Bug 860738 (CVE-2012-4451) - CVE-2012-4451 php-ZendFramework: XSS vectors in multiple Zend Framework components (ZF2012-03)
Status: CLOSED CURRENTRELEASE
Alias: CVE-2012-4451
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 860744 860745
Reported: 2012-09-26 15:30 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:55 UTC (History)

Fixed In Version: ZendFramework 2.0.1
Doc Type: Bug Fix
Last Closed: 2013-02-13 22:42:45 UTC



Description Jan Lieskovsky 2012-09-26 15:30:46 UTC
Multiple possibilities for cross-site scripting (XSS) flaws were corrected in the upstream 2.0.1 version of Zend Framework:
[1] http://framework.zend.com/blog/zend-framework-2-0-1-released.html

More from upstream advisory - [2] http://framework.zend.com/security/advisory/ZF2012-03:

Zend\Debug, Zend\Feed\PubSubHubbub, Zend\Log\Formatter\Xml, Zend\Tag\Cloud\Decorator, Zend\Uri, Zend\View\Helper\HeadStyle, Zend\View\Helper\Navigation\Sitemap, and Zend\View\Helper\Placeholder\Container\AbstractStandalone were not using Zend\Escaper when escaping HTML, HTML attributes, and/or URLs. While most were performing some escaping, because they were not using context-appropriate escaping mechanisms, they could potentially be exploited to perform Cross Site Scripting (XSS) attacks.

Relevant upstream patch:
[3] https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733
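
Added example (not part of the bug report, the upstream advisory or Zend Framework itself): a plain-PHP sketch of why one escaper cannot serve every output context, which is the class of flaw the advisory describes. The helper names and sample inputs are hypothetical and constructed for illustration; it assumes PHP 7.4+ with the mbstring extension.

```php
<?php
// Added illustration; not Zend Framework code. All helper names are hypothetical.
// Assumes the mbstring extension (mb_ord) and UTF-8 input.

// HTML body context: encode markup metacharacters and both quote styles.
function escape_html_body(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// HTML attribute context: hex-encode everything except ASCII alphanumerics
// and , . - _ so the value cannot terminate the attribute, quoted or not.
function escape_html_attr(string $s): string
{
    $out = preg_replace_callback(
        '/[^a-zA-Z0-9,.\-_]/u',
        static fn (array $m): string => sprintf('&#x%X;', mb_ord($m[0], 'UTF-8')),
        $s
    );
    if ($out === null) {            // preg error, e.g. invalid UTF-8 input
        throw new InvalidArgumentException('value is not valid UTF-8');
    }
    return $out;
}

// URL component context: RFC 3986 percent-encoding.
function escape_url_component(string $s): string
{
    return rawurlencode($s);
}

// Constructed sample inputs.
$title = 'x data-injected=1';       // contains no <, >, &, " or '
$query = 'a&b=c d';                 // contains URL delimiters

// Body escaping has nothing to encode in $title, so in an unquoted attribute
// the space ends the value and the remainder parses as a second attribute.
echo '<span title=' . escape_html_body($title) . ">body escaper</span>\n";
// Attribute escaping encodes the space and "=", keeping it one value.
echo '<span title=' . escape_html_attr($title) . ">attribute escaper</span>\n";

// Body escaping turns & into &amp;, which the browser decodes back to & in
// the href, so "b" still arrives as a separate query parameter.
echo '<a href="/search?q=' . escape_html_body($query) . "\">body escaper</a>\n";
// Percent-encode the component first, then attribute-encode the result.
echo '<a href="/search?q=' . escape_html_attr(escape_url_component($query))
    . "\">URL + attribute escaper</a>\n";
```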

Comment 1 Jan Lieskovsky 2012-09-26 15:38:40 UTC
> Relevant upstream patch:
> [3] https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733

While the above-referenced upstream patch is against the 2.0.1 branch, after backport / modification it would also be applicable against ZendFramework-1.x versions:

   Upstream ZF2 version:    -      Fedora / EPEL ZF1 version:
-------------------------------------------------------------
1) library/Zend/Debug/Debug.php => library/Zend/Debug.php,
2) library/Zend/Feed/PubSubHubbub/PubSubHubbub.php => library/Zend/Feed/Pubsubhubbub.php:

    /**
     * RFC 3986 safe url encoding method
     *
     * @param  string $string
     * @return string
     */
    public static function urlencode($string)

is the same in both versions (similarly would apply for other parts of upstream patch above).

Comment 2 Jan Lieskovsky 2012-09-26 15:39:53 UTC
This issue affects the versions of the php-ZendFramework package, as shipped with Fedora releases 16 and 17. Please schedule an update.

--

This issue affects the version of the php-ZendFramework package, as shipped with Fedora EPEL 6. Please schedule an update.

Comment 3 Jan Lieskovsky 2012-09-26 15:41:08 UTC
Created php-ZendFramework tracking bugs for this issue

Affects: fedora-all [bug 860744]
Affects: epel-6 [bug 860745]

Comment 4 Jan Lieskovsky 2012-09-26 15:58:56 UTC
CVE request:
[4] http://www.openwall.com/lists/oss-security/2012/09/26/7

Comment 5 Vincent Danen 2012-09-26 20:39:47 UTC
This was assigned CVE-2012-4451:

http://www.openwall.com/lists/oss-security/2012/09/26/9

Comment 6 Felix Kaechele 2013-02-13 22:42:45 UTC
Fixed in 1.12.1 which we are shipping by now.

