Search for packages
| purl | pkg:composer/zendframework/zendframework1@1.12.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2ncq-wptr-k3ha
Aliases: ZF2015-08 |
SQL Injection Potential SQL injection vector using null byte for PDO (MsSql, SQLite). |
Affected by 10 other vulnerabilities. |
|
VCID-2xx4-77e9-pfbb
Aliases: ZF2016-02 |
Potential SQL injection The implementation of `ORDER BY` and `GROUP BY` in `Zend_Db_Select` of ZF1 is vulnerable by the following SQL injection. |
Affected by 2 other vulnerabilities. |
|
VCID-5bm4-grk6-w7hk
Aliases: CVE-2015-3154 GHSA-5957-5crx-79jx |
CRLF Injection Potential CRLF injection attacks in mail and HTTP headers. |
Affected by 15 other vulnerabilities. |
|
VCID-6xpr-93ef-27cu
Aliases: CVE-2014-8088 GHSA-f6rc-rh43-h8gr |
Improper Authentication The (1) `Zend_Ldap` class in Zend and (2) `Zend dap` component in Zend allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind. |
Affected by 16 other vulnerabilities. |
|
VCID-8atm-865q-mkf3
Aliases: ZF2015-09 |
Potential Information Disclosure and Insufficient Entropy vulnerability in `Zend\Captcha\Word`. |
Affected by 7 other vulnerabilities. |
|
VCID-9bm9-b48z-zqcm
Aliases: GHSA-2x36-qhx3-7m5f |
ZendFramework1 Potential SQL injection in the ORDER implementation of Zend_Db_Select The implementation of the ORDER BY SQL statement in Zend_Db_Select of Zend Framework 1 contains a potential SQL injection when the query string passed contains parentheses. For instance, the following code is affected by this issue: ``` $db = Zend_Db::factory( /* options here */ ); $select = $db->select() ->from(array('p' => 'products')) ->order('MD5(1); drop table products'); echo $select; ``` This code produce the string: ``` SELECT "p".* FROM "products" AS "p" ORDER BY MD5(1);drop table products ASC ``` instead of the correct one: ``` SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);drop table products" ASC ``` The SQL injection occurs because we create a new Zend_Db_Expr() object, in presence of parentheses, passing directly the value without any filter on the string. |
Affected by 18 other vulnerabilities. |
|
VCID-a72a-7k6u-rqgr
Aliases: ZF2014-04 |
SQL Injection Potential SQL injection in the ORDER implementation of `Zend_Db_Select`. |
Affected by 18 other vulnerabilities. |
|
VCID-b1da-n1u7-43hj
Aliases: GHSA-8xhv-gqm4-3w99 |
ZendFramework1 Potential Insufficient Entropy Vulnerability We discovered several methods used to generate random numbers in ZF1 that potentially used insufficient entropy. These random number generators are used in the following method calls: ``` Zend_Ldap_Attribute::createPassword Zend_Form_Element_Hash::_generateHash Zend_Gdata_HttpClient::filterHttpRequest Zend_Filter_Encrypt_Mcrypt::_srand Zend_OpenId::randomBytes ``` In each case, the methods were using rand() or mt_rand(), neither of which can generate cryptographically secure values. This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. Moreover, we discovered a potential security issue in the usage of the [openssl_random_pseudo_bytes()](http://php.net/manual/en/function.openssl-random-pseudo-bytes.php) function in Zend_Crypt_Math::randBytes, reported in PHP BUG [#70014](https://bugs.php.net/bug.php?id=70014), and the security implications reported in a discussion [on the random_compat library.](https://github.com/paragonie/random_compat/issues/96) |
Affected by 4 other vulnerabilities. |
|
VCID-bjvu-jg9w-mqdd
Aliases: CVE-2016-6233 GHSA-p9hp-3gpv-52w3 |
SQL Injection The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern `[\w]*` in a regular expression. |
Affected by 2 other vulnerabilities. |
|
VCID-c8kp-n8m3-2khe
Aliases: GHSA-6fqw-j3vm-7f66 |
Zendframework1 Potential SQL injection in ORDER and GROUP functions The implementation of ORDER BY and GROUP BY in Zend_Db_Select remained prone to SQL injection when a combination of SQL expressions and comments were used. This security patch provides a comprehensive solution that identifies and removes comments prior to checking validity of the statement to ensure no SQLi vectors occur. The implementation of ORDER BY and GROUP BY in Zend_Db_Select of ZF1 is vulnerable by the following SQL injection: ``` $db = Zend_Db::factory(/* options here */); $select = new Zend_Db_Select($db); $select->from('p'); $select->order("MD5(\"a(\");DELETE FROM p2; #)"); // same with group() ``` The above $select will render the following SQL statement: ``` SELECT `p`.* FROM `p` ORDER BY MD5("a(");DELETE FROM p2; #) ASC ``` instead of the correct one: ``` SELECT "p".* FROM "p" ORDER BY "MD5(""a("");DELETE FROM p2; #)" ASC ``` This security fix can be considered an improvement of the previous ZF2016-02 and ZF2014-04 advisories. As a final consideration, we recommend developers either never use user input for these operations, or filter user input thoroughly prior to invoking Zend_Db. You can use the Zend_Db_Select::quoteInto() method to filter the input data, as shown in this example: ``` $db = Zend_Db::factory(...); $input = "MD5(\"a(\");DELETE FROM p2; #)"; // user input can be an attack $order = $db->quoteInto("SQL statement for ORDER", $input); $select = new Zend_Db_Select($db); $select->from('p'); $select->order($order); // same with group() ``` |
Affected by 0 other vulnerabilities. |
|
VCID-h5yf-ahec-gbgx
Aliases: GHSA-848f-mph5-9pm9 |
