Security Release: 1.2.12, 1.3.3 and 1.4.3
by Kris Wallsmith – February 25, 2010 – 6 comments

A SQL injection vulnerability in the Doctrine admin generator was reported earlier today which has been addressed in these 1.2.12, 1.3.3 and 1.4.3 security releases. This vulnerability was limited to the Doctrine admin generator and did not affect the Propel admin generator or any other aspect of symfony's Doctrine integration.

We recommend all projects that use the Doctrine admin generator upgrade to these latest versions immediately.

The vulnerability

The admin generator in sfDoctrinePlugin was not properly filtering the GET request parameter that switches the sort order on record listing pages. By manipulating this parameter in the URL, it was possible to inject arbitrary SQL into the query that populates the list page. We have closed this hole by applying a simple whitelist filter which checks that this parameter is either "asc" or "desc," case-insensitive.
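As an added illustration (not sfDoctrinePlugin's own code; the function names, the query shape and the sample values are assumptions), here is the whitelist check described above written out in PHP, with the unchecked form beside it for contrast:

```php
<?php
// Added example, not code from sfDoctrinePlugin: function names, the query
// shape and the sample inputs are assumptions made for illustration only.

// The pre-fix behaviour in outline: the sort direction read from the GET
// parameter reached the ORDER BY clause without any check on its value.
function buildListSqlUnchecked(string $table, string $column, string $direction): string
{
    return sprintf('SELECT * FROM %s ORDER BY %s %s', $table, $column, $direction);
}

// The fix in outline: a whitelist that accepts only "asc" or "desc", compared
// case-insensitively, and falls back to a default for anything else.
function normalizeSortDirection(?string $direction, string $default = 'asc'): string
{
    if ($direction === null) {
        return $default;
    }
    $lowered = strtolower($direction);

    // Strict comparison against the two allowed literals; no trimming, so a
    // value with surrounding whitespace is rejected rather than "cleaned".
    return in_array($lowered, ['asc', 'desc'], true) ? $lowered : $default;
}

function buildListSqlChecked(string $table, string $column, ?string $direction): string
{
    // $table and $column are assumed to come from the generator's own
    // configuration, never from the request; only $direction is user input.
    return sprintf(
        'SELECT * FROM %s ORDER BY %s %s',
        $table,
        $column,
        normalizeSortDirection($direction)
    );
}

// Constructed values standing in for the request parameter.
$samples = ['asc', 'DESC', 'Desc', ' desc', 'sideways', '', null];

foreach ($samples as $input) {
    printf(
        "%-12s -> %s\n",
        var_export($input, true),
        buildListSqlChecked('post', 'created_at', $input)
    );
}
```

Only the first three samples reach the query as given (lower-cased); every other value, including the one with a leading space, is replaced by the default direction.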

How to report a security issue

It behooves us all to review the process for reporting a security issue to the symfony core team. This process, described on the symfony wiki, is set aside from reporting other issues with the symfony code because security issues require special consideration. If you find a security vulnerability, please do not post to the symfony-users mailing list. Instead, send an email to security [at] symfony-project [dot] com describing the vulnerability and it will quickly be qualified and addressed. Once a fix is released, the vulnerability and fix will be announced on this blog.

How to upgrade

If you've checked out a copy of a tag from Subversion, switch to the latest one.

// symfony 1.2
$ svn switch http://svn.symfony-project.com/tags/RELEASE_1_2_12

// symfony 1.3
$ svn switch http://svn.symfony-project.com/tags/RELEASE_1_3_3

// symfony 1.4
$ svn switch http://svn.symfony-project.com/tags/RELEASE_1_4_3

If you are using the PEAR package, upgrade it with pear instead.

// symfony 1.2
$ pear upgrade symfony/symfony-1.2.12

// symfony 1.3
$ pear upgrade symfony/symfony-1.3.3

// symfony 1.4
$ pear upgrade symfony/symfony-1.4.3

Once that's complete, clear your project's cache.

$ php symfony cache:clear

If you'd prefer to download the security fix as a patch, you may do so for the 1.2, 1.3 or 1.4 branches.

Comments

  • #1 Massimiliano Arione said on the 2010/02/25 at 08:55
    Please update the http://www.symfony-project.org/installation/1_4 page, since it's still referring to 1.4.2 as the latest release.
  • #2 tety said on the 2010/02/25 at 09:35
    Download 1.4.3 from http://www.symfony-project.org/get/symfony-1.4.3.zip
  • #3 Kris said on the 2010/02/25 at 10:02
    I've updated the post with more detail on the vulnerability itself and our fix.
  • #4 GeG said on the 2010/02/25 at 14:33
    I think you should put the name of the person discovering the security hole in the blog entry.
    As a courtesy to the reporter.
  • #5 M said on the 2010/02/25 at 16:37
    @GeG

    You are right, but - roko didn't disclose a real name. So? Who is roko?

    Regards,
    M
  • #6 Fabian Lange said on the 2010/02/25 at 17:17
    I hijacked Kris' post and added some information for symfony 1.2.
    While 1.2.11 is not supported anymore, we of course fixed this issue also in 1.2.12.