ZF2011-01: Potential XSS in Development Environment Error View Script

http://mwop.net/blog/206-Zend-Framework-1.7.5-Released-Important-Note-Regarding-Zend_View.html

Executive Summary

    The default error handling view script generated using Zend_Tool failed to escape request parameters when run in the "development" configuration environment, providing a potential XSS attack vector.

Action Taken

Zend_Tool_Project_Context_Zf_ViewScriptFile was patched such that the view script template now calls the escape() method on dumped request variables.

Recommendations

    This particular vulnerability affects only those users who (a) are using Zend_Tool (aka the zf CLI) to generate their ErrorController and view script, and (b) are running that code under the "development" configuration environment on a public-facing web server.

    If you are running in any environment other than "development", the issue will not be present.

    There are three approaches you can take:

Make sure you set the correct application environment.

            You should only ever run in the "development" environment when developing the application, and typically only behind a firewall. Additionally, you should set your APPLICATION_ENV environment variable via your web server's virtual host configuration whenever possible. For public-facing hosts, set the value to anything other than "development".

            If you must run under the "development" application environment on a publicly accessible server, follow one of the next two recommendations.

Upgrade to Zend Framework 1.11.4

            Zend Framework 1.11.4 includes a patch that adds escaping to the generated error/error.phtml view script, ensuring that request variables are escaped appropriately for the browser.

            Do note, however, that this will not update any previously generated code. You will still need to follow the next advice for previously generated error view scripts.

Modify your error/error.phtml view script

            If you cannot upgrade, or if you want to patch previously generated error view scripts, do the following:

  • Open the application/views/scripts/error/error.phtml file from your ZF-generated project in a text editor or your IDE.
  • Find the heading "Request Parameters".
  • In the line following, you'll see the following statement:
    <pre><?php echo var_export($this->request->getParams(), true) ?>
    
  • Edit the above statement to wrap the var_export call within a $this->escape() method call:
    <pre><?php echo $this->escape(var_export($this->request->getParams(), true)) ?>
    

            Once complete, save the file.
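The fix above, as an added example that is not part of this advisory or of Zend Framework's own code: it renders the unpatched and the patched "Request Parameters" statement against a constructed request carrying a script tag, so you can see what the browser would receive in each case. FakeRequest, MiniView, renderUnpatched and renderPatched are this example's own names; MiniView::escape() reproduces what Zend_View_Abstract::escape() does by default (htmlspecialchars with ENT_COMPAT and the view's UTF-8 encoding), which is an assumption about the default configuration rather than a call into the framework.

```php
<?php
// Added example, not from the advisory or the Zend Framework code base.
// Minimal stand-ins for the request and view objects that error.phtml sees.

class FakeRequest
{
    private $params;

    public function __construct(array $params)
    {
        $this->params = $params;
    }

    // Same accessor the view script calls on $this->request.
    public function getParams()
    {
        return $this->params;
    }
}

class MiniView
{
    public $request;

    public function __construct(FakeRequest $request)
    {
        $this->request = $request;
    }

    // Assumed to match the default of Zend_View_Abstract::escape():
    // &, <, > and " become entities; ENT_COMPAT leaves single quotes alone.
    public function escape($var)
    {
        return htmlspecialchars($var, ENT_COMPAT, 'UTF-8');
    }
}

// The statement the unpatched template emitted: var_export output straight into <pre>.
function renderUnpatched(MiniView $view)
{
    return '<pre>' . var_export($view->request->getParams(), true) . '</pre>';
}

// The statement after the manual fix (and in the ZF 1.11.4 template).
function renderPatched(MiniView $view)
{
    return '<pre>' . $view->escape(var_export($view->request->getParams(), true)) . '</pre>';
}

// Constructed request: the routing params the front controller sets, plus a
// query parameter whose value closes the <pre> and injects a script element.
$view = new MiniView(new FakeRequest(array(
    'controller' => 'index',
    'action'     => 'missing',
    'module'     => 'default',
    'q'          => '</pre><script>alert(document.cookie)</script>',
)));

$unpatched = renderUnpatched($view);
$patched   = renderPatched($view);

// Unpatched: the attacker's <script> reaches the page as live markup.
// Patched: every < and > is entity-encoded, so the browser shows it as text.
echo "unpatched contains <script>: ", var_export(strpos($unpatched, '<script>') !== false, true), PHP_EOL;
echo "patched contains <script>:   ", var_export(strpos($patched, '<script>') !== false, true), PHP_EOL;
echo $patched, PHP_EOL;
```

Run it with `php` from the command line; it needs no web server. Note that escaping the whole var_export() string, rather than each parameter, is sufficient here because the output is placed inside a <pre> element as text, not inside an attribute or a script block, so the default entity encoding is the right context.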

Other Information

Acknowledgments

    The Zend Framework team thanks the following for working with us to help protect its users:

  • Robert Lehmann
  • Frederik Braun
  • Hubert Hesse

Reporting Potential Security Issues

    If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

    When reporting issues, please provide the following information:

  • Component(s) affected
  • A description indicating how to reproduce the issue
  • A summary of the security vulnerability and impact

    We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

    For sensitive email communications, please use our PGP key.

Policy

    Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

  • We will patch the current release branch, as well as the immediate prior minor release branch.
  • After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
  • A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery).