MyOnlineStore / ViesBundle

Symfony bundle for DragonBe/vies
MIT License

Security issues #9

Closed 4c0n closed 5 years ago

4c0n commented 5 years ago

Hi,

This bundle depends on dragonbe/vies version ^1.0. That version has a dependency on an old Zend framework version, that has security issues:

Script security-checker security:check returned with error code 1
Symfony Security Check Report
=============================

1 packages have known vulnerabilities.

zendframework/zendframework1 (1.12.7)
-------------------------------------

 * [CVE-2014-8088][]: Anonymous authentication in ldap_bind() function of PHP, using null byte
 * [CVE-2014-8089][]: SQL injection vector when manually quoting values for sqlsrv extension, using null byte
 * [CVE-2015-3154][]: Potential CRLF injection attacks in mail and HTTP headers
 * [CVE-2015-5161][]: XXE/XEE vector when using ZendXml on multibyte payloads
 * [CVE-2015-5723][]: Filesystem Permissions Issues in Multiple Components
 * [CVE-2016-6233][]: Potential SQL injection in ORDER and GROUP statements of Zend_Db_Select
 * [CVE-NONE-0001][]: Potential SQL injection vector using null byte for PDO (MsSql, SQLite)
 * [CVE-NONE-0002][]: Potential Information Disclosure and Insufficient Entropy vulnerability in Zend\Captcha\Word
 * [CVE-NONE-0003][]: Potential Insufficient Entropy Vulnerability in ZF1
 * [CVE-NONE-0004][]: Potential SQL injection in ORDER and GROUP functions of ZF1

[CVE-2014-8088]: https://framework.zend.com/security/advisory/ZF2014-05
[CVE-2014-8089]: https://framework.zend.com/security/advisory/ZF2014-06
[CVE-2015-3154]: https://framework.zend.com/security/advisory/ZF2015-04
[CVE-2015-5161]: https://framework.zend.com/security/advisory/ZF2015-06
[CVE-2015-5723]: https://framework.zend.com/security/advisory/ZF2015-07
[CVE-2016-6233]: https://framework.zend.com/security/advisory/ZF2016-02
[CVE-NONE-0001]: https://framework.zend.com/security/advisory/ZF2015-08
[CVE-NONE-0002]: https://framework.zend.com/security/advisory/ZF2015-09
[CVE-NONE-0003]: https://framework.zend.com/security/advisory/ZF2016-01
[CVE-NONE-0004]: https://framework.zend.com/security/advisory/ZF2016-03

Note that this checker can only detect vulnerabilities that are referenced in the SensioLabs security advisories database.
Execute this command regularly to check the newly discovered vulnerabilities.

Package zendframework/zendframework1 is abandoned, you should avoid using it. Use zendframework/zendframework instead.

One way to potentially fix the problem seems to be to blacklist version 1.0.1 of the dragonbe/vies package (the dependency on zendframework/zendframework1 appears to have been removed in version 1.0.2).

Also there is a version 2.x available of the dragonbe/vies package. Do you have any plans on releasing a new version of this bundle that uses the new version of the client?

Thanks in advance for your time and effort.
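As an added check that is not part of this issue or of the bundle, the script below audits a composer.lock for the chain described above: dragonbe/vies resolved to 1.0.1 and the abandoned zendframework/zendframework1 pulled in by it. The lock file contents are constructed for the example, and the BLOCKED_VERSIONS and ABANDONED lists and the function names are assumptions of mine, not anything Composer or the bundle defines.

```python
"""Audit a composer.lock for the dependency chain described in the issue."""
import json

# Packages the issue flags: dragonbe/vies 1.0.1 pulls in the abandoned
# zendframework/zendframework1 (the 1.0.2 release dropped that dependency).
BLOCKED_VERSIONS = {"dragonbe/vies": {"1.0.1"}}
ABANDONED = {"zendframework/zendframework1"}

# Constructed sample lock file (not a real project's lock): it models a project
# that resolved dragonbe/vies to 1.0.1 and therefore picked up ZF1 1.12.7.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "dragonbe/vies", "version": "1.0.1",
         "require": {"zendframework/zendframework1": "~1.12"}},
        {"name": "zendframework/zendframework1", "version": "1.12.7",
         "abandoned": "zendframework/zendframework"},
        {"name": "symfony/http-kernel", "version": "v3.4.0"},
    ],
    "packages-dev": [],
})


def normalize(version):
    """Lock files write versions either as 'v1.0.1' or as '1.0.1'."""
    return version[1:] if version.startswith("v") else version


def audit_lock(lock_json):
    """Return (package, version, reason) findings for a composer.lock.

    A package is reported when it is locked to a blocked version, when it is
    on the known-abandoned list, or when the lock entry itself carries the
    'abandoned' marker Composer writes for abandoned packages (assumed here).
    """
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name, version = pkg["name"], normalize(pkg["version"])
            if version in BLOCKED_VERSIONS.get(name, set()):
                findings.append((name, version, "blocked version"))
            if name in ABANDONED or pkg.get("abandoned"):
                findings.append((name, version, "abandoned package"))
    return findings


def pulls_in(lock_json, target):
    """Name the locked packages whose 'require' block lists target."""
    lock = json.loads(lock_json)
    pkgs = lock.get("packages", []) + lock.get("packages-dev", [])
    return sorted(p["name"] for p in pkgs if target in p.get("require", {}))
```

Run it against a real composer.lock after changing the constraint or adding a conflict entry to confirm that zendframework/zendframework1 has actually left the lock file, since the constraint change alone does not prove the resolved tree changed.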

digibeuk commented 5 years ago

Thank you for your contribution! I have merged your PR and made a new release.

We are not planning a new version based on 2.X just yet; this is mainly because we use an old version of PHP, so I cannot test it on a system. When we upgrade I will look into it again!