CVE-2019-10911: Add a separator in the remember me cookie hash

Affected versions

Symfony 2.7.0 to 2.7.50, 2.8.0 to 2.8.49, 3.4.0 to 3.4.25, 4.1.0 to 4.1.11 and 4.2.0 to 4.2.6 versions of Symfony Security component are affected by this security issue.

The issue has been fixed in Symfony 2.7.51, 2.8.50, 3.4.26, 4.1.12 and 4.2.7.

Note that no fixes are provided for Symfony 3.0, 3.1, 3.2, 3.3, and 4.0 as they are not maintained anymore.

Description

This fixes situations where part of an expiry time in a cookie could be considered part of the username, or part of the username could be considered part of the expiry time. An attacker could modify the remember me cookie and authenticate as a different user. This attack is only possible if remember me functionality is enabled and the two users share a password hash or the password hashes (e.g. UserInterface::getPassword()) are null for all users (which is valid if passwords are checked by an external system, e.g. an SSO).

Resolution

We now separate the various components (username, expires, password) of the cookie hash with colons.

The patch for this issue is available here for branch 3.4.

Credits

I would like to thank Jon Cave for reporting and Pascal Borreli & Michael Cullum for fixing the issue.

Manage your notification preferences to receive an email as soon as a Symfony security release is published.
If you have found a security issue in Symfony, please send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.

CVE-2019-10911: Add a separator in the remember me cookie hash symfony.com/blog/cve-2019-10911-add-a-separator-in-the-remember-me-cookie-hash

Tweet this

Comments

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.