Monthly Archives: January 2013

Zend Framework 1.12.1 includes protection from cross-site request fogery

Recently, I upgraded from ZF 1.11.9 to 1.12.1, and I discovered that requests from a friendly MS IIS web server were not working. I am using ZF as an API backend and MS IIS as a friendly frontend. The problem was that ZF refused to honor the REDIRECT_URL and overrode REDIRECT_URL with HTTP_X_ORIGINAL_URL. The simple fix was to place the following code in the ZF bootstrap.

$_SERVER[‘HTTP_X_ORIGINAL_URL’] = $_SERVER[‘REDIRECT_URL’];

Red Hat reported a problem with XSS flaws (see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4451), and the problem was fixed in ZF 2 and ZF 1. However, it created a problem for me.