Title: Local file disclosure via XXE injection
Affected product: Zend Framework
Affected versions: 1.11.11, 1.12.0 RC1, 2.0.0 beta4 and earlier versions / branches
Fixed versions: 1.11.12, 1.12.0 RC2, 2.0.0 beta5 / trunk
Discovered by: K. Gudinavicius, SEC Consult Vulnerability Lab

Vendor description:
-------------------
"Extending the art & spirit of PHP, Zend Framework is based on simplicity, object-oriented best practices, corporate friendly licensing, and a rigorously tested agile codebase. Zend Framework is focused on building more secure, reliable, and modern Web 2.0 applications & web services, and consuming widely available APIs from leading vendors like Google, Amazon, Yahoo!, Flickr, as well as API providers and cataloguers like StrikeIron and ProgrammableWeb."
Source: http://framework.zend.com/about/overview

Vulnerability overview:
-----------------------
The XmlRpc package of Zend Framework is vulnerable to XML eXternal Entity (XXE) injection attacks, on both the server and the client side. The SimpleXMLElement class (SimpleXML PHP extension) is used in an insecure way to parse XML data: external entities can be declared by adding a DOCTYPE element to an XML-RPC request, and the parser resolves them. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections. Any other software that uses the XmlRpc package of Zend Framework is therefore also vulnerable to XXE injection attacks!

Proof of concept:
-----------------
For example, the loadXml function (Zend\XmlRpc\Request.php and Response.php) fails to disable external entities when parsing XML data. There is no call to the libxml_disable_entity_loader function before the SimpleXMLElement object is constructed.
Related code excerpt:

    public function loadXml($request)
    {
        if (!is_string($request)) {
            $this->_fault = new Zend_XmlRpc_Fault(635);
            $this->_fault->setEncoding($this->getEncoding());
            return false;
        }
        try {
            // External entity loading is still enabled at this point
            $xml = new SimpleXMLElement($request);
        } catch (Exception $e) {
            // Not valid XML
            $this->_fault = new Zend_XmlRpc_Fault(631);
            $this->_fault->setEncoding($this->getEncoding());
            return false;
        }
        [...]
    }

If a web application uses the Zend_XmlRpc_Server() class (Zend\XmlRpc\Server.php) to handle XML-RPC requests, it is possible to disclose arbitrary local files from the remote system. The following HTTP POST request to the vulnerable XmlRpc server application illustrates the exploitation of this vulnerability.

    POST /xmlrpc_server.php HTTP/1.1
    Host: $host

    <?xml version="1.0"?>
    <!DOCTYPE foo [
      <!ELEMENT methodName ANY >
      <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
    <methodCall>
      <methodName>&xxe;</methodName>
    </methodCall>

Solution:
---------
Upgrade to the latest version, e.g.
 * v1.11.12
 * v1.12.0 RC2
 * update ZF2 master trunk
If you are using an older branch you are urged to upgrade!
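For comparison with the vulnerable loadXml above, the following is an added example (written for this page, not the Zend Framework patch) of a hardened parse routine: it rejects any DOCTYPE, which XML-RPC never needs, and disables the libxml entity loader around the SimpleXMLElement construction. The XmlRpcFault class and the fault codes are placeholders for the illustration.

```php
<?php
// Added example, not Zend Framework code: hardened XML-RPC body parsing.
// Placeholder exception type standing in for Zend_XmlRpc_Fault.
class XmlRpcFault extends Exception {}

function loadXmlHardened(string $request): SimpleXMLElement
{
    // XML-RPC payloads have no legitimate use for a DOCTYPE, and the internal
    // subset of a DOCTYPE is the only place an external entity can be declared,
    // so refuse the request before it reaches the parser.
    if (preg_match('/<!DOCTYPE/i', $request)) {
        throw new XmlRpcFault('DOCTYPE declarations are not allowed', 631);
    }

    // Defence in depth: stop libxml from fetching external entities
    // (file://, http://, ...) while this document is parsed. The call returns
    // the previous setting so it can be restored afterwards. (Deprecated as of
    // PHP 8.0, where libxml >= 2.9 disables the entity loader by default.)
    $prevLoader = libxml_disable_entity_loader(true);
    $prevErrors = libxml_use_internal_errors(true);
    try {
        // LIBXML_NONET additionally forbids network access during parsing.
        $xml = new SimpleXMLElement($request, LIBXML_NONET);
    } catch (Exception $e) {
        throw new XmlRpcFault('Not valid XML', 631);
    } finally {
        libxml_disable_entity_loader($prevLoader);
        libxml_use_internal_errors($prevErrors);
        libxml_clear_errors();
    }
    return $xml;
}

// Constructed sample requests for a self-check: a normal call and the
// DOCTYPE-carrying request from the advisory above.
$benign = '<?xml version="1.0"?><methodCall>'
        . '<methodName>system.listMethods</methodName></methodCall>';
$withDoctype = '<?xml version="1.0"?><!DOCTYPE foo [<!ELEMENT methodName ANY >'
             . '<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>'
             . '<methodCall><methodName>&xxe;</methodName></methodCall>';

echo 'benign method: ', (string) loadXmlHardened($benign)->methodName, PHP_EOL;
try {
    loadXmlHardened($withDoctype);
} catch (XmlRpcFault $f) {
    echo 'rejected: ', $f->getMessage(), PHP_EOL;
}
```

Logging the rejected DOCTYPE case (rather than silently returning a fault) also gives a useful detection signal, since no well-formed XML-RPC client sends one.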
Zend Framework security advisory: http://framework.zend.com/security/advisory/ZF2012-01
Download link for new releases: http://framework.zend.com/download/latest

Commits:
--------
http://framework.zend.com/code/log.php?repname=Zend+Framework&path=%2F
 * Zend Framework 1.X Trunk:
   http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2Ftrunk&rev=24970&peg=24970
   http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2F&rev=24975
 * 1.11.X:
   http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2Fbranches%2F&rev=24971&peg=24971
   http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2Fbranches%2F&rev=24972&peg=24972
   http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2F&rev=24976
 * 1.12.0:
   http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2Fbranches%2F&rev=24973&peg=24973
   http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2F&rev=24977
 * Zend Framework 2.0:
   https://github.com/zendframework/zf2/pull/1523