A web developer's blog. PHP, MySQL, CakePHP, Zend Framework, Wordpress, Code Igniter, Django, Python, CSS, Javascript, jQuery, Knockout.js, and other web development topics.

Zend_View security issue fixed in ZF 1.7.5

I’m a bit busy at the moment so I am going to quote directly from Matthew’s blog :P

Yesterday, we released Zend Framework 1.7.5. It contains a somewhat controversial security fix to Zend_View that could potentially affect some use cases of the component; I’m providing details on that security fix as well as how to work around it here.

A user filed an issue report showing a potential Local File Inclusion vulnerability in Zend_View’s setScriptPath() method: if user input were used to specify the script path, then it was possible to trigger the LFI. The vulnerability was completely contrived; no sane developer should ever configure the view script paths using user input. However, it pointed out another very real LFI attack vector.

The attack vector is, once again, a situation of trusting unfiltered input, but this time it’s a much more likely scenario. In this particular case, let’s say we had Zend_View configured as follows:

$view->addScriptPath('/var/www/application/views/scripts');

We then accepted the following input, and passed it to the render() method: "../../../../etc/passwd".

The LFI vector was then triggered, as render() actually allowed for parent directory traversal.

ZF 1.7.5 now has a check for such notation ('../' or '..'), and throws an exception when detected.
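To make the fix concrete, here is an added example (my own illustration, not Zend Framework code) of a minimal view-script resolver: one version joins the name to the script path blindly, the hardened version refuses '..' notation the way ZF 1.7.5 does and additionally confirms the resolved path stays under the configured directory. The function names resolveScript and resolveScriptSafely are hypothetical.

```php
<?php
// Added example, not Zend Framework code. Models the render() lookup
// described above; function names are hypothetical.

$scriptPaths = ['/var/www/application/views/scripts'];

// Illustrative pre-1.7.5 behaviour: the requested name is appended to each
// script path without inspection, so "../" segments walk out of the tree.
function resolveScript(array $paths, string $name): ?string
{
    foreach ($paths as $dir) {
        $candidate = rtrim($dir, '/') . '/' . $name;
        if (is_readable($candidate)) {
            return $candidate;
        }
    }
    return null;
}

// Hardened version: reject parent-directory notation up front (the ZF 1.7.5
// check), then verify the real path still lies inside a script directory so
// symlinks or encoding tricks cannot escape either.
function resolveScriptSafely(array $paths, string $name): string
{
    if (preg_match('#(^|[/\\\\])\.\.([/\\\\]|$)#', $name)) {
        throw new InvalidArgumentException(
            "script name '$name' contains parent directory traversal");
    }
    foreach ($paths as $dir) {
        $base = realpath($dir);
        $real = realpath(rtrim($dir, '/') . '/' . $name);
        if ($base !== false && $real !== false
            && strpos($real, $base . DIRECTORY_SEPARATOR) === 0) {
            return $real;
        }
    }
    throw new RuntimeException("script '$name' not found in script path");
}

// Constructed inputs matching the post: a normal view script name, and the
// traversal string, which the hardened resolver refuses before touching disk.
foreach (['index.phtml', '../../../../etc/passwd'] as $name) {
    try {
        echo $name, ' => ', resolveScriptSafely($scriptPaths, $name), PHP_EOL;
    } catch (Exception $e) {
        echo $name, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The realpath() containment check is the more general defence: it also catches traversal that survives the string check, at the cost of requiring the script file to exist before the path is accepted.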

This entry was posted in General.