Flaw In Symfony Allows Unauthorized Access To Web Apps


London-based PHP developer Jakub Zalas has found a critical flaw in the Symfony PHP web framework that could have allowed attackers to gain unauthorized access to web apps that have support for SSI (Server-Side Includes) and ESI (Edge Side Includes) enabled.

ABOUT SYMFONY

Symfony is a PHP web application framework that aims to speed up the creation and maintenance of web applications by replacing repetitive coding tasks.
Affected Versions: The list of vulnerable versions is extensive and includes 2.3.19 – 2.3.28, 2.4.9 – 2.4.10, 2.5.4 – 2.5.11, and 2.6.0 through 2.6.7.
The vulnerability can be exploited by an attacker to bypass URL signing and security rules, Fabien Potencier said in a security advisory.
“A malicious user can call any controller via the /_fragment path by providing an invalid hash in the URL (or removing it), bypassing URL signing and security rules.”
FragmentListener throws an AccessDeniedHttpException when the URL is not signed correctly. However, the ExceptionListener class triggers the kernel events again by making a sub-request, and since the FragmentListener does not check signatures on sub-requests, the controller is called even though the original request was forbidden. As a result the user receives a 403 response whose body was generated by the controller.
Symfony developers have released fixes in versions 2.3.29, 2.5.12, and 2.6.8. Since Symfony 2.4 is no longer maintained, there is no patch for version 2.4.
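To make the mechanism concrete, here is an added, simplified Python model of the listener interplay described above; it is not Symfony's code, and the hex HMAC signing, the request dictionaries, the `fixed` switch and the controller names are assumptions. It shows why verifying the signature only on the master request is not enough once the exception handling dispatches a sub-request that still carries the attacker-controlled `_path`.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs

SECRET = b"constructed-demo-secret"   # constructed sample value, not a real key
FRAGMENT_PATH = "/_fragment"


def fragment_uri(controller: str) -> str:
    """Unsigned fragment URI: the controller name travels inside the `_path` query parameter."""
    return FRAGMENT_PATH + "?" + urlencode({"_path": urlencode({"_controller": controller})})


def sign(uri: str) -> str:
    """Append `_hash`, an HMAC-SHA256 over the unsigned URI (simplified stand-in for URL signing)."""
    return uri + "&_hash=" + hmac.new(SECRET, uri.encode(), hashlib.sha256).hexdigest()


def check(uri: str) -> bool:
    """True only when a `_hash` is present and matches the rest of the URI."""
    if "&_hash=" not in uri:
        return False                      # hash removed from the URL
    unsigned, given = uri.rsplit("&_hash=", 1)
    expected = hmac.new(SECRET, unsigned.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(given, expected)


class AccessDenied(Exception):
    """Stand-in for AccessDeniedHttpException (HTTP 403)."""


def fragment_listener(request: dict, is_master: bool, fixed: bool) -> None:
    """Model of the fragment listener; request = {'uri': str, 'attributes': dict}."""
    path, _, query = request["uri"].partition("?")
    if path != FRAGMENT_PATH:
        return
    if fixed and "_controller" in request["attributes"]:
        return   # fix: an already-routed sub-request never gets `_path` re-applied over its controller
    if is_master and not check(request["uri"]):
        raise AccessDenied()              # vulnerable version: only the master request is checked
    inner = parse_qs(query).get("_path", [""])[0]
    request["attributes"].update({k: v[0] for k, v in parse_qs(inner).items()})


def handle(uri: str, fixed: bool) -> tuple:
    """Model of the kernel: returns (HTTP status, controller that actually produced the body)."""
    request = {"uri": uri, "attributes": {}}
    try:
        fragment_listener(request, is_master=True, fixed=fixed)
        return 200, request["attributes"]["_controller"]
    except AccessDenied:
        # Exception handling: duplicate the request, point it at the exception controller,
        # dispatch it as a sub-request, then force the status back to the exception's 403.
        sub = {"uri": uri, "attributes": {"_controller": "exception_controller"}}
        fragment_listener(sub, is_master=False, fixed=fixed)
        return 403, sub["attributes"]["_controller"]
```

With `fixed=False` an unsigned fragment URI still yields a 403 whose body comes from the requested controller; with `fixed=True` the sub-request keeps the exception controller.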
