Zend\Session\Validator\RemoteAddr
and Zend\View\Helper\ServerUrl
were found to be improperly parsing HTTP headers for proxy information, which could potentially allow an attacker to spoof a proxied IP or host name.
In Zend\Session\Validator\RemoteAddr
, if the client is behind a proxy server, the detection of the proxy URL was incorrect, and could lead to invalid results on subsequent lookups.
In Zend\View\Helper\ServerUrl
, if the server lives behind a proxy, the helper would always generate a URL based on the proxy host, regardless of whether or not this was desired; additionally, it did not take into account the proxy port or protocol, if provided.
framework.zend.com/security/advisory/ZF2012-04
github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/ZF2012-04.yaml
github.com/zendframework/zendframework
github.com/zendframework/zendframework/commit/1040acaf70d297ec7214934d8ddc3e811d249b5c
github.com/zendframework/zendframework/commit/ad8fdc3378710b7cfbe2a271dbb0e3256cffb599
github.com/zendframework/zendframework/commit/ada1fab92f6d5c7ad96c5a63f3196d925e3f5887
github.com/zendframework/zendframework/commit/b914ecdd4d17ab5b61f15ccdc02a6e9b255b15d8
github.com/zendframework/zendframework/commit/c3819abbf2c9571069c893d27ae6170bda413925
github.com/zendframework/zendframework/commit/cfaf5ea095c93f3e70343358a3a88c3924d7ed7d