Actu
Vigil@nce - Zend framework: Cross Site Scripting of diactoros
August 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can handle links built with diactoros of Zend
framework, in order to change the target of HTML links and perhaps
execute JavaScript code in the context of the web site.
Impacted products: Zend Framework.
Severity: 2/4.
Creation date: 24/06/2015.
DESCRIPTION OF THE VULNERABILITY
The module Diactoros\Uri of Zend framework is used to build URIs.
The scheme or protocol and the authority or server name are
optional, in order to be able to build relative URLs. However, in
this case, if the user provides a path that begins with "//", the
built URI will be wrongly considered as absolute and the user will
be able to create arbitrary links and maybe inject scripts.
An attacker can therefore handle links built with diactoros of
Zend framework, in order to change the target of HTML links and
perhaps execute JavaScript code in the context of the web site.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Zend-framework-Cross-Site-Scripting-of-diactoros-17222
