Zend\View\Helper\ServerUrl were found
to be improperly parsing HTTP headers for proxy information, which could
potentially allow an attacker to spoof a proxied IP or host name.
Zend\Session\Validator\RemoteAddr, if the client is behind a proxy server,
the detection of the proxy URL was incorrect, and could lead to invalid results
on subsequent lookups.
Zend\View\Helper\ServerUrl, if the server lives behind a proxy, the helper
would always generate a URL based on the proxy host, regardless of whether or
not this was desired; additionally, it did not take into account the proxy port
or protocol, if provided.
A new class,
Zend\Http\PhpEnvironment\RemoteAddress, was developed to provide
reusable code surrounding the detection of a client IP via proxy headers, and
Zend\Session\Validator\RemoteAddr was refactored to consume this class. This
ServerUrl view helper was modified as follows:
X-Forwarded-Hostheader, support for detecting the proxy port (via the
X-Forwarded-Portheader) and proxy protocol (via the
X-Forwarded-Protoheader) was added. This patch has been applied starting in versions 2.0.5 of Zend Framework, as well as to the 2.1 development branch.
If you are using any of the components listed, we recommend upgrading to 2.0.5 or greater.
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
Have you identified a security vulnerability?
Please report it to us at firstname.lastname@example.org