Zend\Session\Validator\RemoteAddr and Zend\View\Helper\ServerUrl were found to be improperly parsing HTTP headers for proxy information, which could potentially allow an attacker to spoof a proxied IP or host name.

In Zend\Session\Validator\RemoteAddr, if the client is behind a proxy server, the detection of the proxy URL was incorrect, and could lead to invalid results on subsequent lookups.

In Zend\View\Helper\ServerUrl, if the server lives behind a proxy, the helper would always generate a URL based on the proxy host, regardless of whether or not this was desired; additionally, it did not take into account the proxy port or protocol, if provided.

References

• zendframework/zendframework@1040aca
• zendframework/zendframework@ad8fdc3
• zendframework/zendframework@ada1fab
• zendframework/zendframework@b914ecd
• zendframework/zendframework@c3819ab
• zendframework/zendframework@cfaf5ea
• https://framework.zend.com/security/advisory/ZF2012-04
• https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/ZF2012-04.yaml