Zend Framework local file disclosure via XXE injection
Description
The Zend Framework XmlRpc package contains an XML External Entity (XXE) injection vulnerability affecting both server and client implementations. The vulnerability stems from insecure usage of PHP's SimpleXMLElement class when parsing XML data, which allows attackers to inject malicious DOCTYPE declarations containing external entity references. This affects any application using the vulnerable XmlRpc component and can be exploited through specially crafted XML-RPC requests.
Remediation
Upgrade to a patched version of Zend Framework immediately. For Zend Framework 1.x, upgrade to version 1.11.12 or later. For Zend Framework 2.x, upgrade to version 2.0.0 or later. If immediate upgrade is not possible, implement the following mitigations:
1. Disable external entity loading before parsing XML data:
libxml_disable_entity_loader(true); // deprecated since PHP 8.0, where libxml >= 2.9 disables external entity loading by default
2. Configure the XML parser to reject DOCTYPE declarations:
$dom = new DOMDocument(); $dom->loadXML($xml, LIBXML_NONET); // do not pass LIBXML_NOENT or LIBXML_DTDLOAD: those enable entity substitution and DTD loading
if ($dom->doctype !== null) { throw new RuntimeException('DOCTYPE declarations are not permitted'); }
3. Validate and sanitize all XML input from untrusted sources before processing.
4. Review application logs for suspicious XML-RPC requests containing DOCTYPE declarations.
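Mitigations 1 and 2 above combined into one hardened request loader, as an added example that is not Zend Framework's own code; the function name and the two sample requests are constructed for illustration.

```php
<?php
// Added example (not Zend Framework's own code): hardened loader for an
// incoming XML-RPC body that rejects any document carrying a DOCTYPE,
// which is where external entity declarations live.
function loadXmlRpcRequestSafely(string $xml): DOMDocument
{
    // Cheap pre-check: a legitimate XML-RPC payload never needs a DTD.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new RuntimeException('Rejected: DOCTYPE not permitted in XML-RPC');
    }
    // Block external entity loading for the duration of the parse.
    // libxml_disable_entity_loader() is deprecated since PHP 8.0 because
    // libxml >= 2.9 disables external entity loading by default.
    $previous = null;
    if (PHP_VERSION_ID < 80000) {
        $previous = libxml_disable_entity_loader(true);
    }
    $useErrors = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT and
    // LIBXML_DTDLOAD are deliberately NOT set: they would substitute
    // entities and fetch the external DTD, which is the XXE behaviour.
    $loaded = $dom->loadXML($xml, LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($useErrors);
    if ($previous !== null) {
        libxml_disable_entity_loader($previous);
    }

    // Second line of defence: the parsed tree must not contain a DTD node.
    if ($loaded === false || $dom->doctype !== null) {
        throw new RuntimeException('Rejected: malformed XML or DOCTYPE present');
    }
    return $dom;
}

// Constructed sample requests: one benign, one carrying an external entity.
$benign = '<?xml version="1.0"?><methodCall><methodName>status.ping</methodName></methodCall>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY ext SYSTEM "file:///placeholder">]>'
    . '<methodCall><methodName>&ext;</methodName></methodCall>';

foreach ([$benign, $withDtd] as $request) {
    try {
        $dom = loadXmlRpcRequestSafely($request);
        echo 'accepted: ' . $dom->getElementsByTagName('methodName')->item(0)->textContent . "\n";
    } catch (RuntimeException $e) {
        echo $e->getMessage() . "\n";
    }
}
```

The benign request is accepted and its method name printed; the request carrying the DOCTYPE is refused before any entity can be resolved, and a rejected request is exactly what mitigation 4 suggests logging.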