CVE-2016-4423: Large username storage in session
May 9, 2016 • Published by Fabien Potencier
Affected Versions
Symfony 2.3.0 to 2.3.40, 2.7.0 to 2.7.12, 2.8.0 to 2.8.5, and 3.0.0 to 3.0.5
versions of the Security component are affected by this security issue when
using the username/password form authentication listener (and its simpler
version SimpleFormAuthenticationListener
).
This issue has been fixed in Symfony 2.3.41, 2.7.13, 2.8.6, and 3.0.6.
Note that no fixes are provided for Symfony 2.4, 2.5, and 2.6 as they are not maintained anymore.
Description
When an authentication form is submitted by the user and if the user does not exist, the submitted username is stored in the session. If an attacker submit multiple requests with large usernames, he can potentially fill up the session storage.
Resolution
The fix consists in limiting the size of the usernames accepted by the form. To avoid any BC break, the limit is set to 4096 characters, which should be more than enough for normal usages.
The patch for this issue is available here.
Manage your notification preferences to receive an email as soon as a Symfony security release is published.
Help the Symfony project!
As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.
Comments are closed.
To ensure that comments stay relevant, they are closed for old posts.
Output from our travis:
symfony/symfony (v2.6.13)
-------------------------
* CVE-2016-4423: CVE-2016-4423: Large username storage in session
http://symfony.com/blog/cve-2016-4423-large-username-storage-in-session
This checker can only detect vulnerabilities that are referenced Disclaimer in the SensioLabs security advisories database. Execute this command regularly to check the newly discovered vulnerabilities.