Описание
Symfony Allows URI Restrictions Bypass Via Double-Encoded String
On the Symfony 2.0.x version, there's a security issue that allows access to routes protected by a firewall even when the user is not logged in.
Both the Routing component and the Security component uses the path returned by getPathInfo() to match a Request. The getPathInfo() returns a decoded path, but the Routing component (Symfony\Component\Routing\Matcher\UrlMatcher) decodes the path a second time; whereas the Security component, Symfony\Component\HttpFoundation\RequestMatcher, does not.
This difference causes Symfony 2.0 to be vulnerable to double encoding attacks.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2012-6431
- https://github.com/symfony/symfony/commit/55014a6841bec50046e8329a4835c160ac31a496
- https://github.com/symfony/symfony/commit/8b2c17f80377582287a78e0b521497e039dd6b0d
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2012-6431.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/routing/CVE-2012-6431.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2012-6431.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2012-6431.yaml
- https://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released
- http://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released
Пакеты
symfony/http-foundation
>= 2.0.0, < 2.0.19
2.0.19
symfony/routing
>= 2.0.0, < 2.0.19
2.0.19
symfony/security
>= 2.0.0, < 2.0.19
2.0.19
symfony/symfony
>= 2.0.0, < 2.0.19
2.0.19
Связанные уязвимости
Symfony 2.0.x before 2.0.20 does not process URL encoded data consistently within the Routing and Security components, which allows remote attackers to bypass intended URI restrictions via a doubly encoded string.