Critical severity 9.1 · NVD Advisory · Published Feb 13, 2013 · Updated Apr 29, 2026
CVE-2012-3363
CVE-2012-3363
Description
Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| zendframework/zendframework1 (Packagist) | >= 1.0.0, < 1.11.12 | 1.11.12 |
| zendframework/zendframework1 (Packagist) | >= 1.12.0-rc1, < 1.12.0 | 1.12.0 |
Affected products
cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:* (+ 4 more)
- cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*range: >=1.0.0,<1.11.12
- cpe:2.3:a:zend:zend_framework:1.12.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:zend:zend_framework:1.12.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:zend:zend_framework:1.12.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:zend:zend_framework:1.12.0:rc4:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:17:*:*:*:*:*:*:* (+ 1 more)
- cpe:2.3:o:fedoraproject:fedora:17:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:18:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
Patches
281a3251d71e [ZF-12293] Ensure XML-RPC response does not load entities
4 files changed · +32 −5
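--- a/library/Zend/XmlRpc/Request.php
+++ b/library/Zend/XmlRpc/Request.php
@@ -307,6 +307,7 @@ public function loadXml($request)
         $loadEntities = libxml_disable_entity_loader(true);
         try {
             $xml = new SimpleXMLElement($request);
+            libxml_disable_entity_loader($loadEntities);
         } catch (Exception $e) {
             // Not valid XML
             $this->_fault = new Zend_XmlRpc_Fault(631);
@@ -320,7 +321,6 @@ public function loadXml($request)
             // Missing method name
             $this->_fault = new Zend_XmlRpc_Fault(632);
             $this->_fault->setEncoding($this->getEncoding());
-            libxml_disable_entity_loader($loadEntities);
             return false;
         }
 
@@ -334,7 +334,6 @@ public function loadXml($request)
             if (!isset($param->value)) {
                 $this->_fault = new Zend_XmlRpc_Fault(633);
                 $this->_fault->setEncoding($this->getEncoding());
-                libxml_disable_entity_loader($loadEntities);
                 return false;
             }
 
@@ -345,7 +344,6 @@ public function loadXml($request)
             } catch (Exception $e) {
                 $this->_fault = new Zend_XmlRpc_Fault(636);
                 $this->_fault->setEncoding($this->getEncoding());
-                libxml_disable_entity_loader($loadEntities);
                 return false;
             }
         }
@@ -354,7 +352,6 @@ public function loadXml($request)
             $this->_params = $argv;
         }
 
-        libxml_disable_entity_loader($loadEntities);
         $this->_xml = $request;
         return true;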
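Review bot: The catch block on the `Fault(631)` path still leaves the entity loader switched off: the restore `libxml_disable_entity_loader($loadEntities);` was added inside the try right after the `SimpleXMLElement` constructor, so when the constructor throws on malformed XML the flag is never reset. Response.php in this same commit restores it in both the try and the catch; Request.php should match by adding `libxml_disable_entity_loader($loadEntities);` as the first statement of that catch. Leaving the loader disabled is the safe direction, but it is process-wide libxml state, so it would silently change behaviour for any later XML consumer in the same request that legitimately loads a local DTD. loadXml continues outside the hunk; the removals in the later hunks are correct only because the restore now happens before any of those return paths.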
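--- a/library/Zend/XmlRpc/Response.php
+++ b/library/Zend/XmlRpc/Response.php
@@ -176,11 +176,15 @@ public function loadXml($response)
             return false;
         }
 
+        // @see ZF-12293 - disable external entities for security purposes
+        $loadEntities = libxml_disable_entity_loader(true);
+        $useInternalXmlErrors = libxml_use_internal_errors(true);
         try {
-            $useInternalXmlErrors = libxml_use_internal_errors(true);
             $xml = new SimpleXMLElement($response);
+            libxml_disable_entity_loader($loadEntities);
             libxml_use_internal_errors($useInternalXmlErrors);
         } catch (Exception $e) {
+            libxml_disable_entity_loader($loadEntities);
             libxml_use_internal_errors($useInternalXmlErrors);
             // Not valid XML
             $this->_fault = new Zend_XmlRpc_Fault(651);
@@ -205,6 +209,7 @@ public function loadXml($response)
         try {
             if (!isset($xml->params) || !isset($xml->params->param) || !isset($xml->params->param->value)) {
+                require_once 'Zend/XmlRpc/Value/Exception.php';
                 throw new Zend_XmlRpc_Value_Exception('Missing XML-RPC value in XML');
             }
             $valueXml = $xml->params->param->value->asXML();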
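Review bot: The new comment `// @see ZF-12293 - disable external entities for security purposes` explains why the loader is disabled but not why the restore is duplicated in the try and the catch, which is exactly the part a later editor is likely to "tidy" into a single call and thereby reintroduce the leak on the exception path. I would extend it to `// @see ZF-12293 - disable external entity loading while parsing; the flag is process-wide, so restore it on every exit path (no finally in the supported PHP range)`, the last clause assuming this branch still targets PHP versions without `finally`. Moving the `libxml_use_internal_errors(true)` save out of the try is also what makes `$useInternalXmlErrors` defined in the catch, and a one-line note saying so would stop someone moving it back. loadXml's body continues outside both hunks.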
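--- /dev/null
+++ b/tests/Zend/XmlRpc/_files/ZF12293-response.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0"?>
+<!DOCTYPE foo [
+<!ELEMENT methodResponse ANY >
+<!ENTITY xxe SYSTEM "%s" >
+]>
+<methodResponse>
+    <params>
+        <param><value><string>&xxe;</string></value></param>
+    </params>
+</methodResponse>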
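--- a/tests/Zend/XmlRpc/ResponseTest.php
+++ b/tests/Zend/XmlRpc/ResponseTest.php
@@ -252,4 +252,19 @@ public function trackError($error)
     {
         $this->_errorOccured = true;
     }
+
+    /**
+     * @group ZF-12293
+     */
+    public function testDoesNotAllowExternalEntities()
+    {
+        $payload = file_get_contents(dirname(__FILE__) . '/_files/ZF12293-response.xml');
+        $payload = sprintf($payload, 'file://' . realpath(dirname(__FILE__) . '/_files/ZF12293-payload.txt'));
+        $this->_response->loadXml($payload);
+        $value = $this->_response->getReturnValue();
+        $this->assertTrue(empty($value));
+        if (is_string($value)) {
+            $this->assertNotContains('Local file inclusion', $value);
+        }
+    }
 }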
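Review bot: `realpath()` on `_files/ZF12293-payload.txt` returns `false` when that file is absent, and the four files in this commit's diffstat do not include it, so unless it already exists in the tree the entity URL collapses to `file://` and the test passes without ever exercising a file read. Add `$this->assertFileExists(dirname(__FILE__) . '/_files/ZF12293-payload.txt');` before building the payload so a missing fixture fails loudly instead of masking a regression. The `if (is_string($value))` branch is also dead after `assertTrue(empty($value))`: a string that satisfies `empty()` cannot contain `'Local file inclusion'`, so one of the two assertions should go. Consider asserting on `loadXml()`'s return value or the fault state as well, so a parse failure is distinguishable from a successful parse that simply yielded no value.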
References (15)
- framework.zend.com/security/advisory/ZF2012-01 — nvd: Vendor Advisory, WEB
- www.securitytracker.com/id — nvd: Broken Link, Third Party Advisory, VDB Entry, WEB
- github.com/advisories/GHSA-7pg4-5233-82jv — ghsa: ADVISORY
- moodle.org/mod/forum/discuss.php — nvd: Third Party Advisory, WEB
- nvd.nist.gov/vuln/detail/CVE-2012-3363 — ghsa: ADVISORY
- lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html — nvd: Mailing List, WEB
- lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html — nvd: Mailing List, WEB
- openwall.com/lists/oss-security/2013/03/25/2 — nvd: Mailing List, WEB
- www.debian.org/security/2012/dsa-2505 — nvd: Mailing List, WEB
- www.openwall.com/lists/oss-security/2012/06/26/2 — nvd: Mailing List, WEB
- www.openwall.com/lists/oss-security/2012/06/26/4 — nvd: Mailing List, WEB
- www.openwall.com/lists/oss-security/2012/06/27/2 — nvd: Mailing List, WEB
- github.com/zendframework/zf1/commit/281a3251d71ed40a5289ec4afc355eea8e014dc5 — ghsa: WEB
- web.archive.org/web/20170223044943/http://www.securitytracker.com/id — ghsa: WEB
- www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt — nvd: Broken Link, WEB