Insufficient SSL verification ZendFramework1

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Insufficient SSL verification ZendFramework1

colin.humphrey
This post has NOT been accepted by the mailing list yet.
Hi dudes,

Recently got a security assessment to complete the remedial actions for this one came up.

Medium Security Issue:
The web application made extensive use of a third-party web service using SOAP messages over HTTPS. During testing it was discovered that the application did not verify the SSL certificate of the web services it connected to.  The application is implemented using the Zend Framework and makes us of the Zend Http Client API for making requests to web services. The default behaviour of this API in version 1 of the Zend Framework is to ignore any SSL certificate errors and continue to connect.  An attacker in a position to perform a Man in the Middle attack or DNS spoofing attack on the application would be able to intercept the SOAP messages between the application and third party. Each SOAP message the application sends to the third party contains an API user id and password. If an attacker were able to recover these credentials they would be able to recover the user credentials for all registered users.  Below are example SOAP requests intercepted from a locally running instance of the application.

Action for issue:
The code should be changed to ensure that the application only connects to third-party web services if the SSL certificate is verified as being trusted.
Zend Framework version 2 introduced a number of extra configuration options to help with the verification of SSL certificates.

Can this be mitigated in ZendFramework 1 easily without an upgrade to ZendFramework 2?

See my thoughts below:
 Change the HTTP adapter from proxy to cURL which inherits from Socket.  This may be more robust.
     * This may carry its own risk as it would require a significant change in the code base rather than a configurational one.
     Link 1: http://framework.zend.com/manual/1.12/en/zend.http.client.adapters.html // Background reading on Zendframework adapters
     Link 2: http://framework.zend.com/manual/1.12/en/zend.http.client.adapters.html#zend.http.client.adapters.socket // Client framework socket adapter do any of these configs look like they may assist?
     Link 3: http://framework.zend.com/manual/1.12/en/zend.http.client.adapters.html#zend.http.client.adapters.curl // cURL adapter ships with cURL options, see link below.  Note the use of CURLOPT_FOLLOWLOCATION here
     Link 4: http://uk3.php.net/curl_setopt // cURL options on php.net.  Also note the use of CURLOPT_FOLLOWLOCATION on this link.   Could setting option CURLOPT_SSL_VERIFYPEER to true be acceptable?
     Link 5: http://framework.zend.com/manual/1.12/en/zend.http.client.adapters.html#zend.http.client.adapters.extending // Creating one's own adapter, maybe out of scope
     Link 6: http://uk3.php.net/curl_setopt#60142 This link seemed quite interesting

Regards,

Colin