Zend framework security fix may break applications
The Zend developers have released version 1.7.5 of the open source PHP framework. While the release has various minor enhancements and bug fixes, there is an important, and possibly controversial, security bug fix. The fix, to close a hole where local files could be included in rendered output, is to prevent "../" and "..\" from being allowed when passed to the render() method. This is to prevent directory traversal attacks, which could allow an attacker to retrieve
/etc/passwd or some other system file. When the strings are detected being passed, an exception will be thrown.
The controversy comes from the fact that a number of applications actually use the directory traversal mechanism, but without the risk of user input. The Zend developers have therefore added a way of disabling the LFI protection. A blog posting from Matthew Weier O'Phinney, a Zend developer, explains the problem and how to toggle the protection. The Zend documentation has been updated to reflect the changes.