ZF2011-01: Potential XSS in Development Environment Error View Script


http://mwop.net/blog/206-Zend-Framework-1.7.5-Released-Important-Note-Regarding-Zend_View.html

Executive Summary

The default error handling view script generated using Zend_Tool failed to escape request parameters when run in the "development" configuration environment, providing a potential XSS attack vector.

Action Taken

Zend_Tool_Project_Context_Zf_ViewScriptFile was patched such that the view script template now calls the escape() method on dumped request variables.

Recommendations

This particular vulnerability affects only those users who (a) are using Zend_Tool (aka the zf CLI) to generate their ErrorController and view script, and (b) are running that code under the "development" configuration environment on a public-facing web server.

If you are running in any environment other than "development", the issue will not be present.

There are three approaches you can take:

Make sure you set the correct application environment.

You should only ever run in the "development" environment when developing the application, and typically only behind a firewall. Additionally, you should set your APPLICATION_ENV environment variable via your web server's virtual host configuration whenever possible. For public-facing hosts, set the value to anything other than "development".

If you must run under the "development" application environment on a publicly accessible server, follow one of the next two recommendations.

Upgrade to Zend Framework 1.11.4

Zend Framework 1.11.4 includes a patch that adds escaping to the generated error/error.phtml view script, ensuring that request variables are escaped appropriately for the browser.

Do note, however, that this will not update any previously generated code. You will still need to follow the next advice for previously generated error view scripts.

Modify your error/error.phtml view script

If you cannot upgrade, or if you want to patch previously generated error view scripts, do the following:

  • Open the application/views/scripts/error/error.phtml file from your ZF-generated project in a text editor or your IDE.
  • Find the heading "Request Parameters".
  • In the line following, you'll see the following statement:
    <pre><?php echo var_export($this->request->getParams(), true) ?>
  • Edit the above statement to wrap the var_export call within a $this->escape() method call:
    <pre><?php echo $this->escape(var_export($this->request->getParams(), true)) ?>

Once complete, save the file.
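The following is an added example, not code from the advisory or from Zend Framework itself. It reproduces, in a self-contained script, the two controls the recommendations above rely on: the environment fallback that the APPLICATION_ENV setting feeds (first recommendation) and the difference between the unpatched and the escaped "Request Parameters" dump in error/error.phtml (third recommendation). The function names resolveEnvironment(), escapeForHtml() and renderRequestParams() are assumptions, and escapeForHtml() stands in for Zend_View's $this->escape().

```php
<?php
// Added example; not the advisory's own code and not Zend Framework code.
// Assumed helper names: resolveEnvironment(), escapeForHtml(), renderRequestParams().

// Mirrors the ZF1 public/index.php convention: APPLICATION_ENV is supplied by the
// web server (for Apache, "SetEnv APPLICATION_ENV production" inside the vhost)
// and falls back to "production" when unset, so a missing value never switches
// the development-only dump on.
function resolveEnvironment(?string $fromServer): string
{
    return ($fromServer !== null && $fromServer !== '') ? $fromServer : 'production';
}

// Stand-in for $this->escape(): htmlspecialchars with an explicit charset.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Renders the "Request Parameters" block of error/error.phtml.
// $escape = false reproduces the pre-1.11.4 template, true reproduces the patched one.
function renderRequestParams(array $params, string $env, bool $escape): string
{
    if ($env !== 'development') {
        return ''; // the dump is only emitted in the development environment
    }
    $dump = var_export($params, true);
    return '<pre>' . ($escape ? escapeForHtml($dump) : $dump) . "\n</pre>";
}

// Constructed request parameters containing markup, as a crafted query string
// routed to the ErrorController would carry it.
$params = ['controller' => 'error', 'name' => '<script>alert(1)</script>'];

echo "Unpatched template (markup reaches the browser unescaped):\n";
echo renderRequestParams($params, 'development', false), "\n\n";

echo "Patched template (markup rendered as text):\n";
echo renderRequestParams($params, 'development', true), "\n\n";

// With APPLICATION_ENV unset or set to anything but "development", no dump at all.
$env = resolveEnvironment(getenv('APPLICATION_ENV') ?: null);
echo "Under APPLICATION_ENV='{$env}' the dump is ",
    renderRequestParams($params, $env, true) === '' ? 'omitted' : 'shown', ".\n";
```

Run it once with APPLICATION_ENV unset and once with APPLICATION_ENV=development exported to see both branches of the environment check.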

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

  • Robert Lehmann
  • Frederik Braun
  • Hubert Hesse

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

  • Component(s) affected
  • A description indicating how to reproduce the issue
  • A summary of the security vulnerability and impact

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.

Policy

Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

  • We will patch the current release branch, as well as the immediate prior minor release branch.
  • After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
  • A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery).
