PT-2012-59: XML External Entity Injection in Zend Framework
Version: 1.12.0; 1.1.13 and earlier
Severity level: Medium
Impact: XML External Entity Injection (XXE)
Access Vector: Remote
Base Score: 6.4
CVE: not assigned
Zend Framework is an object-oriented library of components used to develop web applications in PHP.
Specialists of the Positive Research Center have detected an XXE Injection vulnerability in Zend Framework.
XXE Injection is possible during the import of RSS documents in Zend Framework. An attacker is able to read an arbitrary file on the target system.
How to fix
Update your software to the latest version.
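As an added illustration of the defensive side of this class of bug (example code, not Zend Framework's own code and not the fix the vendor shipped), the following Python parser extracts item titles from an RSS body while refusing any DOCTYPE, entity declaration or external entity reference, which is exactly the markup an XXE payload needs and a legitimate RSS feed never carries. It uses only the standard-library expat bindings; the two feed samples are constructed for the example, and the `file:///placeholder/local/file` URI is a placeholder, not a real target.

```python
"""Hardened RSS title extraction that refuses DOCTYPE and entity markup.

Added illustration (not Zend Framework code): the expat hooks below reject a
feed before any external entity could be resolved. Feed samples are constructed.
"""
import xml.parsers.expat as expat


class UnsafeFeedError(ValueError):
    """Raised when a feed carries markup an RSS document never needs."""


def parse_rss_titles(xml_bytes: bytes) -> list:
    """Return the <title> text of each <item>; raise UnsafeFeedError on DOCTYPE/entities."""
    titles, stack, buf = [], [], []
    p = expat.ParserCreate()

    # RSS has no use for a DOCTYPE, and the DOCTYPE is the only place entities
    # can be declared, so reject it outright rather than filtering entity kinds.
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeFeedError("DOCTYPE declaration rejected: %r" % name)

    # Belt and braces: also refuse any entity declaration and any external
    # entity reference, and never fetch parameter entities or external DTDs.
    def reject_entity(name, *_):
        raise UnsafeFeedError("entity declaration rejected: %r" % name)

    def reject_external_ref(context, base, sysid, pubid):
        raise UnsafeFeedError("external entity reference rejected: %r" % sysid)

    p.StartDoctypeDeclHandler = reject_doctype
    p.EntityDeclHandler = reject_entity
    p.ExternalEntityRefHandler = reject_external_ref
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    # Plain element tracking: collect character data of <item><title> only.
    def start(name, attrs):
        stack.append(name)
        buf.clear()

    def chars(data):
        buf.append(data)  # expat may deliver text in several chunks

    def end(name):
        if name == "title" and len(stack) >= 2 and stack[-2] == "item":
            titles.append("".join(buf).strip())
        stack.pop()

    p.StartElementHandler = start
    p.CharacterDataHandler = chars
    p.EndElementHandler = end
    p.Parse(xml_bytes, True)
    return titles


# Constructed samples: a normal feed and one carrying an entity declaration.
SAFE_FEED = b"""<?xml version="1.0"?>
<rss version="2.0"><channel><title>Blog</title>
<item><title>Release notes</title></item>
<item><title>Tips &amp; tricks</title></item>
</channel></rss>"""

UNSAFE_FEED = b"""<?xml version="1.0"?>
<!DOCTYPE rss [<!ENTITY ext SYSTEM "file:///placeholder/local/file">]>
<rss version="2.0"><channel><item><title>&ext;</title></item></channel></rss>"""


def check_feed(xml_bytes: bytes):
    """Return ("ok", titles) or ("rejected", reason) for a feed body."""
    try:
        return "ok", parse_rss_titles(xml_bytes)
    except UnsafeFeedError as e:
        return "rejected", str(e)


if __name__ == "__main__":
    print(check_feed(SAFE_FEED))    # ("ok", ["Release notes", "Tips & tricks"])
    print(check_feed(UNSAFE_FEED))  # ("rejected", "DOCTYPE declaration rejected: 'rss'")
```

Predefined entities such as `&amp;` are handled by the parser itself and never reach `EntityDeclHandler`, so ordinary feeds parse unchanged; the rejection in the unsafe case fires at the DOCTYPE, before the declared entity could ever be expanded. The same policy (no DOCTYPE, no entity expansion, no network access) is what the corresponding `libxml` options achieve in a PHP application.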
13.12.2012 - Vendor is notified
13.12.2012 - Vendor gets vulnerability details
17.12.2012 - Vendor releases fixed version and details
05.02.2013 - Public disclosure
The vulnerability was discovered by Yury Dyachenko, Positive Research Center (Positive Technologies Company).