ZF2011-01: Potential XSS in Development Environment Error View Script
2012-07-13 15:52
http://mwop.net/blog/206-Zend-Framework-1.7.5-Released-Important-Note-Regarding-Zend_View.html
Executive Summary
The default error handling view script generated using Zend_Tool failed to escape request parameters when run in the "development" configuration environment, providing a potential XSS attack vector.
Action Taken
Zend_Tool_Project_Context_Zf_ViewScriptFile was patched so that the view script template now calls the escape() method on dumped request variables.
Recommendations
This particular vulnerability affects only those users who (a) are using Zend_Tool (aka the zf CLI) to generate their ErrorController and view script, and (b) are running that code under the "development" configuration environment on a public-facing web server.
If you are running in any environment other than "development", the issue will not present.
There are three approaches you can take:
Make sure you set the correct application environment.
You should only ever run in the "development" environment while developing the application, and typically only behind a firewall. Additionally, you should set the APPLICATION_ENV environment variable via your web server's virtual host configuration whenever possible. For public-facing hosts, set the value to anything other than "development".
If you must run under the "development" application environment on a publicly accessible server, follow one of the next two recommendations.
Upgrade to Zend Framework 1.11.4
Zend Framework 1.11.4 includes a patch that adds escaping to the generated error/error.phtml view script, ensuring that request variables are escaped appropriately for the browser.
Do note, however, that this will not update any previously generated code. You will still need to follow the next advice for previously generated error view scripts.
Modify your error/error.phtml view script
If you cannot upgrade, or if you want to patch previously generated error view scripts, do the following:
Open the application/views/scripts/error/error.phtml file from your ZF-generated project in a text editor or your IDE.
Find the heading "Request Parameters".
In the line following it, you'll see the following statement:
<pre><?php echo var_export($this->request->getParams(), true) ?>
Edit the above statement to wrap the var_export call within a $this->escape() method call:
<pre><?php echo $this->escape(var_export($this->request->getParams(), true)) ?>
Once complete, save the file.
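The following is an added example, not code from the advisory or from Zend Framework itself. It puts the vulnerable line from a Zend_Tool-generated error/error.phtml beside the patched one, and also shows why the APPLICATION_ENV recommendation above limits exposure: the generated application.ini enables displayExceptions only in its [development] section, and the example collapses that gate into a plain environment check. The function names (view_escape, render_params_vulnerable, render_params_fixed, render_error_page, leaks_markup) and the $params array, which stands in for $this->request->getParams() on a constructed hostile request, are this example's own assumptions.

```php
<?php
// Added example: reproduces the vulnerable and patched "Request Parameters"
// rendering from a Zend_Tool-generated error/error.phtml. Not ZF code.

// Stand-in for Zend_View's escape() helper, which in ZF 1.x defaults to
// htmlspecialchars() with ENT_COMPAT and the view's UTF-8 encoding.
function view_escape($value)
{
    return htmlspecialchars((string) $value, ENT_COMPAT, 'UTF-8');
}

// The original, vulnerable rendering: var_export() quotes PHP syntax,
// not HTML, so markup inside a parameter reaches the browser verbatim.
function render_params_vulnerable(array $params)
{
    return '<pre>' . var_export($params, true) . "</pre>\n";
}

// The patched rendering from ZF 1.11.4: the whole dump passes through escape(),
// so angle brackets become entities and the browser shows text, not markup.
function render_params_fixed(array $params)
{
    return '<pre>' . view_escape(var_export($params, true)) . "</pre>\n";
}

// Approximates the generated ErrorController/view pair: the request dump is
// only reachable when exceptions are displayed, which application.ini turns
// on only under [development]. Any other environment renders no dump at all.
function render_error_page($env, array $params, $fixed = true)
{
    if ($env !== 'development') {
        return "<h1>An error occurred</h1>\n";
    }
    $dump = $fixed ? render_params_fixed($params) : render_params_vulnerable($params);
    return "<h1>An error occurred</h1>\n<h3>Request Parameters:</h3>\n" . $dump;
}

// Check used below: does a raw <script> tag survive into the rendered HTML?
function leaks_markup($html)
{
    return strpos($html, '<script>') !== false;
}

// Constructed hostile request, as the router would hand it to the error
// handler for something like /nonexistent?q=<script>alert(1)</script>
$params = array(
    'controller' => 'error',
    'action'     => 'error',
    'q'          => '<script>alert(1)</script>',
);

echo "Vulnerable (development):\n";
echo render_error_page('development', $params, false);
echo 'leaks markup: ', leaks_markup(render_params_vulnerable($params)) ? 'yes' : 'no', "\n\n";

echo "Patched (development):\n";
echo render_error_page('development', $params, true);
echo 'leaks markup: ', leaks_markup(render_params_fixed($params)) ? 'yes' : 'no', "\n\n";

echo "Unpatched but APPLICATION_ENV=production:\n";
echo render_error_page('production', $params, false);
echo 'leaks markup: ', leaks_markup(render_error_page('production', $params, false)) ? 'yes' : 'no', "\n";
```

Run it with the PHP CLI to compare the three renderings. The first one contains a live script element inside the pre block; the second contains only entity-encoded text; the third contains no parameter dump at all, which is why setting APPLICATION_ENV to anything other than "development" (with Apache, a SetEnv APPLICATION_ENV production directive in the virtual host) is sufficient on its own for hosts that cannot be patched immediately. Note that escaping the whole var_export() output is the right granularity here: escaping individual values before export would miss keys, and the dump is meant to be read as text, not as markup.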
Other Information
Acknowledgments
The Zend Framework team thanks the following for working with us to help protect its users: Robert Lehmann
Frederik Braun
Hubert Hesse
Reporting Potential Security Issues
If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it. When reporting issues, please provide the following information:
Component(s) affected
A description indicating how to reproduce the issue
A summary of the security vulnerability and impact
We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides
them with a chance to upgrade and/or update in order to protect their applications.
For sensitive email communications, please use
our PGP key.
Policy
Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:
We will patch the current release branch, as well as the immediate prior minor release branch.
After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery).