Vigil@nce - Zend Framework: bypassing Session Validator
January 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can bypass the Session Validator feature of Zend
Framework in order to access a protected service.
Impacted products: Zend Framework
Severity: 2/4
Creation date: 15/01/2015
DESCRIPTION OF THE VULNERABILITY
The Zend Framework product supports Session Validators which are
used to check the remote address (RemoteAddr) or the client type
(HttpUserAgent).
However, they are not correctly implemented and are ineffective.
An attacker can therefore bypass the Session Validator feature of
Zend Framework in order to access a protected service.
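As an added illustration of what a session validator is meant to enforce (this is not Vigil@nce's or Zend Framework's code), the following framework-independent check binds a plain PHP session to the client address and User-Agent and rejects requests whose values no longer match. It assumes standard `$_SESSION` handling; the key name `__binding` is our own choice.

```php
<?php
// Added example: a session binding check run on every request, independent of
// the framework's own RemoteAddr / HttpUserAgent validators, so that a mismatch
// is still caught even if the framework's validator chain is not applied.
// Assumes plain PHP sessions ($_SESSION); '__binding' is an assumed key name.

const BINDING_KEY = '__binding';

// Values the session is bound to: the client address and a hash of the
// User-Agent string (hashed so an oversized header cannot bloat the session).
function sessionFingerprint(array $server): array
{
    return [
        'addr' => $server['REMOTE_ADDR'] ?? '',
        'ua'   => hash('sha256', $server['HTTP_USER_AGENT'] ?? ''),
    ];
}

// Returns true when the stored binding matches the current request, or when
// the session is new and no binding exists yet (it is recorded in that case).
// hash_equals() compares the UA hash in constant time.
function enforceSessionBinding(array &$session, array $server): bool
{
    $current = sessionFingerprint($server);
    if (!isset($session[BINDING_KEY])) {
        $session[BINDING_KEY] = $current;   // first request of this session
        return true;
    }
    $stored = $session[BINDING_KEY];
    return $stored['addr'] === $current['addr']
        && hash_equals($stored['ua'], $current['ua']);
}

session_start();
if (!enforceSessionBinding($_SESSION, $_SERVER)) {
    // Mismatch: treat the session as stolen. Log it, drop the session, and
    // refuse the request instead of serving the protected resource.
    error_log('session binding mismatch for session ' . session_id());
    $_SESSION = [];
    session_destroy();
    http_response_code(403);
    exit;
}
```

Binding to REMOTE_ADDR will log out legitimate users whose address changes (mobile networks, proxy pools), so behind a reverse proxy use the forwarded client address and consider relaxing the address check rather than the User-Agent check.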
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Zend-Framework-bypassing-Session-Validator-15976