CVE-2015-3154 - Injection vulnerability in Zend Framework
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: LOW
- Integrity impact: LOW
- Availability impact: NONE
Summary
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables: This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection: An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Site Scripting through Log Files: An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection: An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
- Subverting Environment Variable Values: The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
Nessus
- NASL family: Amazon Linux Local Security Checks
- NASL id: ALA_ALAS-2015-560.NASL
- description: Upstream reported a vulnerability in the Zend\Mail component in Zend Framework 2, specifically in how it handles headers. Headers are not correctly filtered for newlines, allowing the ability to send additional, unrelated headers and to bypass additional headers by emitting the header/body separator sequence.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 84596
- published: 2015-07-08
- reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/84596
- title: Amazon Linux AMI : php-ZendFramework (ALAS-2015-560)
- code:

    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2015-560.
    #

    include("compat.inc");

    if (description)
    {
      script_id(84596);
      script_version("2.4");
      script_cvs_date("Date: 2020/01/31");

      script_cve_id("CVE-2015-3154");
      script_xref(name:"ALAS", value:"2015-560");

      script_name(english:"Amazon Linux AMI : php-ZendFramework (ALAS-2015-560)");
      script_summary(english:"Checks rpm output for the updated packages");

      script_set_attribute(attribute:"synopsis", value:"The remote Amazon Linux AMI host is missing a security update.");
      script_set_attribute(attribute:"description", value:"Upstream reported a vulnerability in the Zend\Mail component in Zend Framework 2, specifically in how it handles headers. Headers are not correctly filtered for newlines, allowing the ability to send additional, unrelated headers and to bypass additional headers by emitting the header/body separator sequence.");
      # http://framework.zend.com/security/advisory/ZF2015-04
      script_set_attribute(attribute:"see_also", value:"https://framework.zend.com/security/advisory/ZF2015-04");
      script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2015-560.html");
      script_set_attribute(attribute:"solution", value:"Run 'yum update php-ZendFramework' to update your system.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Auth-Adapter-Ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Cache-Backend-Apc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Cache-Backend-Libmemcached");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Cache-Backend-Memcached");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Captcha");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Mysqli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Pdo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Pdo-Mssql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Pdo-Mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Pdo-Pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Dojo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Feed");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Pdf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Search-Lucene");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Serializer-Adapter-Igbinary");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Services");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Soap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-demos");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-extras");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-full");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

      script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/07/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/08");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }

    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    flag = 0;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Auth-Adapter-Ldap-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Cache-Backend-Apc-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Cache-Backend-Libmemcached-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Cache-Backend-Memcached-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Captcha-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Db-Adapter-Mysqli-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Db-Adapter-Pdo-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Dojo-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Feed-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Ldap-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Pdf-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Search-Lucene-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Serializer-Adapter-Igbinary-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Services-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Soap-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-demos-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-extras-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-full-1.12.13-1.11.amzn1")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php-ZendFramework / php-ZendFramework-Auth-Adapter-Ldap / etc");
    }

- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DSA-3265.NASL
- description: Multiple vulnerabilities were discovered in Zend Framework, a PHP framework. Except for CVE-2015-3154, all these issues were already fixed in the version initially shipped with Jessie.
  - CVE-2014-2681 Lukas Reschke reported a lack of protection against XML External Entity injection attacks in some functions. This fix extends the incomplete one from CVE-2012-5657.
  - CVE-2014-2682 Lukas Reschke reported a failure to consider that the libxml_disable_entity_loader setting is shared among threads in the PHP-FPM case. This fix extends the incomplete one from CVE-2012-5657.
  - CVE-2014-2683 Lukas Reschke reported a lack of protection against XML Entity Expansion attacks in some functions. This fix extends the incomplete one from CVE-2012-6532.
  - CVE-2014-2684 Christian Mainka and Vladislav Mladenov from the Ruhr-University Bochum reported an error in the consumer
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 83748
- published: 2015-05-21
- reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/83748
- title: Debian DSA-3265-1 : zendframework - security update
- code:

