Impacted are PHP-based websites running a vulnerable version of the web-app creation tool Zend Framework and some Laminas Project releases.

Versions of the popular developer tool Zend Framework and its successor, the Laminas Project, can be abused by an attacker to execute code remotely on PHP-based websites, provided the web applications running on them are themselves written in a way that leaves them vulnerable.

However, the maintainers of Zend Framework emphasize that a web app can only be abused if its author has first written code that is “inherently insecure.” For that reason, the current maintainers are contesting whether the classification as a vulnerability is correct.

“We are contesting the vulnerability, and consider our patch a security tightening patch, and not a vulnerability patch,” said Matthew Weier O’Phinney, Zend product owner and principal engineer, in an email-based interview with Threatpost.

**Impacted Versions of Zend Framework**

Impacted are Zend Framework version 3.0.0 and Laminas Project laminas-http before 2.14.2; an estimated “several million websites” use the framework and are potentially affected. The Laminas Project, the new maintainer of Zend Framework, falls within the Linux Foundation’s open-source collaborative ecosystem.

The bug was publicly disclosed Monday by cybersecurity researcher Ling Yizhou, who also published two proof-of-concept attack scenarios. The bug, tracked as CVE-2021-3007, does not have a severity rating listed with MITRE. However, it is rated “high risk” by others within the cybersecurity community.

Zend Framework reached end of life on Dec. 31, 2019, after which it was folded into the Laminas Project. According to the maintainers, Zend Framework and the Laminas Project are equivalent.

“The project is a collection of individual components, each versioned separately. As such, ‘3.0’ refers to a handful of core components that were tagged with version 3 releases, many of which have evolved significantly from then,” O’Phinney told Threatpost.

RCE 'Bug' Found and Disputed in Popular PHP Scripting Framework