Zend Framework 1.7.5 has been released, and as always you can download the latest copy of Zend Framework for free from:

http://framework.zend.com/download/latest/

Besides the normal small enhancements and bug fixes that come with an incremental release such as this, there is also a rather important (and somewhat controversial) security fix. This security fix breaks backwards compatibility with the previous version, because it simply must in order to exist. There is, however, a way to turn the security fix off to keep your current applications working in case this change breaks them.

On his blog, Matthew Weier O’Phinney, Software Architect for Zend Framework, writes about this vulnerability in detail:

A user filed an issue report showing a potential Local File Inclusion vulnerability in Zend_View’s setScriptPath() method: if user input were used to specify the script path, then it was possible to trigger the LFI. The vulnerability was completely contrived; no sane developer should ever configure the view script paths using user input. However, it pointed out another very real LFI attack vector.

If you are interested in learning more about this, I suggest that you read his full post. There is also a new manual page that discusses the new LFI protection.
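As an added illustration (not Zend Framework's own code), the PHP sketch below shows the shape of the check the post describes: a view-script name that can be influenced by request data is rejected before any include if it tries to walk out of the configured script path with "../" or "..\", and a flag mirrors the release's option to disable the protection. The ViewScriptResolver class and its method names are assumed for this example.

```php
<?php
// Added example, not Zend Framework code: a minimal view-script resolver
// with an LFI guard of the kind introduced in 1.7.5.

class ViewScriptResolver
{
    private array $scriptPaths = [];
    private bool $lfiProtectionOn = true;

    public function setScriptPath(string $path): void
    {
        // Only application configuration should call this; never derive
        // the script path itself from request data.
        $this->scriptPaths[] = rtrim($path, '/\\') . DIRECTORY_SEPARATOR;
    }

    public function setLfiProtection(bool $flag): void
    {
        // Off switch for applications that rely on the old behaviour.
        $this->lfiProtectionOn = $flag;
    }

    // Returns the path of the script to include, or throws before any
    // file is touched when the name contains parent-directory traversal.
    public function resolve(string $name): string
    {
        if ($this->lfiProtectionOn && preg_match('#\.\.[\\\\/]#', $name)) {
            throw new RuntimeException(
                'Requested script may not include parent directory traversal ("../" or "..\\")'
            );
        }
        foreach ($this->scriptPaths as $dir) {
            $candidate = $dir . $name;
            if (is_readable($candidate)) {
                return $candidate;
            }
        }
        throw new RuntimeException("Script '$name' not found in any script path");
    }
}

// Usage with a constructed request value: basename() strips any directory
// part the client supplied, and the resolver refuses traversal regardless.
$resolver = new ViewScriptResolver();
$resolver->setScriptPath('/var/www/app/views/scripts');   // hypothetical path
$page = 'index/' . basename($_GET['page'] ?? 'home') . '.phtml';
echo $resolver->resolve($page), PHP_EOL;
```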