A SQL injection vulnerability in the Doctrine admin generator was reported earlier today and has been addressed in the 1.2.12, 1.3.3 and 1.4.3 security releases. The vulnerability was limited to the Doctrine admin generator and did not affect the Propel admin generator or any other part of symfony's Doctrine integration.
We recommend all projects that use the Doctrine admin generator upgrade to these latest versions immediately.
The vulnerability
The admin generator in sfDoctrinePlugin was not properly filtering the GET request parameter that switches the sort order on record listing pages. By manipulating this parameter in the URL, it was possible to inject arbitrary SQL into the query that populates the list page. We have closed this hole by applying a simple whitelist filter which checks that this parameter is either "asc" or "desc," case-insensitive.
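To make the bug and the fix concrete, here is an added example written for this post; it is not code from sfDoctrinePlugin or symfony. It assumes the pdo_sqlite extension is available, and the tables, rows and column names (article.category, sf_guard_user.password) are constructed for the demo. The sort column is taken as trusted configuration here; only the direction parameter is the untrusted input under discussion.

```php
<?php
// Added illustration, not code from symfony or sfDoctrinePlugin.
// Assumes the pdo_sqlite extension; the schema, rows and the attacker
// payload below are constructed for this demo.
declare(strict_types=1);

// Vulnerable pattern: the request's sort-order parameter is concatenated
// into the ORDER BY clause of the list query without any check.
function buildListSqlVulnerable(string $sortColumn, string $sortOrder): string
{
    return "SELECT id, title FROM article ORDER BY $sortColumn $sortOrder";
}

// The whitelist check the fix describes, restated here: accept only
// "asc" or "desc", case-insensitive, and reject everything else.
function normalizeSortOrder(string $sortOrder): ?string
{
    $order = strtolower($sortOrder);
    return in_array($order, ['asc', 'desc'], true) ? $order : null;
}

function buildListSqlSafe(string $sortColumn, string $sortOrder): string
{
    $order = normalizeSortOrder($sortOrder);
    if ($order === null) {
        throw new InvalidArgumentException('Invalid sort order: ' . $sortOrder);
    }
    return "SELECT id, title FROM article ORDER BY $sortColumn $order";
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, category TEXT)');
$pdo->exec('CREATE TABLE sf_guard_user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$pdo->exec("INSERT INTO article (id, title, category) VALUES (1, 'first', 'news'), (2, 'second', 'news')");
$pdo->exec("INSERT INTO sf_guard_user (id, username, password) VALUES (1, 'admin', 'secret-hash')");

// Constructed attacker payload for a request like ?sort=category&sort_order=...
// Both article rows tie on category, so the injected CASE expression becomes
// the deciding sort key: which title is listed first leaks one bit about the
// admin password hash. Repeating with other substr offsets and characters
// reads the value out one character at a time (a blind ORDER BY oracle).
$payload = "asc, (CASE WHEN (SELECT substr(password, 1, 1) FROM sf_guard_user WHERE id = 1) = 's' "
         . "THEN id ELSE -id END)";

$titles = $pdo->query(buildListSqlVulnerable('category', $payload))->fetchAll(PDO::FETCH_COLUMN, 1);
echo "vulnerable query executed; first row listed: {$titles[0]}\n"; // "first": the guess 's' was right

try {
    buildListSqlSafe('category', $payload);
} catch (InvalidArgumentException $e) {
    echo "hardened builder rejected the payload\n";
}

// Legitimate values still work, and case is normalised.
echo buildListSqlSafe('category', 'DESC'), "\n"; // ... ORDER BY category desc
```

Run it with `php` on the command line. The point of the whitelist is that an ORDER BY direction is never a value you can bind as a prepared-statement parameter, so the only safe option is to compare the input against the two strings you are willing to emit and refuse anything else; silently falling back to a default is also acceptable, but rejecting loudly makes probing attempts visible in your logs.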
How to report a security issue
It behooves us all to review the process for reporting a security issue to the symfony core team. This process, described on the symfony wiki, is set aside from reporting other issues with the symfony code because security issues require special consideration. If you find a security vulnerability, please do not post to the symfony-users mailing list. Instead, send an email to security [at] symfony-project [dot] com describing the vulnerability and it will quickly be qualified and addressed. Once a fix is released, the vulnerability and fix will be announced on this blog.
How to upgrade
If you've checked out a tag from Subversion, switch to the latest one.
// symfony 1.2
$ svn switch http://svn.symfony-project.com/tags/RELEASE_1_2_12
// symfony 1.3
$ svn switch http://svn.symfony-project.com/tags/RELEASE_1_3_3
// symfony 1.4
$ svn switch http://svn.symfony-project.com/tags/RELEASE_1_4_3
If you installed symfony as a PEAR package, upgrade it with the matching command.
// symfony 1.2
$ pear upgrade symfony/symfony-1.2.12
// symfony 1.3
$ pear upgrade symfony/symfony-1.3.3
// symfony 1.4
$ pear upgrade symfony/symfony-1.4.3
Once that's complete, clear your project's cache.
$ php symfony cache:clear
If you'd prefer to download the security fix as a patch, you may do so for the 1.2, 1.3 or 1.4 branches.
Please update the http://www.symfony-project.org/installation/1_4 page, since it's still referring to 1.4.2 as the latest release.
Download 1.4.3 from http://www.symfony-project.org/get/symfony-1.4.3.zip
I've updated the post with more detail on the vulnerability itself and our fix.
I think you should put the name of the person discovering the security hole in the blog entry, as a courtesy to the reporter.
@GeG
You are right, but roko didn't disclose a real name. So? Who is roko?
Regards, M
I hijacked Kris's post and added some information for symfony 1.2. While 1.2.11 is not supported anymore, we of course fixed this issue in 1.2.12 as well.