Security

Security Advisory: ZF2015-07

ZF2015-07: Filesystem Permissions Issues in Multiple Components

As reported by the Doctrine Project, incorrect permissions masks when creating a new directory or file can lead to:

  • Local arbitrary code execution
  • Privilege escalation

Such attacks typically require direct access to a user of the system to exploit, but are dangerous vectors when available.

During an audit of the Zend Framework code base, we found several instances where we were using incorrect permissions masks that could lead to such vulnerabilities.

Action Taken

We identified the following projects/components with vulnerabilities by checking for mkdir() and umask() calls:

  • Zend Framework 2's zend-cache component, specifically the Filesystem storage adapter and CaptureCache pattern.
  • The admin-facing code for zf-apigility-doctrine.
  • Zend Framework 1's Zend_Cloud Filesystem storage adapter, Zend_Search_Lucene's filesystem storage, and Zend_Service_WindowsAzure's package scaffolder.

We updated the code as follows:

  • Default privileges for creating directories were set to 0775, and files to 0664.
  • If code allows specifying the permissions mask, we mask it using & ~0002.
  • This means that if you absolutely must allow world-executable privileges, you must extend the class. This leaves the framework secure by default, and is an effort to prevent developers from shooting themselves in the foot.

The following components/libraries were patched, at the version specified:

  • Zend Framework 1, version 1.12.16
  • Zend Framework 2, versions 2.4.8
  • zf-apigility-doctrine, version 1.0.3
  • zend-cache, versions 2.4.8 and 2.5.3

This vulnerability was originally disclosed via the Doctrine project as CVE-2015-5723.

Recommendations

If you use any of the components listed above, we recommend upgrading to one of these versions immediately.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

Released 2015-09-15

Back to advisories

Have you identified a security vulnerability?

Please report it to us at zf-security@zend.com

Copyright

© 2006-2017 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts