zend-diactoros (and, byextension,Expressive),zend-http (and, by extension,Zend Framework MVC projects),andzend-feed (specifically, itsPubSubHubbub sub-component) each contain a potential URL rewrite exploit. Ineach case, marshaling a request URI includes logic that introspects HTTP requestheaders that are specific to a given server-side URL rewrite mechanism.
When these headers are present on systems not running the specific URL rewritingmechanism, the logic would still trigger, allowing a malicious client or proxyto emulate the headers to request arbitrary content.
In each of the affected components, we have removed support for the specificrequest headers. Users can provide support within their applications tore-instate the logic if they are using the specific URL rewrite mechanism; usersare encouraged to filter these headers in their web server prior to any rewritesto ensure their validity.
The patch resolving the vulnerability is available in:
Zend Framework MVC, Apigility, and Expressive users will receive relevantupdated components viacomposer update.
We highly recommend all users of affected projects update immediately.
The Zend Framework team thanks the following for identifying the issues andworking with us to help protect its users:
Released 2018-08-01
Have you identified a security vulnerability?
Please report it to us atzf-security@zend.com
© 2006-2022 byZend byPerforce. Made with by awesomecontributors.
This website is built usingzend-expressive and it runs onPHP 7.
