CVE-2015-3154 - Injection vulnerability in Zend Framework

CVSS 4.3 - MEDIUM

  • Attack vector: NETWORK
  • Attack complexity: MEDIUM
  • Privileges required: NONE
  • Confidentiality impact: NONE
  • Integrity impact: PARTIAL
  • Availability impact: NONE

Tags: network, zend, CWE-74, nessus

Summary

CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.

Vulnerable Configurations

Part         Description  Count
Application  Zend         122

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.

Nessus

  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2015-560.NASL
    description: Upstream reported a vulnerability in the Zend\Mail component in Zend Framework 2, specifically in how it handles headers. Headers are not correctly filtered for newlines, allowing the ability to send additional, unrelated headers and to bypass additional headers by emitting the header/body separator sequence.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84596
    published: 2015-07-08
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84596
    title: Amazon Linux AMI : php-ZendFramework (ALAS-2015-560)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2015-560.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(84596);
      script_version("2.4");
      script_cvs_date("Date: 2020/01/31");
    
      script_cve_id("CVE-2015-3154");
      script_xref(name:"ALAS", value:"2015-560");
    
      script_name(english:"Amazon Linux AMI : php-ZendFramework (ALAS-2015-560)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Upstream reported a vulnerability in the Zend\Mail component in Zend
    Framework 2, specifically in how it handles headers. Headers are not
    correctly filtered for newlines, allowing the ability to send
    additional, unrelated headers and to bypass additional headers by
    emitting the header/body separator sequence."
      );
      # http://framework.zend.com/security/advisory/ZF2015-04
      script_set_attribute(
        attribute:"see_also",
        value:"https://framework.zend.com/security/advisory/ZF2015-04"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2015-560.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update php-ZendFramework' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Auth-Adapter-Ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Cache-Backend-Apc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Cache-Backend-Libmemcached");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Cache-Backend-Memcached");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Captcha");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Mysqli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Pdo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Pdo-Mssql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Pdo-Mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Pdo-Pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Dojo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Feed");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Pdf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Search-Lucene");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Serializer-Adapter-Igbinary");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Services");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-Soap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-demos");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-extras");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php-ZendFramework-full");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/07/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/08");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Auth-Adapter-Ldap-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Cache-Backend-Apc-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Cache-Backend-Libmemcached-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Cache-Backend-Memcached-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Captcha-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Db-Adapter-Mysqli-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Db-Adapter-Pdo-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Dojo-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Feed-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Ldap-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Pdf-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Search-Lucene-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Serializer-Adapter-Igbinary-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Services-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-Soap-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-demos-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-extras-1.12.13-1.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php-ZendFramework-full-1.12.13-1.11.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php-ZendFramework / php-ZendFramework-Auth-Adapter-Ldap / etc");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-3265.NASL
    description: Multiple vulnerabilities were discovered in Zend Framework, a PHP framework. Except for CVE-2015-3154, all these issues were already fixed in the version initially shipped with Jessie. - CVE-2014-2681 Lukas Reschke reported a lack of protection against XML External Entity injection attacks in some functions. This fix extends the incomplete one from CVE-2012-5657. - CVE-2014-2682 Lukas Reschke reported a failure to consider that the libxml_disable_entity_loader setting is shared among threads in the PHP-FPM case. This fix extends the incomplete one from CVE-2012-5657. - CVE-2014-2683 Lukas Reschke reported a lack of protection against XML Entity Expansion attacks in some functions. This fix extends the incomplete one from CVE-2012-6532. - CVE-2014-2684 Christian Mainka and Vladislav Mladenov from the Ruhr-University Bochum reported an error in the consumer
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 83748
    published: 2015-05-21
    reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/83748
    title: Debian DSA-3265-1 : zendframework - security update
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-3265. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(83748);
      script_version("2.8");
      script_cvs_date("Date: 2018/11/10 11:49:37");
    
      script_cve_id("CVE-2014-2681", "CVE-2014-2682", "CVE-2014-2683", "CVE-2014-2684", "CVE-2014-2685", "CVE-2014-4914", "CVE-2014-8088", "CVE-2014-8089", "CVE-2015-3154");
      script_bugtraq_id(66358, 68031, 70011, 70378, 74561);
      script_xref(name:"DSA", value:"3265");
    
      script_name(english:"Debian DSA-3265-1 : zendframework - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities were discovered in Zend Framework, a PHP
    framework. Except for CVE-2015-3154, all these issues were already
    fixed in the version initially shipped with Jessie.
    
      - CVE-2014-2681
        Lukas Reschke reported a lack of protection against XML
        External Entity injection attacks in some functions.
        This fix extends the incomplete one from CVE-2012-5657.
    
      - CVE-2014-2682
        Lukas Reschke reported a failure to consider that the
        libxml_disable_entity_loader setting is shared among
        threads in the PHP-FPM case. This fix extends the
        incomplete one from CVE-2012-5657.
    
      - CVE-2014-2683
        Lukas Reschke reported a lack of protection against XML
        Entity Expansion attacks in some functions. This fix
        extends the incomplete one from CVE-2012-6532.
    
      - CVE-2014-2684
        Christian Mainka and Vladislav Mladenov from the
        Ruhr-University Bochum reported an error in the
        consumer's verify method that lead to acceptance of
        wrongly sourced tokens.
    
      - CVE-2014-2685
        Christian Mainka and Vladislav Mladenov from the
        Ruhr-University Bochum reported a specification
        violation in which signing of a single parameter is
        incorrectly considered sufficient.
    
      - CVE-2014-4914
        Cassiano Dal Pizzol discovered that the implementation
        of the ORDER BY SQL statement in Zend_Db_Select contains
        a potential SQL injection when the query string passed
        contains parentheses.
    
      - CVE-2014-8088
        Yury Dyachenko at Positive Research Center identified
        potential XML eXternal Entity injection vectors due to
        insecure usage of PHP's DOM extension.
    
      - CVE-2014-8089
        Jonas Sandstrom discovered a SQL injection vector when
        manually quoting value for sqlsrv extension, using null
        byte.
    
      - CVE-2015-3154
        Filippo Tessarotto and Maks3w reported potential CRLF
        injection attacks in mail and HTTP headers."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743175"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754201"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2015-3154"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2014-2681"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2012-5657"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2014-2682"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2012-5657"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2014-2683"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2012-6532"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2014-2684"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2014-2685"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2014-4914"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2014-8088"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2014-8089"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2015-3154"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/zendframework"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/zendframework"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2015/dsa-3265"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the zendframework packages.
    
    For the oldstable distribution (wheezy), these problems have been
    fixed in version 1.11.13-1.1+deb7u1.
    
    For the stable distribution (jessie), these problems have been fixed
    in version 1.12.9+dfsg-2+deb8u1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:zendframework");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/05/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"zendframework", reference:"1.11.13-1.1+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"zendframework-bin", reference:"1.11.13-1.1+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"zendframework-resources", reference:"1.11.13-1.1+deb7u1")) flag++;
    if (deb_check(release:"8.0", prefix:"zendframework", reference:"1.12.9+dfsg-2+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"zendframework-bin", reference:"1.12.9+dfsg-2+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"zendframework-resources", reference:"1.12.9+dfsg-2+deb8u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2015-8714.NASL
    description: **Zend Framework 1.12.13** - 567: Cast int and float to string when creating headers **Zend Framework 1.12.12** - 493: PHPUnit not being installed - 511: Add PATCH to the list of allowed methods in Zend_Controller_Request_HttpTestCase - 513: Save time and space when cloning PHPUnit - 515: !IE conditional comments bug - 516: Zend_Locale does not honor parentLocale configuration - 518: Run travis build also on PHP 7 builds - 534: Failing unit test: Zend_Validate_EmailAddressTest::testIdnHostnameInEmail lAddress - 536: Zend_Measure_Number convert some decimal numbers to roman with space char - 537: Extend view renderer controller fix (#440) - 540: Fix PHP 7 BC breaks in Zend_XmlRpc/Amf_Server - 541: Fixed errors in tests on PHP7 - 542: Correctly reset the sub-path when processing routes - 545: Fixed path delimeters being stripped by chain routes affecting later routes - 546: TravisCI: Skip memcache(d) on PHP 5.2 - 547: Session Validators throw
    last seen: 2020-06-05
    modified: 2015-06-02
    plugin id: 83934
    published: 2015-06-02
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/83934
    title: Fedora 20 : php-ZendFramework-1.12.13-1.fc20 (2015-8714)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2015-8714.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(83934);
      script_version("2.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2015-3154");
      script_xref(name:"FEDORA", value:"2015-8714");
    
      script_name(english:"Fedora 20 : php-ZendFramework-1.12.13-1.fc20 (2015-8714)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "**Zend Framework 1.12.13**
    
      - 567: Cast int and float to string when creating headers
    
    **Zend Framework 1.12.12**
    
      - 493: PHPUnit not being installed
    
        - 511: Add PATCH to the list of allowed methods in
          Zend_Controller_Request_HttpTestCase
    
        - 513: Save time and space when cloning PHPUnit
    
        - 515: !IE conditional comments bug
    
        - 516: Zend_Locale does not honor parentLocale
          configuration
    
        - 518: Run travis build also on PHP 7 builds
    
        - 534: Failing unit test:
          Zend_Validate_EmailAddressTest::testIdnHostnameInEmail
          lAddress
    
        - 536: Zend_Measure_Number convert some decimal numbers
          to roman with space char
    
        - 537: Extend view renderer controller fix (#440)
    
        - 540: Fix PHP 7 BC breaks in Zend_XmlRpc/Amf_Server
    
        - 541: Fixed errors in tests on PHP7
    
        - 542: Correctly reset the sub-path when processing
          routes
    
        - 545: Fixed path delimeters being stripped by chain
          routes affecting later routes
    
        - 546: TravisCI: Skip memcache(d) on PHP 5.2
    
        - 547: Session Validators throw 'general' Session
          Exception during Session start
    
        - 550: Notice 'Undefined index: browser_version'
    
        - 557: doc: Zend Framework Dependencies table unreadable
    
        - 559: Fixes a typo in Zend_Validate messages for SK
    
        - 561: Zend_Date not expected year
    
        - 564: Zend_Application tries to load
          ZendX_Application_Resource_FrontController during
          instantiation
    
    **Security**
    
      - **ZF2015-04**: Zend_Mail and Zend_Http were both
        susceptible to CRLF Injection Attack vectors (for HTTP,
        this is often referred to as HTTP Response Splitting).
        Both components were updated to perform header value
        validations to ensure no values contain characters not
        detailed in their corresponding specifications, and will
        raise exceptions on detection. Each also provides new
        facilities for both validating and filtering header
        values prior to injecting them into header classes. If
        you use either Zend_Mail or Zend_Http, we recommend
        upgrading immediately.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1215712"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2015-June/159287.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?1957dfce"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected php-ZendFramework package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-ZendFramework");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:20");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/05/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^20([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 20.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC20", reference:"php-ZendFramework-1.12.13-1.fc20")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php-ZendFramework");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2015-8710.NASL
    description: **Zend Framework 1.12.13** - 567: Cast int and float to string when creating headers **Zend Framework 1.12.12** - 493: PHPUnit not being installed - 511: Add PATCH to the list of allowed methods in Zend_Controller_Request_HttpTestCase - 513: Save time and space when cloning PHPUnit - 515: !IE conditional comments bug - 516: Zend_Locale does not honor parentLocale configuration - 518: Run travis build also on PHP 7 builds - 534: Failing unit test: Zend_Validate_EmailAddressTest::testIdnHostnameInEmail lAddress - 536: Zend_Measure_Number convert some decimal numbers to roman with space char - 537: Extend view renderer controller fix (#440) - 540: Fix PHP 7 BC breaks in Zend_XmlRpc/Amf_Server - 541: Fixed errors in tests on PHP7 - 542: Correctly reset the sub-path when processing routes - 545: Fixed path delimeters being stripped by chain routes affecting later routes - 546: TravisCI: Skip memcache(d) on PHP 5.2 - 547: Session Validators throw
    last seen: 2020-06-05
    modified: 2015-06-02
    plugin id: 83933
    published: 2015-06-02
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/83933
    title: Fedora 21 : php-ZendFramework-1.12.13-1.fc21 (2015-8710)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2015-8710.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(83933);
      script_version("2.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2015-3154");
      script_xref(name:"FEDORA", value:"2015-8710");
    
      script_name(english:"Fedora 21 : php-ZendFramework-1.12.13-1.fc21 (2015-8710)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "**Zend Framework 1.12.13**
    
      - 567: Cast int and float to string when creating headers
    
    **Zend Framework 1.12.12**
    
      - 493: PHPUnit not being installed
    
        - 511: Add PATCH to the list of allowed methods in
          Zend_Controller_Request_HttpTestCase
    
        - 513: Save time and space when cloning PHPUnit
    
        - 515: !IE conditional comments bug
    
        - 516: Zend_Locale does not honor parentLocale
          configuration
    
        - 518: Run travis build also on PHP 7 builds
    
        - 534: Failing unit test:
          Zend_Validate_EmailAddressTest::testIdnHostnameInEmail
          lAddress
    
        - 536: Zend_Measure_Number convert some decimal numbers
          to roman with space char
    
        - 537: Extend view renderer controller fix (#440)
    
        - 540: Fix PHP 7 BC breaks in Zend_XmlRpc/Amf_Server
    
        - 541: Fixed errors in tests on PHP7
    
        - 542: Correctly reset the sub-path when processing
          routes
    
        - 545: Fixed path delimeters being stripped by chain
          routes affecting later routes
    
        - 546: TravisCI: Skip memcache(d) on PHP 5.2
    
        - 547: Session Validators throw 'general' Session
          Exception during Session start
    
        - 550: Notice 'Undefined index: browser_version'
    
        - 557: doc: Zend Framework Dependencies table unreadable
    
        - 559: Fixes a typo in Zend_Validate messages for SK
    
        - 561: Zend_Date not expected year
    
        - 564: Zend_Application tries to load
          ZendX_Application_Resource_FrontController during
          instantiation
    
    **Security**
    
      - **ZF2015-04**: Zend_Mail and Zend_Http were both
        susceptible to CRLF Injection Attack vectors (for HTTP,
        this is often referred to as HTTP Response Splitting).
        Both components were updated to perform header value
        validations to ensure no values contain characters not
        detailed in their corresponding specifications, and will
        raise exceptions on detection. Each also provides new
        facilities for both validating and filtering header
        values prior to injecting them into header classes. If
        you use either Zend_Mail or Zend_Http, we recommend
        upgrading immediately.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1215712"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2015-June/159292.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5b19dcbf"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected php-ZendFramework package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-ZendFramework");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:21");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/05/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^21([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 21.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC21", reference:"php-ZendFramework-1.12.13-1.fc21")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php-ZendFramework");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-251.NASL
    description: The previous zendframework upload incorrectly fixes CVE-2015-3154, causing a regression. This update corrects this problem. Thanks to Евгений Смолин (Evgeny Smolin) <esmolin@inbox.ru>. CVE-2012-6531 Pádraic Brady identified a weakness to handle the SimpleXMLElement zendframework class, allowing remote attackers to read arbitrary files or create TCP connections via an XML external entity (XXE) injection attack. CVE-2012-6532 Pádraic Brady found that remote attackers could cause a denial of service by CPU consumption, via recursive or circular references through an XML entity expansion (XEE) attack. CVE-2014-2681 Lukas Reschke reported a lack of protection against XML External Entity injection attacks in some functions. This fix extends the incomplete one from CVE-2012-5657. CVE-2014-2682 Lukas Reschke reported a failure to consider that the libxml_disable_entity_loader setting is shared among threads in the PHP-FPM case. This fix extends the incomplete one from CVE-2012-5657. CVE-2014-2683 Lukas Reschke reported a lack of protection against XML Entity Expansion attacks in some functions. This fix extends the incomplete one from CVE-2012-6532. CVE-2014-2684 Christian Mainka and Vladislav Mladenov from the Ruhr-University Bochum reported an error in the consumer
    last seen: 2020-03-17
    modified: 2015-06-22
    plugin id: 84297
    published: 2015-06-22
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/84297
    title: Debian DLA-251-2 : zendframework regression update
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2015-8704.NASL
    description: **Zend Framework 1.12.13** - 567: Cast int and float to string when creating headers **Zend Framework 1.12.12** - 493: PHPUnit not being installed - 511: Add PATCH to the list of allowed methods in Zend_Controller_Request_HttpTestCase - 513: Save time and space when cloning PHPUnit - 515: !IE conditional comments bug - 516: Zend_Locale does not honor parentLocale configuration - 518: Run travis build also on PHP 7 builds - 534: Failing unit test: Zend_Validate_EmailAddressTest::testIdnHostnameInEmail lAddress - 536: Zend_Measure_Number convert some decimal numbers to roman with space char - 537: Extend view renderer controller fix (#440) - 540: Fix PHP 7 BC breaks in Zend_XmlRpc/Amf_Server - 541: Fixed errors in tests on PHP7 - 542: Correctly reset the sub-path when processing routes - 545: Fixed path delimeters being stripped by chain routes affecting later routes - 546: TravisCI: Skip memcache(d) on PHP 5.2 - 547: Session Validators throw
    last seen: 2020-06-05
    modified: 2015-06-02
    plugin id: 83932
    published: 2015-06-02
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/83932
    title: Fedora 22 : php-ZendFramework-1.12.13-1.fc22 (2015-8704)