Security Advisory

ZF2010-07: Potential Security Issues in Bundled Dojo Library

Executive Summary

In mid-March, 2010, the Dojo Foundation issued a Security Advisory indicating potential security issues with specific files in Dojo Toolkit. Details of the advisory may be found on the Dojo website:

In particular, several files in the Dojo tree were identified as having potential exploits, and the Dojo team also advised disabling or removing any PHP scripts in the tree when deploying to production.

Action Taken

Since the files in question have been patched on the Dojo release branches, the only action needed was a new release that contains a new build of Dojo based on the current release branch. In addition, code was added to the Zend Framework Dojo build script to strip out all PHP files as an extra precaution.


This particular vulnerability only affects those users who:

If you fall into one of these categories, we strongly recommend upgrading to the latest available Zend Framework release, or one of the following releases, immediately, and redeploying Dojo from the Dojo packages supplied with Zend Framework:

Alternately, upgrade from official Dojo packages, following the guidelines in the aforementioned advisory from the Dojo Foundation.

Other Information


The Zend Framework team thanks the following for working with us to help protect its users:

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.


Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

Released Thu, 01 Apr 2010 18:00:00 -0500.

back to advisories