Yesterday, Tristan Bessoussa brought our attention to a possible security vulnerability. We would like to thank him for responsibly disclosing this through the dedicated firstname.lastname@example.org mailing address!
After some investigation, we verified the vulnerability, and determined the cause to be a faulty implementation in FOSUserBundle.
Also, custom implementations of Symfony\Component\Security\User\UserProviderInterface might be affected. The core Security Component is, however, not affected as the exact same vulnerability has been fixed in the default Doctrine entity user provider in November 2011.
The vulnerability can be exploited to impersonate any user.
In the meantime, we have also been informed about a second security issue with FOSUserBundle by BAIT s.r.o. Thanks again! This issue is not as severe as the first one, but depending on the configuration of your reverse proxy, it was possible to hijack the session of an authenticated user.
Therefore, we highly encourage the following steps:
a) for FOSUserBundle users:
An upgrade to version 1.2.4 or higher is highly recommended for users of Symfony 2.0 (the master branch must be used by people using Symfony 2.1).
b) for all other users:
If you have custom implementations of
check that the data that you use to reload the user never changes, i.e. you are using the user object's primary key to reload it.
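The following is an added example, not code from FOSUserBundle or Symfony, of a user provider that reloads the user by primary key rather than by username. It assumes the Symfony 2.x Security component is autoloaded; `AppUser`, `AppUserRepository` and its `find()` / `findOneByUsername()` methods are hypothetical stand-ins for your own entity and persistence layer.

```php
<?php
// Added example (not FOSUserBundle's or Symfony's own code). Assumes the
// Symfony 2.x Security component is autoloaded; AppUser and
// AppUserRepository are hypothetical stand-ins for your own classes.

use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;

class AppUserProvider implements UserProviderInterface
{
    // Hypothetical repository exposing find($id) and findOneByUsername($username).
    private $repository;

    public function __construct(AppUserRepository $repository)
    {
        $this->repository = $repository;
    }

    public function loadUserByUsername($username)
    {
        $user = $this->repository->findOneByUsername($username);
        if (null === $user) {
            throw new UsernameNotFoundException(sprintf('No user with username "%s".', $username));
        }

        return $user;
    }

    // Pattern to avoid, shown only for comparison:
    //
    //     public function refreshUser(UserInterface $user)
    //     {
    //         return $this->loadUserByUsername($user->getUsername());
    //     }
    //
    // The username is a value the account holder can change, so the identity
    // reloaded on every request would depend on mutable data.

    public function refreshUser(UserInterface $user)
    {
        if (!$user instanceof AppUser) {
            throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
        }

        // Reload by primary key: the id is fixed for the lifetime of the account,
        // so the session can only ever resolve to the user it was created for.
        $fresh = $this->repository->find($user->getId());
        if (null === $fresh) {
            throw new UsernameNotFoundException(sprintf('User with id "%s" no longer exists.', $user->getId()));
        }

        return $fresh;
    }

    public function supportsClass($class)
    {
        return 'AppUser' === $class || is_subclass_of($class, 'AppUser');
    }
}
```

The `supportsClass()` check matters as well: the instanceof test in `refreshUser()` makes sure a token carrying a user object of some other provider's class is rejected instead of being silently mapped onto one of your users.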
If you are populating the security context manually, for example after registration, make sure to also invoke the session authentication strategy each time you do so.
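As an added example of the second recommendation (not FOSUserBundle's own code), a controller action that logs a user in right after registration and explicitly runs the session authentication strategy. It assumes a Symfony 2.x application where the `security.context`, `security.authentication.session_strategy` and `request` services are available from the base controller, a firewall named `main`, and a hypothetical `AppUser` entity.

```php
<?php
// Added example (not FOSUserBundle's own code). Assumes Symfony 2.x with the
// SecurityBundle configured, a firewall called "main", and a hypothetical
// AppUser entity implementing UserInterface.

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\User\UserInterface;

class RegistrationController extends Controller
{
    // Called once the new AppUser has been persisted and validated.
    protected function authenticateUser(UserInterface $user)
    {
        $request = $this->get('request');

        // Credentials are null here: the user was just created by us, there is
        // nothing to re-check. "main" must match the firewall name in security.yml.
        $token = new UsernamePasswordToken($user, null, 'main', $user->getRoles());

        // This is the step that is easy to forget when setting the token by hand.
        // The configured strategy (migrate by default) regenerates the session id,
        // so a session id known before authentication cannot be reused afterwards.
        $this->get('security.authentication.session_strategy')
            ->onAuthentication($request, $token);

        $this->get('security.context')->setToken($token);
    }
}
```

Setting the token alone is what the form login listener does internally before it, too, invokes the session strategy; populating the context manually without that call leaves the pre-authentication session id in place, which is the condition the second issue depends on.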
For further reference, you can take a look at the changes which have been made to FOSUserBundle or Symfony:
Since this implementation is easy to get wrong, we are additionally targeting a refactoring of the related parts of the Security component for 2.2 to reduce the likelihood of such implementation mistakes in the future.