Zend_XmlRpc is vulnerable to XML eXternal Entity (XXE) Injection attacks. The
SimpleXMLElement class (SimpleXML PHP extension) is used in an insecure way to
parse XML data. External entities can be specified by adding a specific DOCTYPE
element to XML-RPC requests. By exploiting this vulnerability an application may
be coerced to open arbitrary files and/or TCP connections.
Response implementations in
Zend_XmlRpc were patched to
libxml_disable_entity_loader() is invoked prior to instantiating any
SimpleXML objects. This disables XXE parsing, and thus disables the attack
This patch has been applied starting in versions 1.11.12 and 1.12.0 of Zend Framework, and has been ported to the upcoming version 2.0.0 development branch (and will be included starting with the 2.0.0beta5 release).
If you are using either
Zend_XmlRpc_Client in your
projects, we recommend immediately upgrading to 1.11.12 or greater.
Additional attack vectors were identified in
Zend_Soap, and patched in an identical manner.
The patches for these components are included in versions 1.11.13 and 1.12.0 of Zend Framework, and ported to the upcoming version 2.0.0 development branch (released with 2.0.0rc4). If you are using any of the affected components, we recommend upgrading to 1.11.13 or greater immediately.
The Zend Framework team thanks the following for working with us to help protect its users:
Both from SEC Consult Vulnerability Lab (www.sec-consult.com).
Have you identified a security vulnerability?
Please report it to us at firstname.lastname@example.org