Zendframework Potential Information Disclosure and Insufficient Entropy vulnerability In Zend Framework, Zend_Captcha_Word (v1) and Zend\Captcha\Word (v2) generate a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this advisory, the selection was performed using PHP's internal array_rand() function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as openssl_pseudo_random_bytes(). This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. |
Affected by 7 other vulnerabilities. |
|
VCID-n2gy-93nd-gber
Aliases: ZF2016-01 |
Potential Insufficient Entropy Vulnerability in ZF1. |
Affected by 4 other vulnerabilities. |
|
VCID-njsg-e1w1-9qcy
Aliases: CVE-2015-5161 GHSA-xp8p-9rq5-4wgv |
XXE/XEE vulnerability via multibyte payloads There's a flow that allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters. This only apply when running under PHP-FPM in a threaded environment. |
Affected by 14 other vulnerabilities. |
|
VCID-ps73-776n-zffn
Aliases: GHSA-v42g-7q2x-cw32 |
Zendframework1 potential SQL injection vector using null byte for PDO (MsSql, SQLite) The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection. We tested and verified the null byte injection using pdo_dblib (FreeTDS) on a Linux environment to access a remote Microsoft SQL Server, and also tested against and noted the vector against pdo_sqlite. |
Affected by 10 other vulnerabilities. |
|
VCID-q73m-16a9-rkgx
Aliases: GMS-2015-49 |
Potential Information Disclosure and Insufficient Entropy in Zend\Captcha\Word Zend generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This can potentially lead to information disclosure should an attacker be able to brute force the random number generation. |
Affected by 7 other vulnerabilities. |
|
VCID-q74z-645k-c7dk
Aliases: CVE-2015-5723 GHSA-pw5c-xqf2-6xc2 |
Security Misconfiguration Vulnerability Doctrine uses `mkdir($cacheDirectory )` to create caches directories. if your application runs with a umask of |
Affected by 10 other vulnerabilities. |
|
VCID-r5y8-nc2w-kqde
Aliases: CVE-2014-8089 GHSA-qh9w-r7g5-q939 |
SQL Injection SQL injection vector when manually quoting values for `sqlsrv` extension, using null byte. |
Affected by 16 other vulnerabilities. |
|
VCID-rc3w-5r97-k3b3
Aliases: ZF2016-03 |
Potential SQL injection in ORDER and GROUP functions The implementation of ORDER BY and GROUP BY in `Zend_Db_Select` is prone to SQL injection when a combination of SQL expressions and comments are used. |
Affected by 0 other vulnerabilities. |
|
VCID-sjw9-2fwe-5ybg
Aliases: ZF2016-11 |
Potential Insufficient Entropy There are several methods used to generate random numbers in ZF1 that potentially used insufficient entropy. Moreover, there's a potential security issue in the usage of the `openssl_random_pseudo_bytes()` function in `Zend_Crypt_Math::randBytes`, reported in PHP BUG #70014, and the security implications reported in a discussion on the `random_compat` library. |
Affected by 4 other vulnerabilities. |
|
VCID-uvgx-4m6v-2bg7
Aliases: CVE-2015-7695 GHSA-2hvh-c5c2-vj85 |
SQL injection vector using null byte for PDO The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection. This only impacts MsSql and SQLite adapters. |
Affected by 10 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-649h-2f2f-nbam | ZendFramework potential XML eXternal Entity injection vectors Numerous components utilizing PHP's `DOMDocument`, `SimpleXML`, and `xml_parse` functionality are vulnerable to two types of attacks: - XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections. - XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement. |
GHSA-mhpx-3rv8-wrjm
|
| VCID-6fzg-den8-rqc8 | Several Zend Products Vulnerable to XXE and XEE attacks Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657. |
CVE-2014-2681
GHSA-43xg-87xw-jpv8 |
| VCID-afnn-53q5-wqft | Improper Authentication Potential security issue in login mechanism of ZendOpenId and Zend_OpenId consumer. |
ZF2014-02
|
| VCID-e9ut-smfp-7yb4 | Zendframework potential security issue in login mechanism Using the Consumer component of ZendOpenId (or Zend_OpenId in ZF1), it is possible to login using an arbitrary OpenID account (without knowing any secret information) by using a malicious OpenID Provider. That means OpenID it is possible to login using arbitrary OpenID Identity (MyOpenID, Google, etc), which are not under the control of our own OpenID Provider. Thus, we are able to impersonate any OpenID Identity against the framework. Moreover, the Consumer accepts OpenID tokens with arbitrary signed elements. The framework does not check if, for example, both openid.claimed_id and openid.endpoint_url are signed. It is just sufficient to sign one parameter. According to https://openid.net/specs/openid-authentication-2_0.html#positive_assertions, at least op_endpoint, return_to, response_nonce, assoc_handle, and, if present in the response, claimed_id and identity, must be signed. |
GHSA-9v78-h226-2rmq
|
| VCID-grk8-aj34-hqb4 | Improper Restriction of XML External Entity Reference Potential XXE/XEE attacks using PHP functions: `simplexml_load_*`, `DOMDocument::loadXML`, and `xml_parse`. |
ZF2014-01
|
| VCID-tpdc-c3mz-zyd2 | Several Zend Products Vulnerable to XXE and XEE attacks Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657. |
CVE-2014-2682
GHSA-gp39-h9c2-qw79 |
| VCID-wkkp-82dc-huhr | Several Zend Products Vulnerable to XXE and XEE attacks Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to cause a denial of service (CPU consumption) via (1) recursive or (2) circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-6532. |
CVE-2014-2683
GHSA-5wm2-38q5-5rxv |