GHSA-JQ87-2WXP-8349

Vulnerability from github – Published: 2024-06-07 20:15 – Updated: 2024-06-07 20:15
Summary
ZendFramework Route Parameter Injection Via Query String in `Zend\Mvc`
Details

In Zend Framework 2, Zend\Mvc\Router\Http\Query is used primarily to allow appending query strings to URLs when they are assembled. However, because it captures every query parameter into the RouteMatch, and because RouteMatch parameters are merged with those of parent routes, it can override parameters already captured by a parent route, bypassing the constraints the parent defined.

As an example, consider the following route definition:

array(
    'user' => array(
        'type' => 'segment',
        'options' => array(
            'route' => '/user/:key',
            'defaults' => array(
                'controller' => 'UserController',
                'action'     => 'show-action',
            ),
            'constraints' => array(
                'key' => '[a-z0-9]+',
            ),
        ),
        'child_routes' => array(
            'query' => array('type' => 'query'),
        ),
    ),
)

If the request URI was /user/foo/?controller=SecretController&key=invalid_value, the RouteMatch returned after routing would contain the following:

array(
    'controller' => 'SecretController',
    'action'     => 'show-action',
    'key'        => 'invalid_value',
)

This would lead to execution of a different controller than intended, with a value for the key parameter that bypassed the constraints outlined in the parent route.
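To make the merge behaviour concrete, here is a small PHP model (added here, not Zend Framework's own code) of the constrained parent Segment route, a child Query route that captures every query parameter, and two merge policies: the overriding merge the advisory describes and a defensive one in which already-captured parent parameters win. The route shape, the key constraint and the SecretController name come from the advisory; the matching functions and the use of array_merge to stand in for the framework's RouteMatch merge are simplifications.

```php
<?php
// Added model of the merge the advisory describes (not Zend Framework code).
// Parent: Segment route /user/:key, key constrained to [a-z0-9]+.
function matchSegmentRoute(string $path): ?array
{
    // The constraint on :key is enforced here, and only here.
    if (!preg_match('#^/user/([a-z0-9]+)/?$#', $path, $m)) {
        return null;
    }
    return ['controller' => 'UserController', 'action' => 'show-action', 'key' => $m[1]];
}

// Child: pre-fix Query route behaviour, every query parameter becomes a route param.
function matchQueryRoute(string $query): array
{
    parse_str($query, $params);
    return $params;
}

// Merge as described in the advisory: array_merge lets child (right-hand) values
// overwrite the parent's, so controller and key from the query string win.
function routeVulnerable(string $uri): ?array
{
    $parts  = parse_url($uri);
    $parent = matchSegmentRoute($parts['path'] ?? '');
    return $parent === null ? null : array_merge($parent, matchQueryRoute($parts['query'] ?? ''));
}

// Defensive merge: '+' keeps left-hand keys, so parameters the parent already
// captured cannot be overridden. Not capturing query parameters into the
// RouteMatch at all removes the override path entirely.
function routeHardened(string $uri): ?array
{
    $parts  = parse_url($uri);
    $parent = matchSegmentRoute($parts['path'] ?? '');
    return $parent === null ? null : $parent + matchQueryRoute($parts['query'] ?? '');
}

$uri = '/user/foo/?controller=SecretController&key=invalid_value';
print_r(routeVulnerable($uri)); // controller/key taken from the query string
print_r(routeHardened($uri));   // controller/key taken from the constrained path match
```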


{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendframework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendframework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-07T20:15:48Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "In Zend Framework 2, `Zend\\Mvc\\Router\\Http\\Query` is used primarily to allow appending query strings to URLs when assembled. However, due to the fact that it captures any query parameters into the RouteMatch, and the fact that RouteMatch parameters are merged with any parent routes, this can lead to overriding already captured routing parameters, bypassing constraints defined in the parents.\n\nAs an example, consider the following route definition:\n```\narray(\n    \u0027user\u0027 =\u003e array(\n        \u0027type\u0027 =\u003e \u0027segment\u0027,\n        \u0027options\u0027 =\u003e array(\n            \u0027route\u0027 =\u003e \u0027/user/:key\u0027,\n            \u0027defaults\u0027 =\u003e array(\n                \u0027controller\u0027 =\u003e \u0027UserController\u0027,\n                \u0027action\u0027     =\u003e \u0027show-action\u0027,\n            ),\n            \u0027constraints\u0027 =\u003e array(\n                \u0027key\u0027 =\u003e \u0027[a-z0-9]+\u0027,\n            ),\n        ),\n        \u0027child_routes\u0027 =\u003e array(\n            \u0027query\u0027 =\u003e array(\u0027type\u0027 =\u003e \u0027query\u0027),\n        ),\n    ),\n)\n```\nIf the request URI was /user/foo/?controller=SecretController\u0026key=invalid_value, the RouteMatch returned after routing would contain the following:\n```\narray(\n    \u0027controller\u0027 =\u003e \u0027SecretController\u0027,\n    \u0027action\u0027     =\u003e \u0027show-action\u0027,\n    \u0027key\u0027        =\u003e \u0027invalid_value\u0027,\n)\n```\nThis would lead to execution of a different controller than intended, with a value for the key parameter that bypassed the constraints outlined in the parent route.",
  "id": "GHSA-jq87-2wxp-8349",
  "modified": "2024-06-07T20:15:48Z",
  "published": "2024-06-07T20:15:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zendframework/commit/0a7ec3407f02db29ea2ffd6daa71ead6fd151cfe"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zendframework/commit/7fcb88ebc2d56f74aa943909f2b6b53f5c86b081"
    },
    {
      "type": "WEB",
      "url": "https://framework.zend.com/security/advisory/ZF2013-01"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/ZF2013-01.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zendframework/zendframework"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ZendFramework Route Parameter Injection Via Query String in `Zend\\Mvc`"
}
