
ZF2011-01: Potential XSS in Development Environment Error View Script

The default error handling view script generated using <code>Zend_Tool</code> failed to escape request parameters when run in the "development" configuration environment, providing a potential XSS attack vector.

<code>Zend_Tool_Project_Context_Zf_ViewScriptFile</code> was patched such that the view script template now calls the <code>escape()</code> method on dumped request variables.

This particular vulnerability affects only those users who (a) are using <code>Zend_Tool</code> (aka the <code>zf</code> CLI) to generate their <code>ErrorController</code> and view script, and (b) are running that code under the "development" configuration environment on a public-facing web server.

If you are running in any environment other than "development", the issue does not occur.

There are three approaches you can take:

<dl>
<dt>Make sure you set the correct application environment.</dt>
<dd>
You should only ever run in the "development" environment when developing the application, and typically only behind a firewall. Additionally, you should set your <code>APPLICATION_ENV</code> environment variable via your web server's virtual host configuration whenever possible. For public-facing hosts, set the value to anything other than "development".

If you must run under the "development" application environment on a publicly accessible server, follow one of the next two recommendations.
</dd>

<dt>Upgrade to Zend Framework 1.11.4</dt>
<dd>
Zend Framework 1.11.4 includes a patch that adds escaping to the generated <code>error/error.phtml</code> view script, ensuring that request variables are escaped appropriately for the browser.

Do note, however, that this will not update any previously generated code. You will still need to follow the next advice for previously generated error view scripts.
</dd>

<dt>Modify your error/error.phtml view script</dt>
<dd>
If you cannot upgrade, or if you want to patch previously generated error view scripts, do the following:

Open the <code>application/views/scripts/error/error.phtml</code> file from your ZF-generated project in a text editor or your IDE.

Find the heading "Request Parameters".

The line following it contains the statement that calls <code>var_export</code> on the request parameters.

Edit that statement to wrap the <code>var_export</code> call within a <code>$this-&gt;escape()</code> method call.

Once complete, save the file.
</dd>
</dl>
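The following is an added example, not code from the Zend Framework project or from this advisory. It reconstructs the pattern the advisory describes: an error view that dumps the request parameters with <code>var_export</code>, first straight into the HTML (the pre-1.11.4 generated script) and then wrapped in the view's <code>escape()</code> call (the patched script). The exact generated statement is not reproduced on this page, so the <code>var_export($params, true)</code> form is an assumption, as is <code>DemoView::escape()</code>, which stands in for <code>Zend_View</code>'s <code>escape()</code> and is modelled on <code>htmlspecialchars()</code> with <code>ENT_COMPAT</code> and UTF-8. The request parameters are constructed sample input.

```php
<?php
// Added example, not code from the Zend Framework project or the advisory.
// It shows the vulnerable and the patched "Request Parameters" rendering
// side by side. DemoView::escape() is an assumed stand-in for Zend_View's
// escape(); the $params array is constructed sample input.

final class DemoView
{
    /** @var array<string, mixed> */
    private $params;

    public function __construct(array $params)
    {
        $this->params = $params;
    }

    /** Assumed equivalent of Zend_View::escape() with its default settings. */
    public function escape($value)
    {
        return htmlspecialchars((string) $value, ENT_COMPAT, 'UTF-8');
    }

    /** The vulnerable pattern: the exported parameters land in the page verbatim. */
    public function renderRequestParamsUnescaped()
    {
        return "<h3>Request Parameters:</h3>\n<pre>"
            . var_export($this->params, true)
            . "</pre>";
    }

    /** The patched pattern: the whole var_export() string passes through escape(). */
    public function renderRequestParamsEscaped()
    {
        return "<h3>Request Parameters:</h3>\n<pre>"
            . $this->escape(var_export($this->params, true))
            . "</pre>";
    }
}

// Constructed sample: one query-string value that closes the <pre> and injects a script.
$params = array(
    'controller' => 'error',
    'action'     => 'error',
    'q'          => '</pre><script>alert(document.cookie)</script>',
);

$view = new DemoView($params);

$unsafe = $view->renderRequestParamsUnescaped();
$safe   = $view->renderRequestParamsEscaped();

// The unescaped output carries a live <script> element; the escaped one renders it as text.
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);

echo "Unescaped (vulnerable):\n", $unsafe, "\n\nEscaped (patched):\n", $safe, "\n";
```

Run it with <code>php example.php</code>. Escaping the complete <code>var_export</code> output is sufficient here because the dump is shown as text inside a <code>&lt;pre&gt;</code> block, so every angle bracket, ampersand and quote in any parameter name or value is neutralised in one place. As the advisory notes, upgrading only fixes the template for newly generated projects; an existing <code>error.phtml</code> must be edited by hand in the same way.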

The Zend Framework team thanks the following for working with us to help protect its users:

Robert Lehmann

Frederik Braun

Hubert Hesse

    When reporting issues, please provide the following information:

Component(s) affected

A description indicating how to reproduce the issue

A summary of the security vulnerability and impact

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

We will patch the current release branch, as well as the immediate prior minor release branch.

After patching the release branches, we will immediately issue new security fix releases for each patched release branch.