
Zend Framework local file disclosure and remediation - Website Security

Source: 自学PHP网 (zixuephp.com)    Date: 2015-04-17 14:11


Title: Local file disclosure via XXE injection
Affected product: Zend Framework
Affected versions: 1.11.11, 1.12.0 RC1, 2.0.0 beta4 and earlier versions / branches

Fixed versions: 1.11.12, 1.12.0 RC2, 2.0.0 beta5 / trunk
Discovered by: K. Gudinavicius, SEC Consult Vulnerability Lab
Vendor description:

-------------------

"Extending the art & spirit of PHP, Zend Framework is based on simplicity,
object-oriented best practices, corporate friendly licensing, and a rigorously
tested agile codebase. Zend Framework is focused on building more secure,
reliable, and modern Web 2.0 applications & web services, and consuming widely
available APIs from leading vendors like Google, Amazon, Yahoo!, Flickr, as
well as API providers and cataloguers like StrikeIron and ProgrammableWeb."

Source: http://framework.zend.com/about/overview
 
Vulnerability overview:

-----------------------------------

The XmlRpc package of Zend Framework is vulnerable to XML eXternal Entity
Injection attacks (both server and client). The SimpleXMLElement class
(SimpleXML PHP extension) is used in an insecure way to parse XML data.
External entities can be specified by adding a specific DOCTYPE element to
XML-RPC requests. By exploiting this vulnerability an application may be
coerced to open arbitrary files and/or TCP connections.

Other software that uses the XmlRpc package of Zend Framework is then also
vulnerable to XML eXternal Entity Injection attacks!
 
Proof of concept:

-----------------

For example, the loadXml function (Zend\XmlRpc\Request.php and Response.php)
fails to disable external entities when parsing XML data. There is no call to
the libxml_disable_entity_loader function before initializing the
SimpleXMLElement class. Related code excerpt:

    public function loadXml($request)
    {
        if (!is_string($request)) {
            $this->_fault = new Zend_XmlRpc_Fault(635);
            $this->_fault->setEncoding($this->getEncoding());
            return false;
        }

        try {
            // External entity loading is still enabled at this point, so a
            // DOCTYPE in $request declaring an external SYSTEM entity is resolved.
            $xml = new SimpleXMLElement($request);
        } catch (Exception $e) {
            // Not valid XML
            $this->_fault = new Zend_XmlRpc_Fault(631);
            $this->_fault->setEncoding($this->getEncoding());
            return false;
        }

        [...]
    }
 
If a web application uses the Zend_XmlRpc_Server() class
(Zend\XmlRpc\Server.php) to handle XML-RPC requests, it is possible to
disclose arbitrary local files from the remote system. The following HTTP POST
request to the vulnerable XmlRpc server application illustrates the
exploitation of this vulnerability.

POST /xmlrpc_server.php HTTP/1.1
Host: $host

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ELEMENT methodName ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<methodCall>
  <methodName>&xxe;</methodName>
</methodCall>
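A hardened counterpart to the loadXml excerpt above, added here as an illustration; it is not code from Zend Framework or from the advisory, and the function name parseMethodCallSafely and the sample inputs are constructed. It assumes PHP with the SimpleXML extension and shows the two controls the excerpt lacks: refusing any DOCTYPE (XML-RPC never needs a DTD) and disabling the external entity loader around the parse.

```php
<?php
// Added example (not Zend Framework code): parsing an XML-RPC methodCall
// without resolving external entities. Assumes PHP with the SimpleXML
// extension; parseMethodCallSafely is a hypothetical helper name.

/**
 * Returns the method name of a well-formed XML-RPC methodCall, or null when
 * the input is not a string, carries a DOCTYPE, or fails to parse.
 */
function parseMethodCallSafely($request)
{
    if (!is_string($request)) {
        return null;
    }

    // Defence in depth: reject any DOCTYPE before libxml sees it. This also
    // blocks internal-entity expansion (which disabling the entity loader
    // alone does not prevent) and external DTD references.
    if (stripos($request, '<!DOCTYPE') !== false) {
        return null;
    }

    // Turn off external entity loading for the duration of the parse and
    // restore the caller's setting afterwards. (PHP 8 deprecates this call
    // because libxml >= 2.9 disables external loading by default; on older
    // PHP, as targeted by the advisory, the default allowed it.)
    $previousLoader = libxml_disable_entity_loader(true);
    $previousErrors = libxml_use_internal_errors(true);
    try {
        // LIBXML_NONET forbids network access. Do not pass LIBXML_NOENT or
        // LIBXML_DTDLOAD: those substitute entities and fetch external DTDs.
        $xml = new SimpleXMLElement($request, LIBXML_NONET);
    } catch (Exception $e) {
        $xml = null;
    }
    libxml_disable_entity_loader($previousLoader);
    libxml_use_internal_errors($previousErrors);

    if ($xml === null || $xml->getName() !== 'methodCall' || !isset($xml->methodName)) {
        return null;
    }
    return (string) $xml->methodName;
}

// Constructed inputs: a legitimate call, and the DOCTYPE pattern from the advisory.
$benign  = '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName></methodCall>';
$hostile = '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
         . '<methodCall><methodName>&xxe;</methodName></methodCall>';

var_dump(parseMethodCallSafely($benign));
var_dump(parseMethodCallSafely($hostile));
```

The second call returns null because the DOCTYPE check rejects the document before any entity can be declared, while the first yields the method name.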
 
Solution:

---------

Upgrade to the latest version, e.g.
* v1.11.12
* v1.12.0 RC2
* update ZF2 master trunk

If you are using an older branch you are urged to upgrade!

Zend Framework security advisory:
http://framework.zend.com/security/advisory/ZF2012-01

Download link for new releases:
http://framework.zend.com/download/latest
 
Commits:

--------

http://framework.zend.com/code/log.php?repname=Zend+Framework&path=%2F

* Zend Framework 1.X
  Trunk:
  http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2Ftrunk&rev=24970&peg=24970
  http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2F&rev=24975

* 1.11.X:
  http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2Fbranches%2F&rev=24971&peg=24971
  http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2Fbranches%2F&rev=24972&peg=24972
  http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2F&rev=24976

* 1.12.0:
  http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2Fbranches%2F&rev=24973&peg=24973
  http://framework.zend.com/code/revision.php?repname=Zend+Framework&path=%2F&rev=24977

* Zend Framework 2.0
  https://github.com/zendframework/zf2/pull/1523
