#php

zend-diactoros (and, by extension, Expressive), zend-http (and, by extension, Zend Framework MVC projects), and zend-feed (specifically, its PubSubHubbub sub-component) each contain a potential URL rewrite exploit. In each case, marshaling a request URI includes logic that introspects HTTP request headers that are specific to a given server-side URL rewrite mechanism. When these headers are present on systems not running the specific URL rewriting mechanism, the logic would still trigger, allowing a malicious client or proxy to emulate the headers to request arbitrary content.

In mid-March, 2010, the Dojo Foundation issued a Security Advisory indicating potential security issues with specific files in Dojo Toolkit. Details of the advisory may be found on the Dojo website: http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/ In particular, several files in the Dojo tree were identified as having potential exploits, and the Dojo team also advised disabling or removing any PHP scripts in the tree when deploying to production.

Numerous components utilizing PHP's DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks: - XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections. - XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.

Zend_XmlRpc is vulnerable to XML eXternal Entity (XXE) Injection attacks. The SimpleXMLElement class (SimpleXML PHP extension) is used in an insecure way to parse XML data. External entities can be specified by adding a specific DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.

`Zend_Filter_StripTags` is a filtering class analogous to PHP's `strip_tags()` function. In addition to stripping HTML tags and selectively keeping those provided in a whitelist, it also provides the ability to whitelist specific attributes to retain per whitelisted tag. The reporter discovered that attributes that contained whitespace, and in paricular, line breaks, surrounding the attribute assignment operator would not be stripped, regardless of whether or not they were whitelisted. As examples of input affected: ``` <!-- newlines before and/or after assignment: --> <a href="http://framework.zend.com/issues" onclick = "alert('Broken'); return false;">Issues</a> ``` When passed to the following code: ``` $filter = new Zend_Filter_StripTags(array('a' => array('href'))); $value = $filter->($html); ``` then the "onclick" attribute would remain, even though it was not specified in the tag's whitelist. This could open potential cross-site scripting attack (XSS) vectors. ## Recommendati...

An arbitrary file upload vulnerability in the image upload function of aimeos-core v2024.04 allows attackers to execute arbitrary code via uploading a crafted PHP file.

`Zend\Session` session validators do not work as expected if set prior to the start of a session. For instance, the following test case fails (where $this->manager is an instance of `Zend\Session\SessionManager`): ``` $this ->manager ->getValidatorChain() ->attach('session.validate', array(new RemoteAddr(), 'isValid')); $this->manager->start(); $this->assertSame( array( 'Zend\Session\Validator\RemoteAddr' =3D> '', ), $_SESSION['__ZF']['_VALID'] ); ``` The implication is that subsequent calls to `Zend\Session\SessionManager#start()` (in later requests, assuming a session was created) will not have any validator metadata attached, which causes any validator metadata to be re-built from scratch, thus marking the session as valid. An attacker is thus able to simply ignore session validators such as `RemoteAddr` or `HttpUserAgent`, since the "signature" that these validators check against is not being stored in the session.

When using the zend-mail component to send email via the `Zend\Mail\Transport\Sendmail` transport, a malicious user may be able to inject arbitrary parameters to the system sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability. The following example demonstrates injecting additional parameters to the sendmail binary via the From address: ``` use Zend\Mail; $mail = new Mail\Message(); $mail->setBody('This is the text of the email.'); // inject additional parameters to sendmail command line $mail->setFrom('"AAA\" params injection"@domain', 'Sender\'s name'); $mail->addTo('hacker@localhost', 'Name of recipient'); $mail->setSubject('TestSubject'); $transport = new Mail\Transport\Sendmail(); $transport->send($mail); ``` The attack works because zend-mail filters the email addresses using the RFC 3696 specification, where the string...

Numerous components utilizing PHP's `DOMDocument`, `SimpleXML`, and `xml_parse` functionality are vulnerable to two types of attacks: - XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections. - XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.

`Zend_Feed_Rss` and `Zend_Feed_Atom` were found to contain potential XML eXternal Entity (XXE) vectors due to insecure usage of PHP's DOM extension. External entities could be specified by adding a specific DOCTYPE element to feeds; exploiting this vulnerability could coerce opening arbitrary files and/or TCP connections. A similar issue was fixed for 1.11.13 and 1.12.0, in the `Zend_Feed::import()` factory method; however, the reporter of the issue discovered that the individual classes contained similar functionality in their constructors which remained vulnerable.