Zend\Validator\Csrf, starting in the Zend Framework 2.3 series, was not
correctly identifying null or mal-formatted token identifiers, leading to false
positive validations, and thus potentially allowing for Cross-Site Request
A patch was written that correctly identifies invalid token identifiers, ensuring that they invalidate the provided value.
The patch fixing the issue has been applied in the following versions:
Note: in testing the patch, we discovered that the vulnerability was introduced specifically in the 2.3 series, and thus no patch was necessary against the 2.2 series.
This vulnerability has also been disclosed as CVE-2015-1786.
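The failure class described above (a null or malformed token identifier producing a false positive), shown as an added example that is a simplified model and not Zend Framework's code or its patch. The function names, the `<hash>-<id>` token layout and the in-memory `$store` are assumptions made for the illustration.

```php
<?php
// Constructed model, not Zend Framework code. Assumed token layout: "<hash>-<id>".
// $store maps an issued identifier to the hash generated for it.

function splitToken($value): array
{
    // Returns [hash, id]; a missing or empty part becomes null.
    $parts = is_string($value) ? explode('-', $value, 2) : [];
    $hash  = ($parts[0] ?? '') !== '' ? $parts[0] : null;
    $id    = ($parts[1] ?? '') !== '' ? $parts[1] : null;
    return [$hash, $id];
}

// Weak check: an absent or unknown identifier gives a null expected hash,
// and a value without a hash part is also null, so the two "match".
function isValidWeak(array $store, $value): bool
{
    [$hash, $id] = splitToken($value);
    $expected = $id !== null ? ($store[$id] ?? null) : null;
    return $hash === $expected;
}

// Strict check: any invalid identifier invalidates the provided value.
function isValidStrict(array $store, $value): bool
{
    if (!is_string($value)) {
        return false;
    }
    [$hash, $id] = splitToken($value);
    if ($hash === null || $id === null || !isset($store[$id])) {
        return false;
    }
    return hash_equals($store[$id], $hash); // constant-time comparison
}

// Constructed sample data: one issued token plus invalid submissions.
$store   = ['form1' => bin2hex(random_bytes(16))];
$samples = [$store['form1'] . '-form1', null, '', '-unknown', 'deadbeef-unknown'];

foreach ($samples as $value) {
    printf("%-45s weak=%-5s strict=%s\n",
        json_encode($value),
        var_export(isValidWeak($store, $value), true),
        var_export(isValidStrict($store, $value), true));
}
```

In this model the weak check accepts `null`, the empty string and `-unknown`, while the strict check accepts only the issued token.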
If you are using Zend\Validator\Csrf (either standalone, or within Zend\InputFilter or via Zend\Form\Element\Csrf) in the 2.3 series of Zend Framework, we recommend upgrading immediately.
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
Have you identified a security vulnerability?
Please report it to us at firstname.lastname@example.org