Yesterday, Tristan Bessoussa brought our attention to a possible security vulnerability. We would like to thank him for responsibly disclosing this through the dedicated security@symfony.com mailing address!
After some investigation, we verified the vulnerability, and determined the cause to be a faulty implementation in FOSUserBundle.
Also, custom implementations of Symfony\Component\Security\User\UserProviderInterface might be affected. The core Security Component is, however, not affected as the exact same vulnerability has been fixed in the default Doctrine entity user provider in November 2011.
The vulnerability can be exploited to impersonate any user.
In the meantime, we have also been informed about a second security issue with FOSUserBundle by BAIT s.r.o. Thanks again! This issue is not as severe as the first one, but depending on the configuration of your reverse proxy, it was possible to hijack the session of an authenticated user.
Therefore, we highly encourage the following steps:
a) for FOSUserBundle users:
An upgrade to version 1.2.4 or higher is highly recommended for users of Symfony 2.0 (the master branch must be used by people using Symfony 2.1).
b) for all other users:
If you have custom implementations of Symfony\Component\Security\User\UserProviderInterface::refreshUser(), check that the data that you use to reload the user never changes, i.e. you are using the user object's primary key to reload it.
If you are populating the security context manually, for example after registration, make sure to also invoke the session authentication strategy each time you do so.
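The two recommendations above, shown in code. This is an added example and not code from the advisory, from FOSUserBundle or from Symfony itself; it assumes the Symfony 2.0 class names of the Security component and a Doctrine ORM EntityManager, and the class and function names (EntityUserProviderExample, loginAfterRegistration, $sessionStrategy, $firewallName) are illustrative. The first part contrasts a refreshUser() that reloads by username (the faulty pattern: the in-session user object can carry a modified username, for instance after a profile form that failed validation, so the reload may return a different account) with one that reloads strictly by the primary key. The second part is a manual login after registration that invokes the session authentication strategy before storing the token, so the session does not keep the id it had before authentication.

```php
<?php
// Added example (not from the advisory, FOSUserBundle or Symfony).
// Assumes Symfony 2.0 Security component class names and a Doctrine ORM
// EntityManager; class, function and variable names are illustrative.

use Doctrine\ORM\EntityManager;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;

class EntityUserProviderExample implements UserProviderInterface
{
    private $em;
    private $class;

    public function __construct(EntityManager $em, $class)
    {
        $this->em = $em;
        $this->class = $class;
    }

    public function loadUserByUsername($username)
    {
        $user = $this->em->getRepository($this->class)->findOneBy(array('username' => $username));
        if (!$user) {
            throw new UsernameNotFoundException(sprintf('No user with username "%s".', $username));
        }

        return $user;
    }

    // FAULTY pattern (the bug the advisory describes): reloading by a mutable
    // field. If the username held by the in-session object has changed, the
    // reload returns whichever account currently owns that username.
    public function refreshUserByUsernameUnsafe(UserInterface $user)
    {
        return $this->loadUserByUsername($user->getUsername());
    }

    // Hardened form: reload strictly by the immutable primary key, as the
    // core Doctrine entity provider does since its November 2011 fix.
    public function refreshUser(UserInterface $user)
    {
        if (!$user instanceof $this->class) {
            throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
        }

        $id = $this->em->getClassMetadata($this->class)->getIdentifierValues($user);
        if (!$id) {
            throw new \InvalidArgumentException('Cannot refresh a user that has no identifier.');
        }

        $fresh = $this->em->getRepository($this->class)->find($id);
        if (!$fresh) {
            throw new UsernameNotFoundException('The user no longer exists.');
        }

        return $fresh;
    }

    public function supportsClass($class)
    {
        return $class === $this->class || is_subclass_of($class, $this->class);
    }
}

// Manual login after registration. $sessionStrategy is assumed to be the
// firewall's session authentication strategy service and $firewallName the
// name of the firewall the user is logged into.
function loginAfterRegistration(
    SecurityContextInterface $securityContext,
    SessionAuthenticationStrategyInterface $sessionStrategy,
    Request $request,
    UserInterface $user,
    $firewallName
) {
    $token = new UsernamePasswordToken($user, null, $firewallName, $user->getRoles());

    // Without this call the session keeps its pre-authentication id; the
    // strategy (e.g. migrate) is what gives the authenticated user a new one.
    $sessionStrategy->onAuthentication($request, $token);

    $securityContext->setToken($token);
}
```

The order in loginAfterRegistration() mirrors the firewall's own authentication listener: the session strategy runs first, then the token is stored. A provider whose refreshUser() still goes through loadUserByUsername() should be rewritten along the lines of the second method.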
For further reference, you can take a look at the changes which have been made to FOSUserBundle or Symfony:
- https://github.com/FriendsOfSymfony/FOSUserBundle/commit/a7e8615f13f69731fcb1c8a8d1af75c82eaea585
- https://github.com/FriendsOfSymfony/FOSUserBundle/commit/8e412a70cafd924ad04c7325dae423048861b955
- https://github.com/symfony/symfony/commit/9d2ab9ca9c1762
Since this implementation is easy to get wrong, we are additionally targeting a refactoring of the related parts of the Security component for 2.2 to reduce the likelihood of such implementation mistakes in the future.
Is the security issue also present in the 1.1 FOSUserBundle release?
My site is built using 1.1 and I would rather not upgrade as I don't want to break backwards compatibility.
If you are upgrading from FOSUserBundle 1.1, see the document "Upgrade_to_1_2.md" in the FOSUserBundle sources. You may have to configure an encoder.
[No encoder has been configured for account "Acme\DemoBundle\Entity\User"] indicates that you do.