860738 – (CVE-2012-4451) CVE-2012-4451 php-ZendFramework: XSS vectors in multiple Zend Framework components (ZF2012-03)

Bug 860738 (CVE-2012-4451) - CVE-2012-4451 php-ZendFramework: XSS vectors in multiple Zend Framework components (ZF2012-03)

Summary: CVE-2012-4451 php-ZendFramework: XSS vectors in multiple Zend Framework compo...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	CVE-2012-4451
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	860744 860745
Blocks:
TreeView+	depends on / blocked

Reported:	2012-09-26 15:30 UTC by Jan Lieskovsky
Modified:	2019-09-29 12:55 UTC (History)
CC List:	2 users (show)
Fixed In Version:	ZendFramework 2.0.1
Clone Of:
Environment:
Last Closed:	2013-02-13 22:42:45 UTC
Embargoed:

Attachments	(Terms of Use)

Description Jan Lieskovsky 2012-09-26 15:30:46 UTC

Multiple possibilities for cross-site scripting (XSS) flaws were corrected in upstream 2.0.1 version of Zend Framework:
[1] http://framework.zend.com/blog/zend-framework-2-0-1-released.html

More from upstream advisory - [2] http://framework.zend.com/security/advisory/ZF2012-03:

Zend\Debug, Zend\Feed\PubSubHubbub, Zend\Log\Formatter\Xml, Zend\Tag\Cloud\Decorator, Zend\Uri, Zend\View\Helper\HeadStyle, Zend\View\Helper\Navigation\Sitemap, and Zend\View\Helper\Placeholder\Container\AbstractStandalone were not using Zend\Escaper when escaping HTML, HTML attributes, and/or URLs. While most were performing some escaping, because they were not using context-appropriate escaping mechanisms, they could potentially be exploited to perform Cross Site Scripting (XSS) attacks.

Relevant upstream patch:
[3] https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733

Comment 1 Jan Lieskovsky 2012-09-26 15:38:40 UTC

> Relevant upstream patch:
> [3]
> https://github.com/zendframework/zf2/commit/
> 27131ca9520bdf1d4c774c71459eba32f2b10733

While the above referenced upstream patch is against 2.0.1 branch, after backport / modification it would be applicable also against ZendFramework-1.x versions:

   Upstream ZF2 version:    -      Fedora / EPEL ZF1 version:
-------------------------------------------------------------
1) library/Zend/Debug/Debug.php => library/Zend/Debug.php,
2) library/Zend/Feed/PubSubHubbub/PubSubHubbub.php => library/Zend/Feed/Pubsubhubbub.php:

    141     /**
    142      * RFC 3986 safe url encoding method
    143      *
    144      * @param  string $string
    145      * @return string
    146      */
    147     public static function urlencode($string)

is the same in both versions (similarly would apply for other parts of upstream patch above).

Comment 2 Jan Lieskovsky 2012-09-26 15:39:53 UTC

This issue affects the versions of the php-ZendFramework package, as shipped with Fedora release of 16 and 17. Please schedule an update.

--

This issue affects the version of the php-ZendFramework package, as shipped with Fedora EPEL 6. Please schedule an update.

Comment 3 Jan Lieskovsky 2012-09-26 15:41:08 UTC

Created php-ZendFramework tracking bugs for this issue

Affects: fedora-all [bug 860744]
Affects: epel-6 [bug 860745]

Comment 4 Jan Lieskovsky 2012-09-26 15:58:56 UTC

CVE request:
[4] http://www.openwall.com/lists/oss-security/2012/09/26/7

Comment 5 Vincent Danen 2012-09-26 20:39:47 UTC

This was assigned CVE-2012-4451:

http://www.openwall.com/lists/oss-security/2012/09/26/9

Comment 6 Felix Kaechele 2013-02-13 22:42:45 UTC

Fixed in 1.12.1 which we are shipping by now.

Note You need to log in before you can comment on or make changes to this bug.