Detections
Analytics
Zend Framework < 2.0.8 / 2.1.x < 2.1.4 Multiple Vulnerabilities
high Nessus Network Monitor Plugin ID 9146
Synopsis
The remote host is using a version of Zend Framework that is vulnerable to multiple attack vectors.Description
Versions of Zend Framework earlier than 2.0.8, or 2.1.x earlier than 2.1.4 are exposed to the following issues :- A flaw exists that may allow an attacker to carry out an SQL injection attack. The issue is due to 'Zend\Db\Adapter\Platform' not properly sanitizing user-supplied input to the 'quoteValue()' and 'quoteValueList()' methods. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
- A flaw that is due to 'Zend\Validate\Csrf' using the cryptographically weak 'mt_rand' function as a way to generate predictable CSRF tokens. This may allow a remote attacker to conduct a seed recovery attack to more easily gain access to the application.
- A flaw exists in 'Zend\Mvc'. The issue is triggered during the parsing of query parameters, which may allow a remote attacker to change routing parameters already captured in RouteMatch.
Solution
Upgrade Zend Framework to version 2.1.4 or later. If version 2.1.x is not available, version 2.0.8 is also patched for these vulnerabilities.See Also
http://framework.zend.com/changelog/2.1.4
http://framework.zend.com/security/advisory/ZF2013-03