GHSA-mg7h-9qfx-4r83

Published: 07 Jun 2024
Source: github
GitHub: reviewed
CVSS3: 5.9

Description

ZendFramework Potential Proxy Injection Vulnerabilities

Zend\Session\Validator\RemoteAddr and Zend\View\Helper\ServerUrl were found to be improperly parsing HTTP headers for proxy information, which could potentially allow an attacker to spoof a proxied IP or host name.

In Zend\Session\Validator\RemoteAddr, if the client is behind a proxy server, the detection of the proxy URL was incorrect, and could lead to invalid results on subsequent lookups.

In Zend\View\Helper\ServerUrl, if the server lives behind a proxy, the helper would always generate a URL based on the proxy host, regardless of whether or not this was desired; additionally, it did not take into account the proxy port or protocol, if provided.
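Both defects above have the same root cause: proxy-related request headers were treated as trustworthy regardless of who sent them. As an added example (plain PHP, not Zend Framework's own code), the snippet below places the weak pattern beside a hardened one: forwarded headers are honoured only when the request arrives from a proxy we operate, the forwarded-for chain is walked from the hop nearest us, and the scheme and host are validated before a URL is built from them. The `X-Forwarded-*` header names and the `$trustedProxies` list are assumptions about the deployment; the sample requests are constructed.

```php
<?php
// Added example (not Zend Framework code): deriving the client address and the
// public base URL behind a reverse proxy, the weak way and the hardened way.
// Assumptions: our own reverse proxies are listed in $trustedProxies and they
// append the peer address to X-Forwarded-For on the way in.
declare(strict_types=1);

/** Weak pattern: believes X-Forwarded-For no matter who sent the request. */
function clientIpNaive(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    return $server['REMOTE_ADDR'];
}

/**
 * Hardened pattern: honour the header only if the direct peer is one of our
 * proxies, then walk the chain from the right (the hop our proxy appended)
 * and return the first address that is not one of our proxies.
 */
function clientIpTrusted(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer; // direct client: the header is attacker-controlled input
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed entry: fall back rather than trust it
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer; // header empty or made up only of our own proxies
}

/**
 * Public base URL of the request. X-Forwarded-Proto/Host/Port are applied only
 * when the request came through one of our proxies; the result is validated so
 * header junk cannot end up in generated links (hostnames and IPv4 only here).
 */
function serverUrl(array $server, array $trustedProxies): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host   = $server['SERVER_NAME'];
    $port   = (int) ($server['SERVER_PORT'] ?? ($scheme === 'https' ? 443 : 80));

    if (in_array($server['REMOTE_ADDR'], $trustedProxies, true)) {
        if (!empty($server['HTTP_X_FORWARDED_PROTO'])) {
            $scheme = strtolower(trim(explode(',', $server['HTTP_X_FORWARDED_PROTO'])[0]));
            $port   = $scheme === 'https' ? 443 : 80; // default for the forwarded scheme
        }
        if (!empty($server['HTTP_X_FORWARDED_HOST'])) {
            $host = trim(explode(',', $server['HTTP_X_FORWARDED_HOST'])[0]);
            if (strpos($host, ':') !== false) {
                [$host, $hostPort] = explode(':', $host, 2);
                $port = (int) $hostPort;
            }
        }
        if (!empty($server['HTTP_X_FORWARDED_PORT'])) {
            $port = (int) $server['HTTP_X_FORWARDED_PORT'];
        }
    }
    if (!in_array($scheme, ['http', 'https'], true) || !preg_match('/^[A-Za-z0-9.-]+$/', $host)) {
        throw new InvalidArgumentException('Refusing to build a URL from an unexpected scheme or host');
    }
    $default = $scheme === 'https' ? 443 : 80;
    return sprintf('%s://%s%s', $scheme, $host, $port === $default ? '' : ':' . $port);
}

$trustedProxies = ['192.0.2.10']; // constructed: address of our reverse proxy

// Constructed request: a direct client that sets proxy headers itself.
$forged = [
    'REMOTE_ADDR'            => '203.0.113.9',
    'HTTP_X_FORWARDED_FOR'   => '10.0.0.1',
    'HTTP_X_FORWARDED_HOST'  => 'spoofed.example',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'SERVER_NAME'            => 'app.example.com',
    'SERVER_PORT'            => '80',
];
// Constructed request: the same headers, but set by our proxy for a real client.
$proxied = array_merge($forged, [
    'REMOTE_ADDR'           => '192.0.2.10',
    'HTTP_X_FORWARDED_FOR'  => '198.51.100.7, 192.0.2.10',
    'HTTP_X_FORWARDED_HOST' => 'www.example.com',
]);

printf("naive,   forged:  %s\n", clientIpNaive($forged));
printf("trusted, forged:  %s\n", clientIpTrusted($forged, $trustedProxies));
printf("trusted, proxied: %s\n", clientIpTrusted($proxied, $trustedProxies));
printf("url,     forged:  %s\n", serverUrl($forged, $trustedProxies));
printf("url,     proxied: %s\n", serverUrl($proxied, $trustedProxies));
```

Run with `php example.php`. The naive helper reports the forged address for the direct client, whereas the hardened helper ignores the header because the peer is not a known proxy, and for the genuinely proxied request it returns the real client address and the externally visible host. Maintaining the trusted-proxy list (and, ideally, an allowlist of expected hostnames) is deployment configuration, which is why frameworks expose it as an option rather than guessing.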

Packages

Name: zendframework/zendframework (composer)
Affected versions: >= 2.0.0, < 2.0.5
Fixed version: 2.0.5

CVSS3: 5.9 Medium

Weaknesses

CWE-74
