[Bug 933200] New: symphony: ESI unauthorized access - restriction bypass
http://bugzilla.suse.com/show_bug.cgi?id=933200

Bug ID: 933200
Summary: symphony: ESI unauthorized access - restriction bypass
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: 3rd party software
Assignee: crrodriguez@opensuse.org
Reporter: astieger@suse.com
QA Contact: opensuse-communityscreening@forge.provo.novell.com
Found By: Security Response Team
Blocker: ---

Courtesy bug for server:php:applications symfony

http://symfony.com/blog/cve-2015-4050-esi-unauthorized-access

patch: https://github.com/symfony/symfony/pull/14759

Affected Versions

2.3.19 - 2.3.28, 2.4.9 - 2.4.10, 2.5.4 - 2.5.11, 2.6.0 - 2.6.7 versions of the Symfony HttpKernel component are affected by this security issue.

This issue has been fixed in Symfony 2.3.29, 2.5.12, and 2.6.8. Note that no fixes are provided for Symfony 2.4 as it's not maintained anymore. Symfony 2.7 hasn't been released yet and the fix will be included in the first stable release.

Description

Applications with ESI or SSI support enabled, that use the FragmentListener, are vulnerable to unauthorized access. A malicious user can call any controller via the /_fragment path by providing an invalid hash in the URL (or removing it), bypassing URL signing and security rules.

FragmentListener throws an AccessDeniedHttpException in case the URL is not signed correctly. However, the ExceptionListener triggers kernel events again by making a sub-request. Since the FragmentListener does no signing for sub-requests, the controller is called even though the original request was forbidden. As a result the user receives a 403 response with content generated by the controller.

Resolution

The fix implements a check in the FragmentListener so it is not called in case a _controller attribute was previously set.
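As an added illustration (not code from the Symfony project or from this bug report), the following Python model replays the event flow the description above lays out: the master request to /_fragment fails signature validation, the exception listener renders the error page through a sub-request that already carries a `_controller` attribute, and the vulnerable listener lets the unsigned `_path` overwrite that controller, while the fixed listener returns early. The secret, the fragment path, the two toy controllers and the helper names `sign`, `make_request`, `fragment_listener` and `handle` are constructed for this example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

SECRET = b"constructed-demo-secret"  # constructed stand-in for the app secret
FRAGMENT_PATH = "/_fragment"

class AccessDenied(Exception):
    pass  # plays the role of AccessDeniedHttpException

def sign(path_value: str) -> str:
    # Simplified URL signing: HMAC over the _path query value only.
    return hmac.new(SECRET, path_value.encode(), hashlib.sha256).hexdigest()

def make_request(path_value: str, hash_value: str = "") -> dict:
    query = {"_path": path_value, **({"_hash": hash_value} if hash_value else {})}
    return {"path": FRAGMENT_PATH, "query": query, "attributes": {}}

CONTROLLERS = {  # toy controllers: one protected fragment, one error renderer
    "secret": lambda r: (200, "confidential report"),
    "error": lambda r: (r["attributes"]["status"], "Access Denied"),
}

def fragment_listener(request: dict, is_master: bool, fixed: bool) -> None:
    """Model of FragmentListener::onKernelRequest, vulnerable or fixed."""
    if fixed and "_controller" in request["attributes"]:
        # Fix: a sub-request already carries its controller; never re-parse _path.
        return
    if request["path"] != FRAGMENT_PATH:
        return
    if is_master:
        expected = sign(request["query"].get("_path", ""))
        if not hmac.compare_digest(expected, request["query"].get("_hash", "")):
            raise AccessDenied()
    # Vulnerable: sub-requests skip validation yet still let _path set _controller.
    for key, values in parse_qs(request["query"].get("_path", "")).items():
        request["attributes"][key] = values[0]

def handle(request: dict, fixed: bool, is_master: bool = True) -> tuple:
    """Model of HttpKernel::handle plus the ExceptionListener error sub-request."""
    try:
        fragment_listener(request, is_master, fixed)
        return CONTROLLERS[request["attributes"]["_controller"]](request)
    except AccessDenied:
        sub = {"path": request["path"], "query": dict(request["query"]),
               "attributes": {"_controller": "error", "status": 403}}
        _status, body = handle(sub, fixed, is_master=False)
        return 403, body
```

With the vulnerable listener the unsigned request yields a 403 whose body was produced by the protected controller, exactly the symptom the description reports; with the fix the 403 carries only the error renderer's output.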
References:

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4050
- http://www.debian.org/security/2015/dsa-3276
- http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-4050.html
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4050

Also... https://github.com/symfony/symfony/commit/78cf382aa26fcdab09d900fd84c31b9e5c...