As reported by the Doctrine Project, incorrect permissions masks when creating a new directory or file can lead to:
Such attacks typically require direct access to a user of the system to exploit, but are dangerous vectors when available.
During an audit of the Zend Framework code base, we found several instances where we were using incorrect permissions masks that could lead to such vulnerabilities.
We identified the following projects/components with vulnerabilities by checking for mkdir() and umask() calls:
zend-cache component, specifically the Filesystem storage adapter and CaptureCache pattern.
Zend_Cloud Filesystem storage adapter, Zend_Search_Lucene's filesystem storage, and Zend_Service_WindowsAzure's package scaffolder.
We updated the code as follows:
0775, and files to 0664.
& ~0002.
The following components/libraries were patched, at the version specified:
This vulnerability was originally disclosed via the Doctrine project as CVE-2015-5723.
If you use any of the components listed above, we recommend upgrading to one of these versions immediately.
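The permission change described above (0775 for directories, 0664 for files, and masking with & ~0002) can be sketched as follows. This is an added example, not Zend Framework or Doctrine code: the function names are hypothetical, the weak variant is an illustrative pattern rather than the project's previous code, and a POSIX filesystem is assumed.

```php
<?php
// Added example, not Zend Framework code; all function names are hypothetical.
// Assumes a POSIX filesystem, where fileperms() reports real mode bits.

// Illustrative weak pattern: 0777 with the umask cleared is world-writable.
function make_dir_weak(string $path): void
{
    $old = umask(0);
    mkdir($path, 0777);
    umask($old);
}

// Hardened: default 0775, and always strip the world-write bit (& ~0002).
function make_dir_hardened(string $path, int $mode = 0775): void
{
    $old = umask(0002);
    try {
        if (!mkdir($path, $mode & ~0002) && !is_dir($path)) {
            throw new RuntimeException("cannot create directory $path");
        }
    } finally {
        umask($old);
    }
}

// Hardened file write: default 0664, never world-writable even briefly.
function write_file_hardened(string $file, string $data, int $mode = 0664): void
{
    $old = umask(0002);
    $ok = file_put_contents($file, $data, LOCK_EX) !== false
        && chmod($file, $mode & ~0002);
    umask($old);
    if (!$ok) {
        throw new RuntimeException("cannot write $file");
    }
}

// Constructed demo inside a private (0700) scratch directory.
$base = sys_get_temp_dir() . '/perm-demo-' . bin2hex(random_bytes(4));
mkdir($base, 0700);
make_dir_weak("$base/weak");
make_dir_hardened("$base/hard", 0777);   // requested 0777; world-write is stripped
write_file_hardened("$base/hard/entry.dat", 'constructed sample data');
clearstatcache();
foreach (['weak', 'hard', 'hard/entry.dat'] as $rel) {
    $perms = fileperms("$base/$rel") & 07777;
    printf("%-15s %04o world-writable=%s\n", $rel, $perms, ($perms & 0002) ? 'yes' : 'no');
}
unlink("$base/hard/entry.dat"); rmdir("$base/hard"); rmdir("$base/weak"); rmdir($base);
```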
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
Released 2015-09-15
Have you identified a security vulnerability?
Please report it to us at zf-security@zend.com