Security News > 2021 > January > Zend Framework remote code execution vulnerability revealed
An untrusted deserialization vulnerability has been disclosed this week in how Zend Framework can be exploited by attackers to achieve remote code execution on vulnerable PHP sites.
"Zend Framework 3.0.0 has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the destruct method of the ZendHttpResponseStream class in Stream.php," states MITRE's advisory for CVE-2021-3007.
While the actual untrusted deserialization has to come from a vulnerable application and does not exist in Zend Framework itself, the chain of classes provided by Zend allows an attacker to achieve RCE. Untrusted deserialization vulnerabilities occur in applications when encoded data being received by the application from a user or a system is not properly validated before it is decoded by the application.
Yizhou highlighted the toString method in the Gravatar class of Zend Framework had been written by its programmers in such a way that it eventually returned values that the attacker had direct control over, to execute arbitrary code.
"The code may be related to Laminas Project laminas-http. Zend Framework is no longer supported by the maintainer. However, not all Zend Framework 3.0.0 vulnerabilities exist in a Laminas Project release," states MITRE's advisory.
Update 5-Jan-2021: Clarified the gadget chain in Zend Framework may aid in achieving RCE for an application vulnerable to untrusted deserialization.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-01-04 | CVE-2021-3007 | Deserialization of Untrusted Data vulnerability in multiple products Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. | 9.8 |