Security Advisory: ZF2012-02

ZF2012-02: Denial of Service vector via XEE injection

Zend_Dom, Zend_Feed, Zend_Soap, and Zend_XmlRpc are vulnerable to XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.

Action Taken

All locations where SimpleXML or DOMDocument were used with user input were patched. The patches mitigate the XEE vector by first calling libxml_disable_entity_loader(), and then looping through the DOMDocument children, testing if any are of type XML_DOCUMENT_TYPE_NODE; if so, an exception is raised and execution is halted.

Where SimpleXML is used, the XML is loaded first via DOMDocument and scanned as noted above; once validated, the DOMDocument instance is passed to simplexml_import_dom().

This patch has been applied starting in versions 1.11.13 and 1.12.0 of Zend Framework, and has been ported to the upcoming version 2.0.0 development branch (and first released with 2.0.0rc4).

Recommendations

If you are using either Zend_Dom, Zend_Feed, Zend_Soap or Zend_XmlRpc in your projects, we recommend immediately upgrading to 1.11.13 or greater.

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

  • Pádraic Brady

Released 2012-08-20

Back to advisories

Have you identified a security vulnerability?

Please report it to us at zf-security@zend.com

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts