Mandriva Linux Security Advisory 2015-097 - XML eXternal Entity flaws were discovered in the Zend Framework. An attacker could use these flaws to cause a denial of service, access files accessible to the server process, or possibly perform other more advanced XML External Entity attacks. Using the Consumer component of Zend_OpenId, it is possible to login using an arbitrary OpenID account (without knowing any secret information) by using a malicious OpenID Provider. That means OpenID it is possible to login using arbitrary OpenID Identity (MyOpenID, Google, etc), which are not under the control of our own OpenID Provider. Thus, we are able to impersonate any OpenID Identity against the framework ,. The implementation of the ORDER BY SQL statement in Zend_Db_Select of Zend Framework 1 contains a potential SQL injection when the query string passed contains parentheses. Due to a bug in PHP's LDAP extension, when ZendFramework's Zend_ldap class is used for logins, an attacker can login as any user by using a null byte to bypass the empty password check and perform an unauthenticated LDAP bind. The sqlsrv PHP extension, which provides the ability to connect to Microsoft SQL Server from PHP, does not provide a built-in quoting mechanism for manually quoting values to pass via SQL queries; developers are encouraged to use prepared statements. Zend Framework provides quoting mechanisms via Zend_Db_Adapter_Sqlsrv which uses the recommended double single quote as quoting delimiters. SQL Server treats null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection.
dbd355d47d2272372963e41921faec57d94a89afaed8462832c6a5dd1b7b545c-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:097
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : php-ZendFramework
Date : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated php-ZendFramework packages fix multiple vulnerabilities:
XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws were
discovered in the Zend Framework. An attacker could use these flaws
to cause a denial of service, access files accessible to the server
process, or possibly perform other more advanced XML External Entity
(XXE) attacks (CVE-2014-2681, CVE-2014-2682, CVE-2014-2683).
Using the Consumer component of Zend_OpenId, it is possible to
login using an arbitrary OpenID account (without knowing any secret
information) by using a malicious OpenID Provider. That means OpenID it
is possible to login using arbitrary OpenID Identity (MyOpenID, Google,
etc), which are not under the control of our own OpenID Provider. Thus,
we are able to impersonate any OpenID Identity against the framework
(CVE-2014-2684, CVE-2014-2685).
The implementation of the ORDER BY SQL statement in Zend_Db_Select
of Zend Framework 1 contains a potential SQL injection when the query
string passed contains parentheses (CVE-2014-4914).
Due to a bug in PHP's LDAP extension, when ZendFramework's Zend_ldap
class is used for logins, an attacker can login as any user by
using a null byte to bypass the empty password check and perform an
unauthenticated LDAP bind (CVE-2014-8088).
The sqlsrv PHP extension, which provides the ability to connect to
Microsoft SQL Server from PHP, does not provide a built-in quoting
mechanism for manually quoting values to pass via SQL queries;
developers are encouraged to use prepared statements. Zend Framework
provides quoting mechanisms via Zend_Db_Adapter_Sqlsrv which uses
the recommended double single quote ('') as quoting delimiters. SQL
Server treats null bytes in a query as a string terminator, allowing
an attacker to add arbitrary SQL following a null byte, and thus
create a SQL injection (CVE-2014-8089).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2681
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2682
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2683
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2684
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2685
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8088
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8089
http://advisories.mageia.org/MGASA-2014-0151.html
http://advisories.mageia.org/MGASA-2014-0311.html
http://advisories.mageia.org/MGASA-2014-0434.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
02c3b9ebdbe452af6df77ddaf6ca70f4 mbs2/x86_64/php-ZendFramework-1.12.9-1.mbs2.noarch.rpm
7ee9abec95d67fac97b10885f2dfd177 mbs2/x86_64/php-ZendFramework-Cache-Backend-Apc-1.12.9-1.mbs2.noarch.rpm
f2350b242c7b25969be3c4d3bfc46bd0 mbs2/x86_64/php-ZendFramework-Cache-Backend-Memcached-1.12.9-1.mbs2.noarch.rpm
c6635e6de414967f9f0b412a8b9ff952 mbs2/x86_64/php-ZendFramework-Captcha-1.12.9-1.mbs2.noarch.rpm
177c35ecd6b3fff97533e8420ba61ba0 mbs2/x86_64/php-ZendFramework-demos-1.12.9-1.mbs2.noarch.rpm
55d294c2c615919e2510e92f3ba75a97 mbs2/x86_64/php-ZendFramework-Dojo-1.12.9-1.mbs2.noarch.rpm
7746384bf97f55a83d2496704576efed mbs2/x86_64/php-ZendFramework-extras-1.12.9-1.mbs2.noarch.rpm
aac972c659c681b0334a98c5d2999134 mbs2/x86_64/php-ZendFramework-Feed-1.12.9-1.mbs2.noarch.rpm
f2675cbbeabf8da77e51e9bb155dad67 mbs2/x86_64/php-ZendFramework-Gdata-1.12.9-1.mbs2.noarch.rpm
cde54247acb864f63e957c55e3688c42 mbs2/x86_64/php-ZendFramework-Pdf-1.12.9-1.mbs2.noarch.rpm
525f594e3b2d939163d898debd94a77e mbs2/x86_64/php-ZendFramework-Search-Lucene-1.12.9-1.mbs2.noarch.rpm
f90cc7d553dc697b77c4ece07b53ce71 mbs2/x86_64/php-ZendFramework-Services-1.12.9-1.mbs2.noarch.rpm
22be7f86bf806cca47ab64edd9d2d2eb mbs2/x86_64/php-ZendFramework-tests-1.12.9-1.mbs2.noarch.rpm
2b72d33582d8ec662cebcad5ba58fce7 mbs2/SRPMS/php-ZendFramework-1.12.9-1.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFVFnlJmqjQ0CJFipgRAjaEAKDzxIBZeklYyKqSbiDpdO3pLGPxugCgkJ8t
PwkLG01bbegH7ISNqzJezXU=
=IXGe
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed