GHSA-mg7h-9qfx-4r83: ZendFramework Potential Proxy Injection Vulnerabilities
Zend\Session\Validator\RemoteAddr and Zend\View\Helper\ServerUrl were found to be improperly parsing HTTP headers for proxy information, which could potentially allow an attacker to spoof a proxied IP or host name.
In Zend\Session\Validator\RemoteAddr, if the client is behind a proxy server, the detection of the proxy URL was incorrect, and could lead to invalid results on subsequent lookups.
In Zend\View\Helper\ServerUrl, if the server lives behind a proxy, the helper would always generate a URL based on the proxy host, regardless of whether or not this was desired; additionally, it did not take into account the proxy port or protocol, if provided.
References
- framework.zend.com/security/advisory/ZF2012-04
- github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/ZF2012-04.yaml
- github.com/advisories/GHSA-mg7h-9qfx-4r83
- github.com/zendframework/zendframework
- github.com/zendframework/zendframework/commit/1040acaf70d297ec7214934d8ddc3e811d249b5c
- github.com/zendframework/zendframework/commit/ad8fdc3378710b7cfbe2a271dbb0e3256cffb599
- github.com/zendframework/zendframework/commit/ada1fab92f6d5c7ad96c5a63f3196d925e3f5887
- github.com/zendframework/zendframework/commit/b914ecdd4d17ab5b61f15ccdc02a6e9b255b15d8
- github.com/zendframework/zendframework/commit/c3819abbf2c9571069c893d27ae6170bda413925
- github.com/zendframework/zendframework/commit/cfaf5ea095c93f3e70343358a3a88c3924d7ed7d
Code Behaviors & Features
Detect and mitigate GHSA-mg7h-9qfx-4r83 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →