I recently got a security assessment to complete the remedial actions for, and this one came up.
Medium Security Issue:
The web application made extensive use of a third-party web service using SOAP messages over HTTPS. During testing it was discovered that the application did not verify the SSL certificate of the web services it connected to. The application is implemented using the Zend Framework and makes use of the Zend Http Client API for making requests to web services. The default behaviour of this API in version 1 of the Zend Framework is to ignore any SSL certificate errors and continue to connect. An attacker in a position to perform a man-in-the-middle attack or DNS spoofing attack on the application would be able to intercept the SOAP messages between the application and the third party. Each SOAP message the application sends to the third party contains an API user id and password. If an attacker were able to recover these credentials, they would be able to recover the user credentials for all registered users. Below are example SOAP requests intercepted from a locally running instance of the application.
Action for issue: The code should be changed to ensure that the application only connects to third-party web services if the SSL certificate is verified as being trusted.
Zend Framework version 2 introduced a number of extra configuration options to help with the verification of SSL certificates.
Can this be mitigated in Zend Framework 1 easily without an upgrade to Zend Framework 2?
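One way to enforce certificate verification on Zend_Http_Client in Zend Framework 1, added here as an example and not code from the original post or from the Zend project: it passes PHP SSL stream-context options through the Socket adapter's setStreamContext() so that an untrusted chain or a hostname mismatch aborts the connection instead of proceeding. The CA bundle path, the service URL and the SOAP body are placeholders, and the client is assumed to be Zend_Http_Client rather than PHP's native SoapClient.

```php
<?php
// Added example (not from the original post or Zend Framework): making
// Zend_Http_Client (ZF1) refuse connections whose TLS certificate does not verify.
require_once 'Zend/Http/Client.php';
require_once 'Zend/Http/Client/Adapter/Socket.php';

$caBundle   = '/etc/ssl/certs/ca-certificates.crt'; // placeholder: CA bundle that issued the third party's cert
$serviceUrl = 'https://webservice.example/soap';    // placeholder: third-party SOAP endpoint
$soapBody   = '<?xml version="1.0"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            . '<soap:Body/></soap:Envelope>';        // constructed sample request

$host = parse_url($serviceUrl, PHP_URL_HOST);

// Stream-context options for PHP's ssl:// transport. Without these (the ZF1
// default), PHP before 5.6 validates neither the chain nor the hostname.
$ssl = array(
    'verify_peer'       => true,      // chain must validate against cafile
    'cafile'            => $caBundle,
    'allow_self_signed' => false,
);
if (version_compare(PHP_VERSION, '5.6.0', '>=')) {
    $ssl['verify_peer_name'] = true;  // hostname check, PHP >= 5.6
    $ssl['peer_name']        = $host;
} else {
    $ssl['CN_match']         = $host; // hostname check, PHP < 5.6
}

$adapter = new Zend_Http_Client_Adapter_Socket();
$adapter->setStreamContext(array('ssl' => $ssl));

$client = new Zend_Http_Client($serviceUrl, array('timeout' => 30));
$client->setAdapter($adapter);
$client->setHeaders('Content-Type', 'text/xml; charset=utf-8');
$client->setHeaders('SOAPAction', '""');
$client->setRawData($soapBody, 'text/xml');

try {
    $response = $client->request(Zend_Http_Client::POST);
    echo 'HTTP ' . $response->getStatus() . "\n";
} catch (Zend_Http_Client_Adapter_Exception $e) {
    // A certificate that fails verification now surfaces as a connect error
    // before any SOAP payload (and the embedded API credentials) is sent.
    // Treat it as a hard failure and alert on it; do not fall back to plain HTTP.
    error_log('TLS verification failed for ' . $host . ': ' . $e->getMessage());
    exit(1);
}
```

If the application uses the Curl adapter instead, the equivalent configuration is the 'curloptions' key with CURLOPT_SSL_VERIFYPEER set to true, CURLOPT_SSL_VERIFYHOST set to 2 and CURLOPT_CAINFO pointing at the same bundle. Confirm the fix by pointing the client at an endpoint presenting a self-signed or wrong-hostname certificate and checking that the request throws rather than returning a response.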