ID CVE-2014-8088
Summary The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.
References
Vulnerable Configurations
  • Zend Framework 1.12.0
    cpe:2.3:a:zend:zend_framework:1.12.0
  • Zend Framework 1.12.0 Release Candidate 1
    cpe:2.3:a:zend:zend_framework:1.12.0:rc1
  • Zend Framework 1.12.0 Release Candidate 2
    cpe:2.3:a:zend:zend_framework:1.12.0:rc2
  • Zend Framework 1.12.0 Release Candidate 3
    cpe:2.3:a:zend:zend_framework:1.12.0:rc3
  • Zend Framework 1.12.0 Release Candidate 4
    cpe:2.3:a:zend:zend_framework:1.12.0:rc4
  • cpe:2.3:a:zend:zend_framework:1.12.1
    cpe:2.3:a:zend:zend_framework:1.12.1
  • cpe:2.3:a:zend:zend_framework:1.12.2
    cpe:2.3:a:zend:zend_framework:1.12.2
  • cpe:2.3:a:zend:zend_framework:1.12.3
    cpe:2.3:a:zend:zend_framework:1.12.3
  • cpe:2.3:a:zend:zend_framework:1.12.5
    cpe:2.3:a:zend:zend_framework:1.12.5
  • cpe:2.3:a:zend:zend_framework:1.12.7
    cpe:2.3:a:zend:zend_framework:1.12.7
  • Zend Framework 2.0.0
    cpe:2.3:a:zend:zend_framework:2.0.0
  • cpe:2.3:a:zend:zend_framework:2.01
    cpe:2.3:a:zend:zend_framework:2.01
  • cpe:2.3:a:zend:zend_framework:2.2.2
    cpe:2.3:a:zend:zend_framework:2.2.2
  • cpe:2.3:a:zend:zend_framework:2.2.3
    cpe:2.3:a:zend:zend_framework:2.2.3
  • cpe:2.3:a:zend:zend_framework:2.2.4
    cpe:2.3:a:zend:zend_framework:2.2.4
  • cpe:2.3:a:zend:zend_framework:2.2.5
    cpe:2.3:a:zend:zend_framework:2.2.5
  • cpe:2.3:a:zend:zend_framework:2.2.6
    cpe:2.3:a:zend:zend_framework:2.2.6
  • cpe:2.3:a:zend:zend_framework:2.2.7
    cpe:2.3:a:zend:zend_framework:2.2.7
  • cpe:2.3:a:zend:zend_framework:2.3.0
    cpe:2.3:a:zend:zend_framework:2.3.0
  • cpe:2.3:a:zend:zend_framework:2.3.1
    cpe:2.3:a:zend:zend_framework:2.3.1
  • cpe:2.3:a:zend:zend_framework:2.3.2
    cpe:2.3:a:zend:zend_framework:2.3.2
CVSS
Base: 5.0 (as of 23-10-2014 - 11:01)
Impact:
Exploitability:
CWE CWE-287
CAPEC
  • Authentication Abuse
    An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Utilizing REST's Trust in the System Resource to Register Man in the Middle
    This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to place man in the middle once SSL is terminated. Rest applications premise is that they leverage existing infrastructure to deliver web services functionality. An example of this is a Rest application that uses HTTP Get methods and receives a HTTP response with an XML document. These Rest style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so Rest developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated. Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized user do. There is not typically an authentication on the client side, beyond what is passed in the request itself so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme.
  • Man in the Middle Attack
    This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identify between two components.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3265.NASL
    description Multiple vulnerabilities were discovered in Zend Framework, a PHP framework. Except for CVE-2015-3154, all these issues were already fixed in the version initially shipped with Jessie. - CVE-2014-2681 Lukas Reschke reported a lack of protection against XML External Entity injection attacks in some functions. This fix extends the incomplete one from CVE-2012-5657. - CVE-2014-2682 Lukas Reschke reported a failure to consider that the libxml_disable_entity_loader setting is shared among threads in the PHP-FPM case. This fix extends the incomplete one from CVE-2012-5657. - CVE-2014-2683 Lukas Reschke reported a lack of protection against XML Entity Expansion attacks in some functions. This fix extends the incomplete one from CVE-2012-6532. - CVE-2014-2684 Christian Mainka and Vladislav Mladenov from the Ruhr-University Bochum reported an error in the consumer's verify method that lead to acceptance of wrongly sourced tokens. - CVE-2014-2685 Christian Mainka and Vladislav Mladenov from the Ruhr-University Bochum reported a specification violation in which signing of a single parameter is incorrectly considered sufficient. - CVE-2014-4914 Cassiano Dal Pizzol discovered that the implementation of the ORDER BY SQL statement in Zend_Db_Select contains a potential SQL injection when the query string passed contains parentheses. - CVE-2014-8088 Yury Dyachenko at Positive Research Center identified potential XML eXternal Entity injection vectors due to insecure usage of PHP's DOM extension. - CVE-2014-8089 Jonas Sandstrom discovered a SQL injection vector when manually quoting value for sqlsrv extension, using null byte. - CVE-2015-3154 Filippo Tessarotto and Maks3w reported potential CRLF injection attacks in mail and HTTP headers.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 83748
    published 2015-05-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83748
    title Debian DSA-3265-1 : zendframework - security update
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2014-460.NASL
    description The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind. (CVE-2014-8088) The 1.12.9, 2.2.8, and 2.3.3 releases of the Zend Framework fix a SQL injection issue when using the sqlsrv PHP extension. Full details are available in the upstream advisory. (CVE-2014-8089)
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 79874
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79874
    title Amazon Linux AMI : php-ZendFramework (ALAS-2014-460)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-12676.NASL
    description Security release - ZF2014-05, which mititages null byte poisoning of the password provided for LDAP authentication, thus prevening unauthorized LDAP binding. This corrects for unpatched versions of PHP (versions 5.5.11 and below, 5.4.27 and below, and any prior releases). - ZF2014-06, which mitigates null byte poisoning of quoted SQL values provided to the sqlsrv extension, thus preventing a potential SQL injection vector. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 78494
    published 2014-10-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78494
    title Fedora 21 : php-ZendFramework2-2.3.3-1.fc21 (2014-12676)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2014-216.NASL
    description A vulnerability has been found and corrected in php-ZendFramework : The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind (CVE-2014-8088). The updated packages have been upgraded to the latest ZendFramework (1.12.9) version which is not vulnerable to this issue.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 79366
    published 2014-11-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79366
    title Mandriva Linux Security Advisory : php-ZendFramework (MDVSA-2014:216)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-12418.NASL
    description Contains fixes for two security relevant bugs : - 'ZF2014-05: Anonymous authentication in ldap_bind() function of PHP, using null byte' (http://framework.zend.com/security/advisory/ZF2014-05) - 'ZF2014-06: SQL injection vector when manually quoting values for sqlsrv extension, using null byte' (http://framework.zend.com/security/advisory/ZF2014-06) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 78568
    published 2014-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78568
    title Fedora 20 : php-ZendFramework-1.12.9-1.fc20 (2014-12418)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-251.NASL
    description The previous zendframework upload incorrectly fixes CVE-2015-3154, causing a regression. This update corrects this problem. Thanks to Евгений Смолин (Evgeny Smolin) . CVE-2012-6531 Pádraic Brady identified a weakness to handle the SimpleXMLElement zendframework class, allowing to remote attackers to read arbitrary files or create TCP connections via an XML external entity (XXE) injection attack. CVE-2012-6532 Pádraic Brady found that remote attackers could cause a denial of service by CPU consumption, via recursive or circular references through an XML entity expansion (XEE) attack. CVE-2014-2681 Lukas Reschke reported a lack of protection against XML External Entity injection attacks in some functions. This fix extends the incomplete one from CVE-2012-5657. CVE-2014-2682 Lukas Reschke reported a failure to consider that the libxml_disable_entity_loader setting is shared among threads in the PHP-FPM case. This fix extends the incomplete one from CVE-2012-5657. CVE-2014-2683 Lukas Reschke reported a lack of protection against XML Entity Expansion attacks in some functions. This fix extends the incomplete one from CVE-2012-6532. CVE-2014-2684 Christian Mainka and Vladislav Mladenov from the Ruhr-University Bochum reported an error in the consumer's verify method that lead to acceptance of wrongly sourced tokens. CVE-2014-2685 Christian Mainka and Vladislav Mladenov from the Ruhr-University Bochum reported a specification violation in which signing of a single parameter is incorrectly considered sufficient. CVE-2014-4914 Cassiano Dal Pizzol discovered that the implementation of the ORDER BY SQL statement in Zend_Db_Select contains a potential SQL injection when the query string passed contains parentheses. CVE-2014-8088 Yury Dyachenko at Positive Research Center identified potential XML eXternal Entity injection vectors due to insecure usage of PHP's DOM extension. CVE-2014-8089 Jonas Sandström discovered a SQL injection vector when manually quoting value for sqlsrv extension, using null byte. CVE-2015-3154 Filippo Tessarotto and Maks3w reported potential CRLF injection attacks in mail and HTTP headers. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 84297
