CVE-2024-50340: Ability to change environment from query

November 6, 2024 • Published by Fabien Potencier

Affected versions

Symfony versions <5.4.46; >=6, <6.4.14; >=7, <7.1.7 of the Symfony Runtime component are affected by this security issue.

The issue has been fixed in Symfony 5.4.46, 6.4.14, and 7.1.7.

Description

When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request.

Resolution

The SymfonyRuntime now ignores the argv values for non-cli SAPIs PHP runtimes

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Vladimir Dusheyko for reporting the issue and Wouter de Jong for providing the fix.

Published in #Security Advisories

Have found a security issue in Symfony? Send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.

Manage your notification preferences to receive an email as soon as a Symfony security release is published.

Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.

Comments

Thomas Rabaix said on Nov 6, 2024 at 11:30

The parameter is named register_argc_argv not register_argv_argc, see https://www.php.net/manual/en/ini.core.php#ini.register-argc-argv

Kévin Dunglas said on Nov 6, 2024 at 11:32

If you're using Symfony Docker or the API Platform distribution, your project isn't affected because our skeletons provide safe PHP defaults.

Renaud GRAND said on Nov 6, 2024 at 13:57

This is pretty bad. This parameter is activated by default on most hosts (platform.sh is an example).

Vladimir Dusheyko said on Nov 6, 2024 at 14:07

Thanks for fixing the problem quickly.

Nicolas Grekas said on Nov 6, 2024 at 14:18

@Thomas fixed thanks. @Renaud it's Off by default on Platform.sh, also in Debian-based distributions and many others I guess. It's On in the official Docker image unfortunately.

Renaud GRAND said on Nov 6, 2024 at 15:30

Ok thanks! I guess in CLI "php -i" is going to show it On because it's CLI, that's what confused me.

Wouter de Jong said on Nov 6, 2024 at 17:49

Indeed, this option is hardcoded as "On" for the CLI SAPI. So checking php -i will not give you the correct insights :)