Package Instance

SQL Injection
Potential SQL injection vector using null byte for PDO (MsSql, SQLite).

CRLF Injection
Potential CRLF injection attacks in mail and HTTP headers.

ZendFramework potential XML eXternal Entity injection vectors
Numerous components utilizing PHP's `DOMDocument`, `SimpleXML`, and `xml_parse` functionality are vulnerable to two types of attacks:

- XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.
- XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.

Improper Authentication
The (1) `Zend_Ldap` class in Zend and (2) `Zend
dap` component in Zend allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.

ZendFramework1 Potential SQL injection in the ORDER implementation of Zend_Db_Select
The implementation of the ORDER BY SQL statement in Zend_Db_Select of Zend Framework 1 contains a potential SQL injection when the query string passed contains parentheses.

For instance, the following code is affected by this issue:
```
$db     = Zend_Db::factory( /* options here */ );
$select = $db->select()
->from(array('p' => 'products'))
->order('MD5(1); drop table products');
echo $select;
```
This code produce the string:
```
SELECT "p".* FROM "products" AS "p" ORDER BY MD5(1);drop table products ASC
```
instead of the correct one:
```
SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);drop table products" ASC
```
The SQL injection occurs because we create a new Zend_Db_Expr() object, in presence of parentheses, passing directly the value without any filter on the string.

SQL Injection
Potential SQL injection in the ORDER implementation of `Zend_Db_Select`.

Improper Authentication
Potential security issue in login mechanism of ZendOpenId and Zend_OpenId consumer.

ZendFramework1 Potential Insufficient Entropy Vulnerability
We discovered several methods used to generate random numbers in ZF1 that potentially used insufficient entropy. These random number generators are used in the following method calls:
```
Zend_Ldap_Attribute::createPassword
Zend_Form_Element_Hash::_generateHash
Zend_Gdata_HttpClient::filterHttpRequest
Zend_Filter_Encrypt_Mcrypt::_srand
Zend_OpenId::randomBytes
```
In each case, the methods were using rand() or mt_rand(), neither of which can generate cryptographically secure values. This could potentially lead to information disclosure should an attacker be able to brute force the random number generation.

Moreover, we discovered a potential security issue in the usage of the [openssl_random_pseudo_bytes()](http://php.net/manual/en/function.openssl-random-pseudo-bytes.php) function in Zend_Crypt_Math::randBytes, reported in PHP BUG [#70014](https://bugs.php.net/bug.php?id=70014), and the security implications reported in a discussion [on the random_compat library.](https://github.com/paragonie/random_compat/issues/96)

Improper Restriction of XML External Entity Reference
Potential XML eXternal Entity injection vectors in Zend Framework 1 `Zend_Feed` component.

Zendframework potential security issue in login mechanism
Using the Consumer component of ZendOpenId (or Zend_OpenId in ZF1), it is possible to login using an arbitrary OpenID account (without knowing any secret information) by using a malicious OpenID Provider. That means OpenID it is possible to login using arbitrary OpenID Identity (MyOpenID, Google, etc), which are not under the control of our own OpenID Provider. Thus, we are able to impersonate any OpenID Identity against the framework.

Moreover, the Consumer accepts OpenID tokens with arbitrary signed elements. The framework does not check if, for example, both openid.claimed_id and openid.endpoint_url are signed. It is just sufficient to sign one parameter. According to https://openid.net/specs/openid-authentication-2_0.html#positive_assertions, at least op_endpoint, return_to, response_nonce, assoc_handle, and, if present in the response, claimed_id and identity, must be signed.

Improper Restriction of XML External Entity Reference
Potential XXE/XEE attacks using PHP functions: `simplexml_load_*`, `DOMDocument::loadXML`, and `xml_parse`.

Zendframework Potential Information Disclosure and Insufficient Entropy vulnerability
In Zend Framework, Zend_Captcha_Word (v1) and Zend\Captcha\Word (v2) generate a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this advisory, the selection was performed using PHP's internal array_rand() function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as openssl_pseudo_random_bytes(). This could potentially lead to information disclosure should an attacker be able to brute force the random number generation.

ZendFramework potential XML eXternal Entity injection vectors
`Zend_Feed_Rss` and `Zend_Feed_Atom` were found to contain potential XML eXternal Entity (XXE) vectors due to insecure usage of PHP's DOM extension. External entities could be specified by adding a specific DOCTYPE element to feeds; exploiting this vulnerability could coerce opening arbitrary files and/or TCP connections.

A similar issue was fixed for 1.11.13 and 1.12.0, in the `Zend_Feed::import()` factory method; however, the reporter of the issue discovered that the individual classes contained similar functionality in their constructors which remained vulnerable.

Zendframework1 potential SQL injection vector using null byte for PDO (MsSql, SQLite)
The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection.

We tested and verified the null byte injection using pdo_dblib (FreeTDS) on a Linux environment to access a remote Microsoft SQL Server, and also tested against and noted the vector against pdo_sqlite.

Security Misconfiguration Vulnerability
Doctrine uses `mkdir($cacheDirectory )` to create caches directories. if your application runs with a umask of

SQL Injection
SQL injection vector when manually quoting values for `sqlsrv` extension, using null byte.

SQL injection vector using null byte for PDO
The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection. This only impacts MsSql and SQLite adapters.

Cross-site Scripting
Potential XSS vector in `Zend_Service_ReCaptcha_MailHide`.

Cross-site Scripting
XSS vector in `Zend_Filter_StripTags`.

Cross-Site Scripting
Potential XSS in Development Environment Error View Script.

Cross-site Scripting
Potential XSS vector in `Zend_Dojo_View_Helper_Editor`.

Cross-site Scripting
Potential XSS vectors due to inconsistent encodings.

Improper Restriction of XML External Entity Reference
Local file disclosure via XXE injection in `Zend_XmlRpc`.

Cross-Site Scripting
Potential Security Issues in Bundled Dojo Library.

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
File Inclusion vector in `Zend_View::setScriptPath()` and `render()`.

Cross-site Scripting
Potential XSS vector in `Zend_Filter_StripTags` when comments allowed.

Improper Restriction of XML External Entity Reference
Denial of Service vector via XEE injection.

Cross-Site Scripting
Potential Security Issues in Bundled Dojo Library.

Zend Framework XXE Vulnerability
Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.