    published 2015-06-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84297
    title Debian DLA-251-2 : zendframework regression update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-13302.NASL
    description Security release - ZF2014-05, which mititages null byte poisoning of the password provided for LDAP authentication, thus prevening unauthorized LDAP binding. This corrects for unpatched versions of PHP (versions 5.5.11 and below, 5.4.27 and below, and any prior releases). - ZF2014-06, which mitigates null byte poisoning of quoted SQL values provided to the sqlsrv extension, thus preventing a potential SQL injection vector. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 78713
    published 2014-10-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78713
    title Fedora 20 : php-ZendFramework2-2.3.3-2.fc20 (2014-13302)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-12344.NASL
    description Contains fixes for two security relevant bugs : - 'ZF2014-05: Anonymous authentication in ldap_bind() function of PHP, using null byte' (http://framework.zend.com/security/advisory/ZF2014-05) - 'ZF2014-06: SQL injection vector when manually quoting values for sqlsrv extension, using null byte' (http://framework.zend.com/security/advisory/ZF2014-06) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 78567
    published 2014-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78567
    title Fedora 19 : php-ZendFramework-1.12.9-1.fc19 (2014-12344)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-14043.NASL
    description # Security Fixes - **ZF2014-05**: Due to an issue that existed in PHP's LDAP extension, it is possible to perform an unauthenticated simple bind against a LDAP server by using a null byte for the password, regardless of whether or not the user normally requires a password. We have provided a patch in order to protect users of unpatched PHP versions (PHP 5.5 <= 5.5.11, PHP 5.4 <= 5.4.27, all versions of PHP 5.3 and below). If you use Zend\Ldap and are on an affected version of PHP, we recommend upgrading immediately. - **ZF2014-06**: A potential SQL injection vector existed when using a SQL Server adapter to manually quote values due to the fact that it was not escaping null bytes. Code was added to ensure null bytes are escaped, and thus mitigate the SQLi vector. We do not recommend manually quoting values, but if you do, and use the SQL Server adapter without PDO, we recommend upgrading immediately. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 79090
    published 2014-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79090
    title Fedora 19 : php-ZendFramework2-2.2.8-2.fc19 (2014-14043)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-097.NASL
    description Updated php-ZendFramework packages fix multiple vulnerabilities : XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws were discovered in the Zend Framework. An attacker could use these flaws to cause a denial of service, access files accessible to the server process, or possibly perform other more advanced XML External Entity (XXE) attacks (CVE-2014-2681, CVE-2014-2682, CVE-2014-2683). Using the Consumer component of Zend_OpenId, it is possible to login using an arbitrary OpenID account (without knowing any secret information) by using a malicious OpenID Provider. That means OpenID it is possible to login using arbitrary OpenID Identity (MyOpenID, Google, etc), which are not under the control of our own OpenID Provider. Thus, we are able to impersonate any OpenID Identity against the framework (CVE-2014-2684, CVE-2014-2685). The implementation of the ORDER BY SQL statement in Zend_Db_Select of Zend Framework 1 contains a potential SQL injection when the query string passed contains parentheses (CVE-2014-4914). Due to a bug in PHP's LDAP extension, when ZendFramework's Zend_ldap class is used for logins, an attacker can login as any user by using a null byte to bypass the empty password check and perform an unauthenticated LDAP bind (CVE-2014-8088). The sqlsrv PHP extension, which provides the ability to connect to Microsoft SQL Server from PHP, does not provide a built-in quoting mechanism for manually quoting values to pass via SQL queries; developers are encouraged to use prepared statements. Zend Framework provides quoting mechanisms via Zend_Db_Adapter_Sqlsrv which uses the recommended double single quote ('') as quoting delimiters. SQL Server treats null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection (CVE-2014-8089).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 82350
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82350
    title Mandriva Linux Security Advisory : php-ZendFramework (MDVSA-2015:097)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-12341.NASL
    description Contains fixes for two security relevant bugs : - 'ZF2014-05: Anonymous authentication in ldap_bind() function of PHP, using null byte' (http://framework.zend.com/security/advisory/ZF2014-05) - 'ZF2014-06: SQL injection vector when manually quoting values for sqlsrv extension, using null byte' (http://framework.zend.com/security/advisory/ZF2014-06) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 78786
    published 2014-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78786
    title Fedora 21 : php-ZendFramework-1.12.9-1.fc21 (2014-12341)
refmap via4
bid 70378
confirm http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
debian DSA-3265
fedora
  • FEDORA-2014-12344
  • FEDORA-2014-12418
mlist [oss-security] 20141010 Re: CVE request: Zend Framework ZF2014-05 and ZF2014-06
xf zend-framework-cve20148088-sec-bypass(97038)
Last major update 25-10-2016 - 22:00
Published 22-10-2014 - 10:55
Last modified 03-11-2017 - 21:29
Back to Top