-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathREADME.txt
30 lines (22 loc) · 1016 Bytes
/
README.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Zend XMLRPC Vulnerabilities Fix
Vulnerability overview/description:
-----------------------------------
The XmlRpc package of Zend Framework is vulnerable to XML eXternal Entity
Injection attacks (both server and client). The SimpleXMLElement class
(SimpleXML PHP extension) is used in an insecure way to parse XML data.
External entities can be specified by adding a specific DOCTYPE element to
XML-RPC requests. By exploiting this vulnerability an application may be
coerced to open arbitrary files and/or TCP connections.
Other software that uses the XmlRpc package of Zend Framework is then also
vulnerable to XML eXternal Entity Injection attacks!
Fix:
----
Call to the libxml_disable_entity_loader function before initializing the
SimpleXMLElement class
References:
-----------
https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt
http://www.magentocommerce.com/blog/comments/important-security-update-zend-platform-vulnerability/
Authors:
--------
Skywire - www.skywire.co.uk