Paris 2019 March 28-29

  1. Home
  2. Blog
  3. CVE-2016-4423: Large username storage in session

CVE-2016-4423: Large username storage in session

May 9, 2016 Avatar of Fabien Potencier Fabien Potencier

Affected Versions

Symfony 2.3.0 to 2.3.40, 2.7.0 to 2.7.12, 2.8.0 to 2.8.5, and 3.0.0 to 3.0.5 versions of the Security component are affected by this security issue when using the username/password form authentication listener (and its simpler version SimpleFormAuthenticationListener).

This issue has been fixed in Symfony 2.3.41, 2.7.13, 2.8.6, and 3.0.6.

Note that no fixes are provided for Symfony 2.4, 2.5, and 2.6 as they are not maintained anymore.

Description

When an authentication form is submitted by the user and if the user does not exist, the submitted username is stored in the session. If an attacker submit multiple requests with large usernames, he can potentially fill up the session storage.

Resolution

The fix consists in limiting the size of the usernames accepted by the form. To avoid any BC break, the limit is set to 4096 characters, which should be more than enough for normal usages.

The patch for this issue is available here.

Credits

I would like to thank Marek Alaksa of Citadelo for reporting this security issue. Thanks to Fabien Potencier for writing the fix for the various Symfony versions.

Manage your notification preferences to receive an email as soon as a Symfony security release is published.
If you have found a security issue in Symfony, please send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.

Comments

Thomas Schulz said on May 10, 2016 #1

2.7.13 is listed twice ;-)

Herman J. Radtke III said on May 13, 2016 #2

The Security Check Report lists v2.6.13 as vulnerable, but it is not listed above.

Output from our travis:

symfony/symfony (v2.6.13)

-------------------------

* CVE-2016-4423: CVE-2016-4423: Large username storage in session

http://symfony.com/blog/cve-2016-4423-large-username-storage-in-session

This checker can only detect vulnerabilities that are referenced Disclaimer in the SensioLabs security advisories database. Execute this command regularly to check the newly discovered vulnerabilities.

Fabien Potencier said on May 16, 2016 #3

All 2.6 versions are vulnerable as stated in the blog post above. 2.6 is not maintained anymore and so, it does not receive security issue patches. You should upgrade.

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.