    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DSA-3265. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #

    include("compat.inc");

    if (description)
    {
      script_id(83748);
      script_version("2.8");
      script_cvs_date("Date: 2018/11/10 11:49:37");

      script_cve_id("CVE-2014-2681", "CVE-2014-2682", "CVE-2014-2683", "CVE-2014-2684", "CVE-2014-2685", "CVE-2014-4914", "CVE-2014-8088", "CVE-2014-8089", "CVE-2015-3154");
      script_bugtraq_id(66358, 68031, 70011, 70378, 74561);
      script_xref(name:"DSA", value:"3265");

      script_name(english:"Debian DSA-3265-1 : zendframework - security update");
      script_summary(english:"Checks dpkg output for the updated package");

      script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
      script_set_attribute(attribute:"description", value:"Multiple vulnerabilities were discovered in Zend Framework, a PHP framework. Except for CVE-2015-3154, all these issues were already fixed in the version initially shipped with Jessie. - CVE-2014-2681 Lukas Reschke reported a lack of protection against XML External Entity injection attacks in some functions. This fix extends the incomplete one from CVE-2012-5657. - CVE-2014-2682 Lukas Reschke reported a failure to consider that the libxml_disable_entity_loader setting is shared among threads in the PHP-FPM case. This fix extends the incomplete one from CVE-2012-5657. - CVE-2014-2683 Lukas Reschke reported a lack of protection against XML Entity Expansion attacks in some functions. This fix extends the incomplete one from CVE-2012-6532. - CVE-2014-2684 Christian Mainka and Vladislav Mladenov from the Ruhr-University Bochum reported an error in the consumer's verify method that lead to acceptance of wrongly sourced tokens. - CVE-2014-2685 Christian Mainka and Vladislav Mladenov from the Ruhr-University Bochum reported a specification violation in which signing of a single parameter is incorrectly considered sufficient. - CVE-2014-4914 Cassiano Dal Pizzol discovered that the implementation of the ORDER BY SQL statement in Zend_Db_Select contains a potential SQL injection when the query string passed contains parentheses. - CVE-2014-8088 Yury Dyachenko at Positive Research Center identified potential XML eXternal Entity injection vectors due to insecure usage of PHP's DOM extension. - CVE-2014-8089 Jonas Sandstrom discovered a SQL injection vector when manually quoting value for sqlsrv extension, using null byte. - CVE-2015-3154 Filippo Tessarotto and Maks3w reported potential CRLF injection attacks in mail and HTTP headers.");
      script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743175");
      script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754201");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2015-3154");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2014-2681");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2012-5657");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2014-2682");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2012-5657");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2014-2683");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2012-6532");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2014-2684");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2014-2685");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2014-4914");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2014-8088");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2014-8089");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2015-3154");
      script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/wheezy/zendframework");
      script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/jessie/zendframework");
      script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2015/dsa-3265");
      script_set_attribute(attribute:"solution", value:"Upgrade the zendframework packages. For the oldstable distribution (wheezy), these problems have been fixed in version 1.11.13-1.1+deb7u1. For the stable distribution (jessie), these problems have been fixed in version 1.12.9+dfsg-2+deb8u1.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:zendframework");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");

      script_set_attribute(attribute:"patch_publication_date", value:"2015/05/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/21");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

      exit(0);
    }

    include("audit.inc");
    include("debian_package.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

    flag = 0;
    if (deb_check(release:"7.0", prefix:"zendframework", reference:"1.11.13-1.1+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"zendframework-bin", reference:"1.11.13-1.1+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"zendframework-resources", reference:"1.11.13-1.1+deb7u1")) flag++;
    if (deb_check(release:"8.0", prefix:"zendframework", reference:"1.12.9+dfsg-2+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"zendframework-bin", reference:"1.12.9+dfsg-2+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"zendframework-resources", reference:"1.12.9+dfsg-2+deb8u1")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");

- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2015-8714.NASL
- description:
  **Zend Framework 1.12.13**
  - 567: Cast int and float to string when creating headers
  **Zend Framework 1.12.12**
  - 493: PHPUnit not being installed
  - 511: Add PATCH to the list of allowed methods in Zend_Controller_Request_HttpTestCase
  - 513: Save time and space when cloning PHPUnit
  - 515: !IE conditional comments bug
  - 516: Zend_Locale does not honor parentLocale configuration
  - 518: Run travis build also on PHP 7 builds
  - 534: Failing unit test: Zend_Validate_EmailAddressTest::testIdnHostnameInEmail lAddress
  - 536: Zend_Measure_Number convert some decimal numbers to roman with space char
  - 537: Extend view renderer controller fix (#440)
  - 540: Fix PHP 7 BC breaks in Zend_XmlRpc/Amf_Server
  - 541: Fixed errors in tests on PHP7
  - 542: Correctly reset the sub-path when processing routes
  - 545: Fixed path delimeters being stripped by chain routes affecting later routes
  - 546: TravisCI: Skip memcache(d) on PHP 5.2
  - 547: Session Validators throw
- last seen: 2020-06-05
- modified: 2015-06-02
- plugin id: 83934
- published: 2015-06-02
- reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/83934
- title: Fedora 20 : php-ZendFramework-1.12.13-1.fc20 (2015-8714)
- code:

    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Fedora Security Advisory 2015-8714.
    #

    include("compat.inc");

    if (description)
    {
      script_id(83934);
      script_version("2.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

      script_cve_id("CVE-2015-3154");
      script_xref(name:"FEDORA", value:"2015-8714");

      script_name(english:"Fedora 20 : php-ZendFramework-1.12.13-1.fc20 (2015-8714)");
      script_summary(english:"Checks rpm output for the updated package.");

      script_set_attribute(attribute:"synopsis", value:"The remote Fedora host is missing a security update.");
      script_set_attribute(attribute:"description", value:"**Zend Framework 1.12.13** - 567: Cast int and float to string when creating headers **Zend Framework 1.12.12** - 493: PHPUnit not being installed - 511: Add PATCH to the list of allowed methods in Zend_Controller_Request_HttpTestCase - 513: Save time and space when cloning PHPUnit - 515: !IE conditional comments bug - 516: Zend_Locale does not honor parentLocale configuration - 518: Run travis build also on PHP 7 builds - 534: Failing unit test: Zend_Validate_EmailAddressTest::testIdnHostnameInEmail lAddress - 536: Zend_Measure_Number convert some decimal numbers to roman with space char - 537: Extend view renderer controller fix (#440) - 540: Fix PHP 7 BC breaks in Zend_XmlRpc/Amf_Server - 541: Fixed errors in tests on PHP7 - 542: Correctly reset the sub-path when processing routes - 545: Fixed path delimeters being stripped by chain routes affecting later routes - 546: TravisCI: Skip memcache(d) on PHP 5.2 - 547: Session Validators throw 'general' Session Exception during Session start - 550: Notice 'Undefined index: browser_version' - 557: doc: Zend Framework Dependencies table unreadable - 559: Fixes a typo in Zend_Validate messages for SK - 561: Zend_Date not expected year - 564: Zend_Application tries to load ZendX_Application_Resource_FrontController during instantiation **Security** - **ZF2015-04**: Zend_Mail and Zend_Http were both susceptible to CRLF Injection Attack vectors (for HTTP, this is often referred to as HTTP Response Splitting). Both components were updated to perform header value validations to ensure no values contain characters not detailed in their corresponding specifications, and will raise exceptions on detection. Each also provides new facilities for both validating and filtering header values prior to injecting them into header classes. If you use either Zend_Mail or Zend_Http, we recommend upgrading immediately. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1215712");
      # https://lists.fedoraproject.org/pipermail/package-announce/2015-June/159287.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1957dfce");
      script_set_attribute(attribute:"solution", value:"Update the affected php-ZendFramework package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-ZendFramework");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:20");

      script_set_attribute(attribute:"patch_publication_date", value:"2015/05/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/02");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^20([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 20.x", "Fedora " + os_ver);

