RCE ‘Bug’ Found and Disputed in Popular PHP Scripting Framework
2021-01-05 22:28

Versions of the popular developer tool Zend Framework and its successor, the Laminas Project, can be abused by an attacker to execute code remotely on PHP-based websites, provided those sites run web applications that are themselves vulnerable to attack.

Impacted are Zend Framework version 3.0.0 and Laminas Project laminas-http before 2.14.2; an estimated "several million websites" use the framework and may be affected.

End of life for Zend Framework was Dec. 31, 2019, after which it was folded into the Laminas Project.

According to the maintainers, Zend Framework and Laminas Project are equivalent.

According to Yizhou, the Zend Framework 3.0.0 version has a deserialization vulnerability that can lead to remote code execution "If the content is controllable, related to the destruct method of the ZendHttpResponseStream class in Stream.php."

Proof-of-concept attack scenarios against Zend Framework and Laminas Project were posted to a GitHub page maintained by security researcher Yizhou.


News URL

https://threatpost.com/rce-bug-php-scripting-framework/162773/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
PHP 20 24 297 211 81 613