Security

Security Advisory: ZF2012-04

ZF2012-04: Potential Proxy Injection Vulnerabilities in Multiple Zend Framework 2 Components

Zend\Session\Validator\RemoteAddr and Zend\View\Helper\ServerUrl were found to be improperly parsing HTTP headers for proxy information, which could potentially allow an attacker to spoof a proxied IP or host name.

In Zend\Session\Validator\RemoteAddr, if the client is behind a proxy server, the detection of the proxy URL was incorrect, and could lead to invalid results on subsequent lookups.

In Zend\View\Helper\ServerUrl, if the server lives behind a proxy, the helper would always generate a URL based on the proxy host, regardless of whether or not this was desired; additionally, it did not take into account the proxy port or protocol, if provided.

Action Taken

A new class, Zend\Http\PhpEnvironment\RemoteAddress, was developed to provide reusable code surrounding the detection of a client IP via proxy headers, and Zend\Session\Validator\RemoteAddr was refactored to consume this class. This code:

  • no longer searches against the non-standard Client-Ip header.
  • allows specifying the specific header to check against for proxy detection.
  • allows specifying a list of trusted proxy servers against which to mask any detected proxy IPs.
  • properly selects the right-most IP address from the list of proxy IPs.

The ServerUrl view helper was modified as follows:

  • a flag was introduced to enable/disable proxy detection.
  • proxy detection is disabled by default.
  • in addition to using the X-Forwarded-Host header, support for detecting the proxy port (via the X-Forwarded-Port header) and proxy protocol (via the X-Forwarded-Proto header) was added. This patch has been applied starting in versions 2.0.5 of Zend Framework, as well as to the 2.1 development branch.

Recommendations

If you are using any of the components listed, we recommend upgrading to 2.0.5 or greater.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

  • Fabien Potencier

Released 2012-11-29

Back to advisories

Have you identified a security vulnerability?

Please report it to us at zf-security@zend.com

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts