Vulnerability statistics provide a quick overview of the security vulnerabilities in Zend Framework 1.

The timing information leaks addressed below arise from the normal process of comparing any two strings in PHP.
The nature of the leaks is that strings are often compared byte by byte, with a negative result being returned early as soon as a non-matching byte is detected. The more leading bytes that are equal between both sides of the comparison, the longer it takes for a final result to be returned. Based on the time it takes to return a negative or positive result, an attacker could, over many sampled requests, craft a string that compares positively to a secret string value known only to the target server, simply by guessing the string one byte at a time and measuring each guess's execution time.
This server secret could be a plaintext password or the correct cryptographic signature of a request the attacker wants to execute, such as is used in several open protocols including OpenID and OAuth. This could obviously enable an attacker to gain sufficient information to perform a secondary attack such as masquerading as an authenticated user. This form of attack is known as a Remote Timing Attack. Timing Attacks have been problematic in the past but to date have been very difficult to perform remotely over the internet due to the interference of network jitter which limits their effectiveness in resolving very small timing differences.
While the internet still poses a challenge to performing successful Timing Attacks against a remote server, the increasing use of frameworks on local networks and in cloud computing, where network jitter may be significantly reduced, raises the distinct possibility that remote Timing Attacks will become feasible against ever smaller timing information leaks, such as those leaked when comparing any two strings.
As a precaution, the applied changes implement a fixed-time comparison for several classes which would be attractive targets in any potential remote Timing Attack. A fixed-time comparison function does not leak any timing information useful to an attacker, thus proactively preventing any future vulnerability to these forms of attack. We thank Padraic Brady for his efforts in identifying and patching these vulnerabilities.
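The contrast described above, as an added example that is not Zend Framework's own code: a short-circuiting `===` comparison beside a fixed-time comparison that folds every byte difference into one accumulator. The secret, the signed request string and the forged candidate are constructed sample values.

```php
<?php
// Added example (not Zend Framework code): a leaky comparison beside a
// fixed-time one, as would be used for request signatures or password hashes.

// Leaky: `===` on strings stops at the first differing byte, so the time
// taken grows with the length of the matching prefix.
function leakyCompare($known, $user)
{
    return $known === $user;
}

// Fixed-time: always walks every byte of $known and ORs the XOR of each
// byte pair into $result, so the running time does not depend on where
// the first mismatch is. Only the length of $known is revealed, which is
// public anyway for a fixed-width MAC or hash.
function fixedTimeCompare($known, $user)
{
    if (!is_string($known) || !is_string($user)) {
        return false;
    }
    $lenKnown = strlen($known);
    if ($lenKnown !== strlen($user)) {
        return false;
    }
    $result = 0;
    for ($i = 0; $i < $lenKnown; $i++) {
        $result |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $result === 0;
}

// Constructed sample: an HMAC-style request signature and a forged
// candidate that shares only the first ten hex characters.
$secret   = 'constructed-server-secret';
$expected = hash_hmac('sha256', 'GET /resource?x=1', $secret);
$forged   = substr($expected, 0, 10) . str_repeat('0', strlen($expected) - 10);

var_dump(fixedTimeCompare($expected, $expected));
var_dump(fixedTimeCompare($expected, $forged));

// On PHP >= 5.6 the built-in hash_equals() provides the same guarantee.
if (function_exists('hash_equals')) {
    var_dump(hash_equals($expected, $forged));
}
```

Zend Framework 1 targets PHP versions that predate hash_equals(), which is why a hand-written loop of this shape was the practical fix at the time.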
This API allows developers to query eBay for details on active auctions, using categories or keywords.

Both adapters support PHP constants and can also write configuration files based on configuration objects.

The component provides a simple interface for use with most URL shortening services, defining just the methods "shorten" and "unshorten".

It gives you access to the UserAgent instance, allowing you to query for the device and its capabilities.

The helper ties into the TinySrc API, allowing you to (a) provide device-specific image sizes and formats for your site, and (b) offload generation of those images to this third-party service. The helper creates img tags pointing to the service, and provides options for specifying adaptive sizing and formats. This helper was contributed by Marcin Morawski.