Package Instance

Session Fixation
Session validation vulnerability.

Zendframework session validation vulnerability
`Zend\Session` session validators do not work as expected if set prior to the start of a session.

For instance, the following test case fails (where `$this->manager` is an instance of `Zend\Session\SessionManager`):
```
$this
->manager
->getValidatorChain()
->attach('session.validate', array(new RemoteAddr(), 'isValid'));

$this->manager->start();

$this->assertSame(
array(
'Zend\Session\Validator\RemoteAddr' =3D> '',
),
$_SESSION['__ZF']['_VALID']
);
```
The implication is that subsequent calls to `Zend\Session\SessionManager#start()` (in later requests, assuming a session was created) will not have any validator metadata attached, which causes any validator metadata to be re-built from scratch, thus marking the session as valid.

An attacker is thus able to simply ignore session validators such as RemoteAddr or HttpUserAgent, since the "signature" that these validators check against is not being stored in the session.

CRLF Injection
Potential CRLF injection attacks in mail and HTTP headers.

Zendframework URL Rewrite vulnerability
zend-diactoros (and, by extension, Expressive), zend-http (and, by extension, Zend Framework MVC projects), and zend-feed (specifically, its PubSubHubbub sub-component) each contain a potential URL rewrite exploit. In each case, marshaling a request URI includes logic that introspects HTTP request headers that are specific to a given server-side URL rewrite mechanism.

When these headers are present on systems not running the specific URL rewriting mechanism, the logic would still trigger, allowing a malicious client or proxy to emulate the headers to request arbitrary content.

Potential Information Disclosure in Zend\Crypt\PublicKey\Rsa\PublicKey
Zend\Crypt\PublicKey\Rsa\PublicKey has a call to `openssl_public_encrypt()` which uses PHP's default `$padding` argument, which specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the Bleichenbacher's chosen-ciphertext attack, which can be used to decrypt arbitrary ciphertexts. Users should upgrade to a fixed version unless there are not using the RSA public key functionality.

SQL Injection
Zend Framework has Potential SQL injection in PostgreSQL `Zend\Db` adapter.

Cross-Site Request Forgery (CSRF)
Cross-site request forgery (CSRF) vulnerability in `Zend/Validator/Csrf` in Zend Framework via null or malformed token identifiers.

XXE/XEE vulnerability via multibyte payloads
There's a flow that allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters. This only apply when running under PHP-FPM in a threaded environment.

Security Misconfiguration Vulnerability
Doctrine uses `mkdir($cacheDirectory )` to create caches directories. if your application runs with a umask of

Remote code execution in zend-mail via Sendmail adapter
A malicious user may be able to inject arbitrary parameters to the system Sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability.

Potential Information Disclosure and Insufficient Entropy in Zend\Captcha\Word
Zend generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This can potentially lead to information disclosure should an attacker be able to brute force the random number generation.

ZendFramework Information Disclosure and Insufficient Entropy vulnerability
In Zend Framework, `Zend_Captcha_Word` (v1) and `Zend\Captcha\Word` (v2) generate a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this advisory, the selection was performed using PHP's `internal array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This could potentially lead to information disclosure should an attacker be able to brute force the random number generation.

URL Redirection to Untrusted Site (Open Redirect)
URL Rewrite vulnerability.

ZendFramework potential remote code execution in zend-mail via Sendmail adapter
When using the zend-mail component to send email via the `Zend\Mail\Transport\Sendmail transport`, a malicious user may be able to inject arbitrary parameters to the system sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability.