FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Zend Framework -- Local File Inclusion vulnerability in Zend_View::render()

Affected packages
ZendFramework < 1.7.5


VuXML ID cf495fd4-fdcd-11dd-9a86-0050568452ac
Discovery 2009-02-11
Entry 2009-02-18

Matthew Weier O'Phinney reports:

A potential Local File Inclusion (LFI) vulnerability exists in the Zend_View::render() method. If user input is used to specify the script path, then it is possible to trigger the LFI.

Note that Zend Framework applications that never call the Zend_View::render() method with a user-supplied parameter are not affected by this vulnerability.
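
The condition described in the report is user input reaching the script path given to Zend_View::render(). The following is an added example, not code from the advisory or from Zend Framework, showing one application-side way to avoid it: map the request parameter to a fixed allowlist so that input never forms part of the path. The function name resolve_view_script, the allowlist keys and the script paths are hypothetical.

```php
<?php
// Added example: application-side allowlist for view script names.
// The allowlist keys and script paths below are constructed for illustration.

/**
 * Map a user-supplied page key to a fixed view script name.
 * Returns null for anything that is not an exact allowlist key,
 * so user input never becomes part of the path given to render().
 */
function resolve_view_script($requested, array $allowed)
{
    if (!is_string($requested)) {
        return null; // e.g. ?page[]=x arrives as an array, not a string
    }
    // Exact-match lookup only; the input is never normalised or joined to a path.
    return array_key_exists($requested, $allowed) ? $allowed[$requested] : null;
}

$allowed = array(
    'home'    => 'index/home.phtml',
    'contact' => 'index/contact.phtml',
);

// Constructed sample inputs, as they might arrive in $_GET['page'].
$samples = array('home', 'contact', '../../../../etc/passwd', 'home.phtml', array('home'));

foreach ($samples as $input) {
    $script = resolve_view_script($input, $allowed);
    $label  = is_array($input) ? '(array)' : $input;
    if ($script === null) {
        // In the application: respond with 404 and do not call render().
        printf("%-28s -> rejected\n", $label);
    } else {
        // In the application: echo $view->render($script);
        printf("%-28s -> %s\n", $label, $script);
    }
}
```

Only the two allowlisted keys resolve to a script; the traversal string, the unlisted name and the array input are all rejected before any call to render().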