Security

Security Advisory: ZF2015-03

ZF2015-03: Invalid CSRF validation of null or incorrectly formatted token identifiers

Zend\Validator\Csrf, starting in the Zend Framework 2.3 series, was not correctly identifying null or mal-formatted token identifiers, leading to false positive validations, and thus potentially allowing for Cross-Site Request Forgery vectors.

Action Taken

A patch was written that correctly identifies invalid token identifiers, ensuring that they invalidate the provided value.

The patch fixing the issue has been applied in the following versions:

  • Zend Framework 2.3.6

Note: in testing the patch, we discovered that the vulnerability was introduced specifically in the 2.3 series, and thus no patch was necessary against the 2.2 series.

This vulnerability has also been disclosed as CVE-2015-1786.

Recommendations

If you are using Zend\Validator\Csrf (either standalone, or within Zend\InputFilter or via Zend\Form\Element\Csrf) in the 2.3 series of Zend Framework, we recommend upgrading immediately.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

  • Alex Barnes, who reported the issue; and
  • Maks3w, who provided the initial patch; and
  • Enrico Zimuel, who reviewed, tested, and finalized the patch.

Released 2015-03-12

Back to advisories

Have you identified a security vulnerability?

Please report it to us at zf-security@zend.com

Copyright

© 2006-2017 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts