来源:自学PHP网 时间:2015-04-17 13:03 作者: 阅读:次
[导读] 标题: Local file disclosure via XXE injection影响产品: Zend Framework影响版本: 1.11.11 1.12.0 RC1 2.0.0 beta4 and earlier versions / branches已修正版本: 1.11.12 1.12.0 RC2 ......
|
标题: Local file disclosure via XXE injection
影响产品: Zend Framework 影响版本: 1.11.11 1.12.0 RC1 2.0.0 beta4 and earlier versions / branches 已修正版本: 1.11.12 1.12.0 RC2 2.0.0 beta5 / trunk 发现者: K. Gudinavicius SEC Consult Vulnerability Lab 开发者介绍: ------------------- "Extending the art & spirit of PHP, Zend Framework is based on simplicity, object-oriented best practices, corporate friendly licensing, and a rigorously tested agile codebase. Zend Framework is focused on building more secure, reliable, and modern Web 2.0 applications & web services, and consuming widely available APIs from leading vendors like Google, Amazon, Yahoo!, Flickr, as well as API providers and cataloguers like StrikeIron and ProgrammableWeb." 摘自: http://framework.zend.com/about/overview 缺陷概述: ----------------------------------- The XmlRpc package of Zend Framework is vulnerable to XML eXternal Entity Injection attacks (both server and client). The SimpleXMLElement class (SimpleXML PHP extension) is used in an insecure way to parse XML data. External entities can be specified by adding a specific DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections. Other software that uses the XmlRpc package of Zend Framework is then also vulnerable to XML eXternal Entity Injection attacks! 证明测试: ----------------- For example, the loadXml function (Zend\XmlRpc\Request.php and Response.php) fails to disable external entities when parsing XML data. There is no call to the libxml_disable_entity_loader function before initializing the SimpleXMLElement class. Related code excerpt: www.2cto.com public function loadXml($request) { if (!is_string($request)) { $this->_fault = new Zend_XmlRpc_Fault(635); $this->_fault->setEncoding($this->getEncoding()); return false; } try { $xml = new SimpleXMLElement($request); } catch (Exception $e) { // Not valid XML $this->_fault = new Zend_XmlRpc_Fault(631); $this->_fault->setEncoding($this->getEncoding()); return false; } [...] } If a web application uses the Zend_XmlRpc_Server() class (Zend\XmlRpc\Server.php) to handle XML-RPC requests, it is possible to disclose arbitrary local files from the remote system. The following HTTP POST request to the vulnerable XmlRpc server application illustrates the exploitation of this vulnerability. POST /xmlrpc_server.php HTTP/1.1 Host: $host <?xml version="1.0"?> <!DOCTYPE foo [ <!ELEMENT methodName ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <methodCall> <methodName>&xxe;</methodName> </methodCall> 解决方案: --------- 升级到最新版, 例如. * v1.11.12 * v1.12.0 RC2 * update ZF2 master trunk If you are using an older branch you are urged to upgrade! Zend framework security advisory: http://framework.zend.com/security/advisory/ZF2012-01 Download link for new releases: http://framework.zend.com/download/latest Commits: -------- http://framework.zend.com/code/log.php?repname=Zend+Framework&path=%2F * Zend Framework 1.X Trunk: http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2Ftrunk&rev=24970&peg=24970 http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2F&rev=24975 * 1.11.X: http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2Fbranches%2F&rev=24971&peg=24971 http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2Fbranches%2F&rev=24972&peg=24972 http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2F&rev=24976 * 1.12.0: http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2Fbranches%2F&rev=24973&peg=24973 http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2F&rev=24977 * Zend Framework 2.0 https://github.com/zendframework/zf2/pull/1523 |
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com