    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

    flag = 0;
    if (rpm_check(release:"FC20", reference:"php-ZendFramework-1.12.13-1.fc20")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php-ZendFramework");
    }

- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2015-8710.NASL
- description:
  **Zend Framework 1.12.13**
  - 567: Cast int and float to string when creating headers
  **Zend Framework 1.12.12**
  - 493: PHPUnit not being installed
  - 511: Add PATCH to the list of allowed methods in Zend_Controller_Request_HttpTestCase
  - 513: Save time and space when cloning PHPUnit
  - 515: !IE conditional comments bug
  - 516: Zend_Locale does not honor parentLocale configuration
  - 518: Run travis build also on PHP 7 builds
  - 534: Failing unit test: Zend_Validate_EmailAddressTest::testIdnHostnameInEmail lAddress
  - 536: Zend_Measure_Number convert some decimal numbers to roman with space char
  - 537: Extend view renderer controller fix (#440)
  - 540: Fix PHP 7 BC breaks in Zend_XmlRpc/Amf_Server
  - 541: Fixed errors in tests on PHP7
  - 542: Correctly reset the sub-path when processing routes
  - 545: Fixed path delimeters being stripped by chain routes affecting later routes
  - 546: TravisCI: Skip memcache(d) on PHP 5.2
  - 547: Session Validators throw
- last seen: 2020-06-05
- modified: 2015-06-02
- plugin id: 83933
- published: 2015-06-02
- reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/83933
- title: Fedora 21 : php-ZendFramework-1.12.13-1.fc21 (2015-8710)
- code:

    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Fedora Security Advisory 2015-8710.
    #

    include("compat.inc");

    if (description)
    {
      script_id(83933);
      script_version("2.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

      script_cve_id("CVE-2015-3154");
      script_xref(name:"FEDORA", value:"2015-8710");

      script_name(english:"Fedora 21 : php-ZendFramework-1.12.13-1.fc21 (2015-8710)");
      script_summary(english:"Checks rpm output for the updated package.");

      script_set_attribute(attribute:"synopsis", value:"The remote Fedora host is missing a security update.");
      script_set_attribute(attribute:"description", value:"**Zend Framework 1.12.13** - 567: Cast int and float to string when creating headers **Zend Framework 1.12.12** - 493: PHPUnit not being installed - 511: Add PATCH to the list of allowed methods in Zend_Controller_Request_HttpTestCase - 513: Save time and space when cloning PHPUnit - 515: !IE conditional comments bug - 516: Zend_Locale does not honor parentLocale configuration - 518: Run travis build also on PHP 7 builds - 534: Failing unit test: Zend_Validate_EmailAddressTest::testIdnHostnameInEmail lAddress - 536: Zend_Measure_Number convert some decimal numbers to roman with space char - 537: Extend view renderer controller fix (#440) - 540: Fix PHP 7 BC breaks in Zend_XmlRpc/Amf_Server - 541: Fixed errors in tests on PHP7 - 542: Correctly reset the sub-path when processing routes - 545: Fixed path delimeters being stripped by chain routes affecting later routes - 546: TravisCI: Skip memcache(d) on PHP 5.2 - 547: Session Validators throw 'general' Session Exception during Session start - 550: Notice 'Undefined index: browser_version' - 557: doc: Zend Framework Dependencies table unreadable - 559: Fixes a typo in Zend_Validate messages for SK - 561: Zend_Date not expected year - 564: Zend_Application tries to load ZendX_Application_Resource_FrontController during instantiation **Security** - **ZF2015-04**: Zend_Mail and Zend_Http were both susceptible to CRLF Injection Attack vectors (for HTTP, this is often referred to as HTTP Response Splitting). Both components were updated to perform header value validations to ensure no values contain characters not detailed in their corresponding specifications, and will raise exceptions on detection. Each also provides new facilities for both validating and filtering header values prior to injecting them into header classes. If you use either Zend_Mail or Zend_Http, we recommend upgrading immediately. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1215712");
      # https://lists.fedoraproject.org/pipermail/package-announce/2015-June/159292.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5b19dcbf");
      script_set_attribute(attribute:"solution", value:"Update the affected php-ZendFramework package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-ZendFramework");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:21");

