I’m a bit busy at the moment, so I am going to quote directly from Matthew’s blog:
Yesterday, we released Zend Framework 1.7.5. It contains a somewhat controversial security fix to Zend_View that could potentially affect some use cases of the component; I’m providing details on that security fix as well as how to work around it here.
A user filed an issue report showing a potential Local File Inclusion vulnerability in Zend_View’s setScriptPath() method: if user input were used to specify the script path, then it was possible to trigger the LFI. The vulnerability was completely contrived; no sane developer should ever configure the view script paths using user input. However, it pointed out another very real LFI attack vector.
The attack vector is, once again, a situation of trusting unfiltered input, but this time it’s a much more likely scenario. In this particular case, let’s say we had Zend_View configured as follows:
We then accepted the following input, and passed it to the render() method: “../../../../etc/passwd”.
The LFI vector was then triggered, as render() actually allowed for parent directory traversal.
ZF 1.7.5 now has a check for such notation (‘../’ or ‘..’), and throws an exception when detected.
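To make the fix concrete, here is an added illustration (my own code, not Zend Framework's, and not taken from Matthew's post) of the two-layer check a view resolver can apply: reject parent-directory notation in the script name up front, then confirm the canonical path still lives under a configured script directory. The script path and the exception class name are assumptions for the example.

```php
<?php
// Added example, not Zend_View's actual implementation: a minimal resolver
// that mirrors the ZF 1.7.5 behaviour described above (refuse '../' / '..'
// and throw), plus a realpath containment check as defence in depth.

class ViewScriptException extends Exception {}

/**
 * Resolve $name against the configured script paths.
 * Throws if the name contains '..' traversal notation, or if it does not
 * resolve to a regular file inside one of the configured directories.
 */
function resolveViewScript(array $scriptPaths, $name)
{
    // Layer 1, the check ZF 1.7.5 added: any '..' path segment
    // (with '/' or '\' separators, or the bare string) is rejected
    // before the filesystem is touched.
    if (preg_match('#(^|[/\\\\])\.\.($|[/\\\\])#', $name)) {
        throw new ViewScriptException(
            "Requested script '$name' contains parent directory traversal");
    }

    foreach ($scriptPaths as $dir) {
        $base = realpath($dir);
        if ($base === false) {
            continue; // configured directory does not exist
        }
        $full = realpath($base . DIRECTORY_SEPARATOR . $name);
        // Layer 2: even with no '..' in the name, require the canonical
        // path to start with the canonical base (symlinks could otherwise
        // lead outside the script directory).
        if ($full !== false
            && strpos($full, $base . DIRECTORY_SEPARATOR) === 0
            && is_file($full)) {
            return $full;
        }
    }
    throw new ViewScriptException("Script '$name' not found in script path");
}

// Usage: the input quoted in the post is rejected before any file access.
// '/var/www/app/views/scripts' is a placeholder script path.
try {
    resolveViewScript(array('/var/www/app/views/scripts'), '../../../../etc/passwd');
} catch (ViewScriptException $e) {
    echo $e->getMessage(), "\n";
}
```

A name such as `foo..bar.phtml` still passes the first check, because the pattern only matches `..` as a whole path segment; the containment check is what guards against anything the pattern does not anticipate.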