Monorepo of a fork of Zend Framework 1, with all components split into individual composer packages. PHP 5.3-8.3 compatible.
BSD 3-Clause "New" or "Revised" License
Fix legacy IIS rewrite header vulnerability #197
Open
npo-mmenke opened 1 week ago
Removes the framework's support for the legacy IIS headers HTTP_X_ORIGINAL_URL and HTTP_X_REWRITE_URL, which can potentially be exploited.
Fix/removed in laminas here: https://github.com/laminas/laminas-http/blob/26dd6d1177e25d970058863c2afed12bb9dbff4d/src/PhpEnvironment/Request.php#L464
References:
- https://framework.zend.com/security/advisory/ZF2018-01
- https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers
- https://portswigger.net/research/practical-web-cache-poisoning
- https://portswigger.net/kb/issues/00400f00_request-url-override
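As an added illustration (not code from this fork, from laminas, or from the PR), here is a minimal PHP request-URI resolver in the two forms the PR contrasts: the legacy variant that lets the two IIS override headers replace the URI, and the hardened variant that trusts only `REQUEST_URI`, plus a small check an operator can use to detect requests still carrying those headers. The `$server` array is constructed for the example, and the code sticks to PHP 5.3 syntax to match the project's stated compatibility range.

```php
<?php
// Added example, not the project's own code. It shows why honouring the legacy
// IIS override headers is dangerous: any client can send them, and the URI that
// routing, ACLs and application caches act on then differs from the path the
// web server, reverse proxy or HTTP cache matched and keyed on.

// Legacy resolver: client-supplied override headers win over the real URI.
function resolveRequestUriLegacy(array $server)
{
    if (isset($server['HTTP_X_ORIGINAL_URL'])) {   // IIS URL Rewrite / Mod-Rewrite style
        return $server['HTTP_X_ORIGINAL_URL'];
    }
    if (isset($server['HTTP_X_REWRITE_URL'])) {    // IIS ISAPI_Rewrite style
        return $server['HTTP_X_REWRITE_URL'];
    }
    return isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
}

// Hardened resolver: the override headers are ignored entirely.
function resolveRequestUri(array $server)
{
    return isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
}

// Detection helper (assumed name): returns the override headers present on a
// request so a front controller or middleware can log or reject them.
function findUrlOverrideHeaders(array $server)
{
    $found = array();
    foreach (array('HTTP_X_ORIGINAL_URL', 'HTTP_X_REWRITE_URL') as $key) {
        if (isset($server[$key])) {
            $found[$key] = $server[$key];
        }
    }
    return $found;
}

// Constructed sample request: the edge matched /public/index (the cache key and
// any path-based access rule see that), but a client header asks for /admin.
$server = array(
    'REQUEST_URI'         => '/public/index',
    'HTTP_X_ORIGINAL_URL' => '/admin',
);

echo "legacy  : " . resolveRequestUriLegacy($server) . "\n";
echo "hardened: " . resolveRequestUri($server) . "\n";
foreach (findUrlOverrideHeaders($server) as $name => $value) {
    echo "warning : override header $name present (value: $value)\n";
}
```

The legacy resolver routes the constructed request to `/admin` while everything in front of the application still sees `/public/index`; the hardened resolver keeps the two views consistent, and the detection helper gives operators a signal that a client is still sending the headers.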