      script_set_attribute(attribute:"patch_publication_date", value:"2015/05/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/02");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^21([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 21.x", "Fedora " + os_ver);

    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

    flag = 0;
    if (rpm_check(release:"FC21", reference:"php-ZendFramework-1.12.13-1.fc21")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php-ZendFramework");
    }

NASL family Debian Local Security Checks
NASL id DEBIAN_DLA-251.NASL
description The previous zendframework upload incorrectly fixes CVE-2015-3154, causing a regression. This update corrects this problem. Thanks to Евгений Смолин (Evgeny Smolin) <[email protected]>.
- CVE-2012-6531 Pádraic Brady identified a weakness to handle the SimpleXMLElement zendframework class, allowing remote attackers to read arbitrary files or create TCP connections via an XML external entity (XXE) injection attack.
- CVE-2012-6532 Pádraic Brady found that remote attackers could cause a denial of service by CPU consumption, via recursive or circular references through an XML entity expansion (XEE) attack.
- CVE-2014-2681 Lukas Reschke reported a lack of protection against XML External Entity injection attacks in some functions. This fix extends the incomplete one from CVE-2012-5657.
- CVE-2014-2682 Lukas Reschke reported a failure to consider that the libxml_disable_entity_loader setting is shared among threads in the PHP-FPM case. This fix extends the incomplete one from CVE-2012-5657.
- CVE-2014-2683 Lukas Reschke reported a lack of protection against XML Entity Expansion attacks in some functions. This fix extends the incomplete one from CVE-2012-6532.
- CVE-2014-2684 Christian Mainka and Vladislav Mladenov from the Ruhr-University Bochum reported an error in the consumer
last seen 2020-03-17
modified 2015-06-22
plugin id 84297
published 2015-06-22
reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/84297
title Debian DLA-251-2 : zendframework regression update

NASL family Fedora Local Security Checks
NASL id FEDORA_2015-8704.NASL
description **Zend Framework 1.12.13**
- 567: Cast int and float to string when creating headers
**Zend Framework 1.12.12**
- 493: PHPUnit not being installed
- 511: Add PATCH to the list of allowed methods in Zend_Controller_Request_HttpTestCase
- 513: Save time and space when cloning PHPUnit
- 515: !IE conditional comments bug
- 516: Zend_Locale does not honor parentLocale configuration
- 518: Run travis build also on PHP 7 builds
- 534: Failing unit test: Zend_Validate_EmailAddressTest::testIdnHostnameInEmail lAddress
- 536: Zend_Measure_Number convert some decimal numbers to roman with space char
- 537: Extend view renderer controller fix (#440)
- 540: Fix PHP 7 BC breaks in Zend_XmlRpc/Amf_Server
- 541: Fixed errors in tests on PHP7
- 542: Correctly reset the sub-path when processing routes
- 545: Fixed path delimeters being stripped by chain routes affecting later routes
- 546: TravisCI: Skip memcache(d) on PHP 5.2
- 547: Session Validators throw
last seen 2020-06-05
modified 2015-06-02
plugin id 83932
published 2015-06-02
reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/83932
title Fedora 22 : php-ZendFramework-1.12.13-1.fc22 (2015-8704)