ZF2011-01: Potential XSS in Development Environment Error View Script


http://mwop.net/blog/206-Zend-Framework-1.7.5-Released-Important-Note-Regarding-Zend_View.html

Executive Summary

The default error handling view script generated using Zend_Tool failed to escape request parameters when run in the "development" configuration environment, providing a potential XSS attack vector.

Action Taken

Zend_Tool_Project_Context_Zf_ViewScriptFile was patched such that the view script template now calls the escape() method on dumped request variables.

Recommendations

This particular vulnerability affects only those users who (a) are using Zend_Tool (aka the zf CLI) to generate their ErrorController and view script, and (b) are running that code under the "development" configuration environment on a public-facing web server.

If you are running in any environment other than "development", the issue will not be present.

    There are three approaches you can take:

Make sure you set the correct application environment.

You should only ever run in the "development" environment when developing the application, and typically only behind a firewall. Additionally, you should set your APPLICATION_ENV environment variable via your web server's virtual host configuration whenever possible. For public-facing hosts, set the value to anything other than "development".

If you must run under the "development" application environment on a publicly accessible server, follow one of the next two recommendations.

Upgrade to Zend Framework 1.11.4

Zend Framework 1.11.4 includes a patch that adds escaping to the generated error/error.phtml view script, ensuring that request variables are escaped appropriately for the browser.

Do note, however, that this will not update any previously generated code. You will still need to follow the next advice for previously generated error view scripts.

Modify your error/error.phtml view script

If you cannot upgrade, or if you want to patch previously generated error view scripts, do the following:

  • Open the application/views/scripts/error/error.phtml file from your ZF-generated project in a text editor or your IDE.
  • Find the heading "Request Parameters".
  • In the line following, you'll see the following statement:
    <pre><?php echo var_export($this->request->getParams(), true) ?>
  • Edit the above statement to wrap the var_export call within a $this->escape() method call:
    <pre><?php echo $this->escape(var_export($this->request->getParams(), true)) ?>

            Once complete, save the file.
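The following stand-alone script is an added example; it is not code from the advisory or from Zend Framework. It reproduces the "Request Parameters" fragment of the generated error view twice, once with the unpatched statement and once with the patched one, and shows why the first recommendation (setting APPLICATION_ENV) is sufficient on its own. Assumptions: no Zend Framework installation is needed; $this->escape() is emulated with htmlspecialchars(), which is the default escape callback of Zend_View; the development-environment gate is simplified to a direct check on APPLICATION_ENV, and the request parameters are constructed inline.

```php
<?php
// Added example, not code from the advisory or from Zend Framework: a
// stand-alone script that reproduces what the ZF-generated error/error.phtml
// does with request parameters, once the vulnerable way and once escaped.
// Assumptions: no Zend Framework install is needed; $this->escape() is
// emulated by htmlspecialchars(), the default escape callback of Zend_View;
// the environment gate is simplified to a check on APPLICATION_ENV.

// Same fallback as ZF1's generated public/index.php: if the web server does
// not set APPLICATION_ENV, the application runs as "production".
defined('APPLICATION_ENV')
    || define('APPLICATION_ENV',
        (getenv('APPLICATION_ENV') ? getenv('APPLICATION_ENV') : 'production'));

/** Emulation of the view's escape() helper (htmlspecialchars, UTF-8). */
function viewEscape(string $value): string
{
    return htmlspecialchars($value, ENT_COMPAT, 'UTF-8');
}

/**
 * Builds the "Request Parameters" fragment of the error page.
 * $escape = false reproduces the statement the advisory tells you to find;
 * $escape = true reproduces the patched statement.
 */
function renderRequestParameters(array $params, bool $escape): string
{
    $dump = var_export($params, true);
    if ($escape) {
        $dump = viewEscape($dump);
    }
    return "<h3>Request Parameters</h3>\n<pre>" . $dump . "\n</pre>\n";
}

/** True if the untrusted marker reached the HTML as live markup. */
function hasUnescapedMarker(string $html, string $marker): bool
{
    return strpos($html, $marker) !== false;
}

// Constructed request: one parameter carries markup, as any request to a
// non-existent action would hand it to the ErrorController unchanged.
$marker = '<script>/* injected */</script>';
$params = array(
    'controller' => 'index',
    'action'     => 'no-such-action',
    'q'          => $marker,
);

if (APPLICATION_ENV !== 'development') {
    // Outside "development" the error view never dumps request parameters,
    // which is why setting the environment correctly on public-facing hosts
    // removes the exposure by itself.
    echo "APPLICATION_ENV=" . APPLICATION_ENV
        . ": request parameters are not dumped.\n";
    exit(0);
}

$vulnerable = renderRequestParameters($params, false);
$patched    = renderRequestParameters($params, true);

echo "--- unpatched view script ---\n", $vulnerable;
echo "marker present as live markup: ",
    hasUnescapedMarker($vulnerable, $marker) ? "yes\n" : "no\n";

echo "--- patched view script ---\n", $patched;
echo "marker present as live markup: ",
    hasUnescapedMarker($patched, $marker) ? "yes\n" : "no\n";
```

Run it as `APPLICATION_ENV=development php example.php` to see both renderings: the unpatched fragment contains the marker verbatim inside `<pre>`, the patched one contains only `&lt;script&gt;...`. Run it without the variable and it reports that nothing is dumped, mirroring the advisory's note that the issue is not present outside "development".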

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

  • Robert Lehmann
  • Frederik Braun
  • Hubert Hesse

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

    When reporting issues, please provide the following information:

  • Component(s) affected
  • A description indicating how to reproduce the issue
  • A summary of the security vulnerability and impact

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.

Policy

Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

  • We will patch the current release branch, as well as the immediate prior minor release branch.
  • After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
  • A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery).