ZF2018-01: URL rewrite vulnerability

ZF2018-01: URL Rewrite vulnerability

zend-diactoros (and, by
extension, Expressive),
zend-http (and, by extension,
Zend Framework MVC projects),
and zend-feed (specifically, its
PubSubHubbub sub-component) each contain a potential URL rewrite exploit. In
each case, marshaling a request URI includes logic that introspects HTTP request
headers that are specific to a given server-side URL rewrite mechanism.

When these headers are present on systems not running the specific URL rewriting
mechanism, the logic would still trigger, allowing a malicious client or proxy
to emulate the headers to request arbitrary content.

Action Taken

In each of the affected components, we have removed support for the specific
request headers. Users can provide support within their applications to
re-instate the logic if they are using the specific URL rewrite mechanism; users
are encouraged to filter these headers in their web server prior to any rewrites
to ensure their validity.

The patch resolving the vulnerability is available in:

  • zend-diactoros, 1.8.4
  • zend-http, 2.8.1
  • zend-feed, 2.10.3

Zend Framework MVC, Apigility, and Expressive users will receive relevant
updated components via composer update.

We highly recommend all users of affected projects update immediately.


The Zend Framework team thanks the following for identifying the issues and
working with us to help protect its users:

Source: Zend security feed