Security

Security Advisory: ZF2015-06

ZF2015-06: XXE/XEE vector when using ZendXml on multibyte payloads

ZF2014-01 addressed potential XML eXternal Entity (XXE) injection and XML Entity Expansion (XEE) vectors in Zend Framework components that consume XML. The solution provided at the time was creation of a new component, ZendXml, which mitigates the vectors, and which we then incorporated into all components that consume XML.

However, an independent security researcher recently discovered a vector that remained open in ZendXml when running under PHP-FPM (PHP's FastCGI Process Manager) when in a threaded environment: if the XML payload is in a multibyte encoding, the heuristic we provide to detect XXE/XEE vectors can fail.

Action Taken

The underlying problem is threading support for libxml2 in PHP, which is what forced us to use a heuristic detection under PHP-FPM in the first place. That problem has been fixed in the upstream PHP project, but it only applies to PHP versions 5.5 at 5.5.22 and higher, PHP 5.6 at 5.6.6 and higher, and the PHP 7 development branch. This means that, in order to protect all users of Zend Framework, we had to create better heuristic detection when using an older version of PHP.

We updated our heuristic to do the following:

  • If a Byte Order Mark (BOM) is detected, we use that encoding for the file encoding.
  • If no BOM is present, we compare the opening characters against sequences in known encodings to determine the file encoding, defaulting to UTF-8 if no match is made.
  • The file encoding is used to determine if a charset encoding is provided in the XML declaration.
  • We loop through each of the discovered charset and file encodings to encode the sequence <!ENTITY and test for the encoded string in the document. If discovered, the heuristic fails, and we mark the document as a security violation.

For users of PHP 5.5 >= 5.5.22, PHP 5.6 >= 5.6.6, and PHP 7 development builds, we never use the heuristic, and instead use the tools provided by libxml2 to prevent external entity loading and entity expansions.

The following components/libraries were patched, at the version specified:

  • ZendXml, version 1.0.1
  • Zend Framework 1, version 1.12.14
  • Zend Framework 2, versions 2.4.6 and 2.5.2

This vulnerability has also been disclosed as CVE-2015-5161.

Recommendations

If you use any Zend Framework components that consume XML, and use or will use PHP-FPM during deployment, we recommend upgrading to one of these versions immediately.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

Released 2015-08-03

Back to advisories

Have you identified a security vulnerability?

Please report it to us at zf-security@zend.com

Copyright

© 2006-2017 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts