==================================================================== CERT-Renater Note d'Information No. 2012/VULN498 ____________________________________________________________________ DATE : 21/12/2012 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S) : Systems running Zend Framework versions prior to 1.11.15, 1.12.1. ====================================================================== http://framework.zend.com/security/advisory/ZF2012-05 ______________________________________________________________________ Security Advisory ZF2012-05: Potential XML eXternal Entity injection vectors in Zend Framework 1 Zend_Feed component Zend_Feed_Rss and Zend_Feed_Atom were found to contain potential XML eXternal Entity (XXE) vectors due to insecure usage of PHP's DOM extension. External entities could be specified by adding a specific DOCTYPE element to feeds; exploiting this vulnerability could coerce opening arbitrary files and/or TCP connections. A similar issue was fixed for 1.11.13 and 1.12.0, in the Zend_Feed::import() factory method; however, the reporter of the issue discovered that the individual classes contained similar functionality in their constructors which remained vulnerable. Action Taken A patch was applied that removes the XXE vector by calling libxml_disable_entity_loader() before attempting to parse the feed via DOMDocument::loadXML(). Recommendations If you are using any of the components listed, and, in particular, were directly instantiating them, we recommend upgrading to either version 1.11.15 or 1.12.1 or greater. Other Information Acknowledgments The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users: Yury Dyachenko at Positive Research Center Reporting Potential Security Issues If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it. When reporting issues, please provide the following information: Component(s) affected A description indicating how to reproduce the issue A summary of the security vulnerability and impact We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications. For sensitive email communications, please use our PGP key. Policy Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is: We will patch the current release branch, as well as the immediate prior minor release branch. After patching the release branches, we will immediately issue new security fix releases for each patched release branch. A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery) ====================================================================== ========================================================= Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================