Bug 259512 - <dev-php5/ZendFramework-1.7.5 local file inclusion / directory traversal
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://devzone.zend.com/article/4266-...
Whiteboard: C4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-02-18 18:38 UTC by Tobias Scherbaum (RETIRED)
Modified: 2009-02-25 21:49 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Tobias Scherbaum (RETIRED) gentoo-dev 2009-02-18 18:38:10 UTC
See http://weierophinney.net/matthew/archives/206-Zend-Framework-1.7.5-Released-Important-Note-Regarding-Zend_View.html

"A user filed an issue report showing a potential Local File Inclusion vulnerability in Zend_View’s setScriptPath() method: if user input were used to specify the script path, then it was possible to trigger the LFI. The vulnerability was completely contrived; no sane developer should ever configure the view script paths using user input. However, it pointed out another very real LFI attack vector."

Please bump to 1.7.5
Comment 1 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2009-02-19 21:17:29 UTC
I'm away from my devbox the next week or so.
But please feel free to bump and stabilize as needed.
Comment 2 Tobias Scherbaum (RETIRED) gentoo-dev 2009-02-20 15:35:12 UTC
(In reply to comment #1)
> I'm away from my devbox the next week or so.
> But please feel free to bump and stabilize as needed.
> 

Thanks.

Added 1.7.5 (already stable for ppc), please mark as stable:
=dev-php5/ZendFramework-1.7.5
Comment 3 Brent Baude (RETIRED) gentoo-dev 2009-02-20 17:40:45 UTC
ppc64 done
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2009-02-21 15:35:37 UTC
Stable for HPPA.
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2009-02-22 12:04:50 UTC
x86 stable
Comment 6 Markus Meier gentoo-dev 2009-02-25 20:52:04 UTC
amd64 stable, all arches done.
Comment 7 Matti Bickel (RETIRED) gentoo-dev 2009-02-25 21:46:08 UTC
As noted in the blog post, this vulnerability should be a non-issue with the updated version. If they turn off the default protection, they're responsible for the damage.

However, for rating and voting I would call this C4; a form of information disclosure might be possible via directory traversal.

tobi or security in general - if you disagree with the rating, please adjust and reopen. For C4 it's no glsa by default, so we're done and I will close this bug.