Zend Server 5.6.0 Multiple Remote Script Insertion Defects and Repair - Vulnerability Warning - myhack58

2012-03-13T00:00:00
ID MYHACK58:62201233331
Type myhack58
Reporter Anonymous
Modified 2012-03-13T00:00:00

Description

<!--

Title: Zend Server 5.6.0 Multiple Remote Script Insertion Vulnerabilities

Vendor: Zend Technologies Ltd.

Product home page: http://www.zend.com

Affected version: Zend Server 5.6.0

*Zend Optimizer+ 4.1

*Zend Code Tracing 1.0

*Zend Data Cache 4.0

*Zend Job Queue 4.0

*Zend Debugger 5.3

*Zend Java Bridge 3.1

Summary:

Zend Server is a complete, enterprise-ready Web Application Server for running and managing PHP applications.

Description:

Zend Server and its components suffer from multiple persistent (stored) cross-site scripting vulnerabilities.

The issues are triggered when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. List of parameters and modules that are affected:

---------------------------------------------------------------------------------
      Parameter                                          -- Module/Component
---------------------------------------------------------------------------------
 1.   directives[zend_optimizerplus.blacklist_filename]  -- Zend:Optimizer+
 2.   traceUrl                                           -- Zend:Code Tracing
 3.   host                                               -- Zend:Data Cache
 4.   name                                               -- Zend:Data Cache
 5.   path                                               -- Zend:Data Cache
 6.   ruleName                                           -- Zend:Job Queue
 7.   directives[zend_jbridge.encoding]                  -- Zend:Java Bridge
 8.   directives[zend_debugger.allow_hosts]              -- Zend:Debugger
 9.   directives[zend_debugger.deny_hosts]               -- Zend:Debugger
 10.  directives[zend_codetracing.log_file]              -- Zend:Code Tracing
---------------------------------------------------------------------------------
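As an added illustration (not part of this advisory and not Zend's code), the following Python renders a settings form the way the affected admin pages do, once echoing stored directive values raw and once HTML-encoding them, with a regression check that flags any value reaching the page unencoded. The settings dictionary is constructed sample data that reuses parameter names from the table above.

```python
import html

# Constructed sample of stored settings, using parameter names from the
# advisory above. The angle brackets and quotes are the canary whose fate
# on output we want to check; a safe renderer must neutralise them.
STORED_SETTINGS = {
    "directives[zend_debugger.allow_hosts]": '127.0.0.1/32"><b>canary</b>',
    "traceUrl": "http://app.example/trace?x=<i>canary</i>",
    "host": "cache-01",
}


def render_unsafe(settings):
    """Mirrors the defect: stored values are echoed into the form unencoded."""
    rows = [
        f'<tr><td>{name}</td><td><input name="{name}" value="{value}"></td></tr>'
        for name, value in settings.items()
    ]
    return "<table>" + "".join(rows) + "</table>"


def render_safe(settings):
    """Hardened version: name and value are HTML-encoded (quote=True also
    encodes the double quote, which matters inside an attribute value)."""
    rows = []
    for name, value in settings.items():
        n = html.escape(name, quote=True)
        v = html.escape(value, quote=True)
        rows.append(f'<tr><td>{n}</td><td><input name="{n}" value="{v}"></td></tr>')
    return "<table>" + "".join(rows) + "</table>"


def leaked_settings(page, settings):
    """Regression check: names of settings whose raw value, containing
    markup-significant characters, appears verbatim in the rendered page."""
    return sorted(
        name
        for name, value in settings.items()
        if any(c in value for c in '<>"\'') and value in page
    )


if __name__ == "__main__":
    print("unsafe leaks:", leaked_settings(render_unsafe(STORED_SETTINGS), STORED_SETTINGS))
    print("safe leaks:  ", leaked_settings(render_safe(STORED_SETTINGS), STORED_SETTINGS))
```

Running the check against the real admin pages (with a canary value saved through the settings form of a test instance) is the same idea: a value that comes back byte-for-byte is a value that was never encoded.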

Test platform: Microsoft Windows XP Professional SP3 (EN)

Apache 2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/0.9.8o

PHP 5.3.9-ZS5.6.0

Defect discovery: Gjoko 'LiquidWorm' Krstic

Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5078.php

The Zend announcement: http://www.zend.com/topics/ZS-560-SP1-ReleaseNotes-20120308.txt

http://www.zend.com/en/products/server/updates

22.02.2012

-->

<html>

<title>Zend Server 5.6.0 Multiple Remote Script Insertion Vulnerabilities</title>

<link rel="Shortcut Icon" href="http://zeroscience.mk/favicon.ico" type="image/x-icon">

<body bgcolor="#1C1C1C"><br />

<img style="margin-left:10" src="http://www.2cto.com/uploadfile/2012/0313/20120313111921694.png" height="20%" width="20%">

<script type="text/javascript">

var disclaimer = "This document and all the information it contains are provided \"as is\",\n" +

"for educational purposes only, without warranty of any kind, whether\n" +
