Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nd3BtLXBtNngtaDdyas4AA8z_
ZendFramework Cross-site Scripting vector in `Zend_Filter_StripTags`
Zend_Filter_StripTags is a filtering class analogous to PHP's strip_tags() function. In addition to stripping HTML tags and selectively keeping those provided in a whitelist, it also provides the ability to whitelist specific attributes to retain per whitelisted tag.
The reporter discovered that attributes that contained whitespace, and in paricular, line breaks, surrounding the attribute assignment operator would not be stripped, regardless of whether or not they were whitelisted. As examples of input affected:
<!-- newlines before and/or after assignment: -->
<a href="http://framework.zend.com/issues" onclick
=
"alert('Broken'); return false;">Issues</a>
When passed to the following code:
$filter = new Zend_Filter_StripTags(array('a' => array('href')));
$value = $filter->($html);
then the "onclick" attribute would remain, even though it was not specified in the tag's whitelist. This could open potential cross-site scripting attack (XSS) vectors.
Recommendations
If you were using Zend_Filter_StripTags and utlizing the attribute whitelisting functionality, you should immediately upgrade to Zend Framework 1.7.6 or above; regardless, it is always best to run the most current version of the framework.
Also, if relying on Zend_Filter_StripTags to prevent XSS, the only way to reliably do so is to strip all tags, and never to whitelist. If you are whitelisting, you should consider finding a reliable XSS filter through which to run your output; we recommend HTML Purifier.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nd3BtLXBtNngtaDdyas4AA8z_
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-gwpm-pm6x-h7rj
References:
- https://framework.zend.com/security/advisory/ZF2009-02
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2009-02.yaml
- https://github.com/advisories/GHSA-gwpm-pm6x-h7rj
Affected Packages
packagist:zendframework/zendframework1
Dependent packages: 151Dependent repositories: 841
Downloads: 6,569,545 total
Affected Version Ranges: >= 1.7.0, < 1.7.6
Fixed in: 1.7.6
All affected versions:
All unaffected versions: 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.12.9, 1.12.10, 1.12.11, 1.12.12, 1.12.13, 1.12.14, 1.12.15, 1.12.16, 1.12.17, 1.12.18, 1.12.19, 1.12.20