Linux Security
    Linux Security
    Linux Security

    RCE ‘Bug’ Found and Disputed in Popular PHP Scripting Framework

    Date 06 Jan 2021
    568
    Posted By Brittany Day
    Cloud Web App

    A high-risk RCE bug impacting PHP-based websites running a vulnerable version of the web-app creation tool Zend Framework and some Laminas Project releases has been discovered and disputed by Zend. Regardless of the dispute, Zend has issued a patch addressing this vulnerability which "provides type checking of the $streamName property before performing a cleanup operation (which results in an unlink() operation, which, previously, could have resulted in an implied call to an an object’s __toString() method) in the Laminas\Http\Response\Stream destructor".

     

    Versions of the popular developer tool Zend Framework and its successor Laminas Project can be abused by an attacker to execute remote code on PHP-based websites, if they are running web-based applications that are vulnerable to attack.

    However, those that maintain Zend Framework emphasize that the conditions under which a web app can be abused first require the application author to write code that is “inherently insecure.” For that reason, the current maintainers of Zend Framework are contesting whether or not the vulnerability classification is correct.

    “We are contesting the vulnerability, and consider our patch a security tightening patch, and not a vulnerability patch,” said Matthew Weier O’Phinney, Zend product owner and principal engineer in an email-based interview with Threatpost.

    Advisories

    LinuxSecurity Poll

    'Tis the season of giving! How have you given back to the open-source community?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/49-tis-the-season-of-giving-how-have-you-given-back-to-the-open-source-community?task=poll.vote&format=json
    49
    radio
    [{"id":"171","title":"I've contributed to the development of an open-source project.","votes":"11","type":"x","order":"1","pct":34.38,"resources":[]},{"id":"172","title":"I've reviewed open-source code for security bugs.","votes":"6","type":"x","order":"2","pct":18.75,"resources":[]},{"id":"173","title":"I've made a donation to an open-source project.","votes":"15","type":"x","order":"3","pct":46.88,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350

    Please vote first in order to view vote results.


    VIEW MORE POLLS

    bottom 200

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.