CVE-2015-4050: ESI unauthorized access
Affected Versions
2.3.19 - 2.3.28, 2.4.9 - 2.4.10, 2.5.4 - 2.5.11, 2.6.0 - 2.6.7 versions of the Symfony HttpKernel component are affected by this security issue.
This issue has been fixed in Symfony 2.3.29, 2.5.12, and 2.6.8. Note that no fixes are provided for Symfony 2.4 as it's not maintained anymore. Symfony 2.7 hasn't been released yet and the fix will be included in the first stable release.
Description
Applications with ESI or SSI support enabled that use the FragmentListener are vulnerable to unauthorized access. A malicious user can call any controller via the /_fragment path by providing an invalid hash in the URL (or removing it), bypassing URL signing and security rules.

The FragmentListener throws an AccessDeniedHttpException when the URL is not signed correctly. However, the ExceptionListener then triggers the kernel events again by making a sub-request. Since the FragmentListener does not validate the signature of sub-requests, the controller is called even though the original request was forbidden. As a result, the user receives a 403 response whose content was generated by the controller.
Resolution
The fix adds a check to the FragmentListener so that it returns early, without parsing the fragment attributes, when a _controller attribute was already set on the request (as it is for the sub-request created by the ExceptionListener).
The patch for this issue is available here.
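The following is an added, simplified model of the listener logic described above; it is not Symfony's code. Request, signer and the ExceptionListener's sub-request are stand-ins, and the controller name in the query string is a constructed placeholder, so the script only shows why the _controller check in the resolution stops the sub-request from running an attacker-chosen controller.

```php
<?php
// Added example, not Symfony's own code: a reduced model of FragmentListener::onKernelRequest.
// A request is just a path, query parameters and attributes; signature checking is a stand-in.
final class Req {
    public function __construct(
        public string $path,
        public array $query = [],
        public array $attributes = [],
        public bool $isMaster = true,
    ) {}
}

// Stand-in for the URI signer (the real one verifies an HMAC over the whole URI).
function isSigned(Req $r): bool {
    return isset($r->query['_hash']) && $r->query['_hash'] === 'valid-signature';
}

function onKernelRequest(Req $r, bool $patched): void {
    if ($r->path !== '/_fragment') return;
    // The fix: a request that already carries a _controller (the sub-request made by the
    // ExceptionListener to render the error page) must not have it replaced from _path.
    if ($patched && isset($r->attributes['_controller'])) {
        unset($r->query['_path']);
        return;
    }
    // Only master requests are signature-checked; sub-requests were trusted unconditionally.
    if ($r->isMaster && !isSigned($r)) {
        throw new RuntimeException('403 AccessDenied');
    }
    parse_str($r->query['_path'] ?? '', $attrs);   // _path carries the fragment attributes
    $r->attributes = array_merge($r->attributes, $attrs);
    unset($r->query['_path']);
}

// Mirrors the ExceptionListener: on AccessDenied it duplicates the request (same path and
// query) as a sub-request whose _controller is the error controller, then re-dispatches.
function controllerThatRuns(Req $master, bool $patched): string {
    try {
        onKernelRequest($master, $patched);
        return $master->attributes['_controller'];
    } catch (RuntimeException $e) {
        $sub = new Req($master->path, $master->query, ['_controller' => 'error_controller'], false);
        onKernelRequest($sub, $patched);
        return $sub->attributes['_controller'];
    }
}

// Constructed unsigned request: no _hash, and _path names a placeholder controller.
$unsigned = new Req('/_fragment', ['_path' => '_controller=placeholder_controller']);
echo controllerThatRuns($unsigned, false), "\n"; // vulnerable: placeholder_controller renders the 403 body
echo controllerThatRuns($unsigned, true), "\n";  // patched: error_controller
```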
Credits
I would like to thank Jakub Zalas for reporting this security issue and providing a fix. Jakub also wrote the security advisory.