Affected versions
Symfony versions >=7.2 and <7.4.13, and >=8.0 and <8.0.13, of the Symfony Mailomat Mailer component are affected by this security issue.
The issue has been fixed in Symfony 7.4.13, 8.0.13.
Description
Symfony parses the X-MOM-Webhook-Signature request header as algo=signature and passes the wire-supplied $algo directly to hash_hmac() when verifying the request against the configured webhook secret. The request therefore selects the HMAC primitive used to authenticate it.
PHP's hash_hmac() enforces only that the chosen algorithm is HMAC-compatible (the set returned by hash_hmac_algos()). That set still includes primitives with known cryptanalysis, such as md4, md5, ripemd128 and tiger128,3; for example, Contini and Yin (ASIACRYPT 2006) showed an existential forgery attack on HMAC-MD4. This is the canonical algorithm-confusion shape, analogous to the JWT alg=none / alg=HS256 downgrades: any future cryptographic weakness in any HMAC primitive PHP exposes becomes exploitable against a Mailomat webhook receiver as soon as an attacker can compute a valid tag under that primitive, without any code change on the Symfony side.
Mailomat's documented webhook security pins SHA-256; the parser did not.
Resolution
MailomatRequestParser::validateSignature() now requires the signature
header to be of the form sha256=<hex> and verifies the signature with
HMAC-SHA256 keyed by the configured secret using a constant-time
comparison. Any other algorithm declared on the wire (including the HMAC
primitives PHP would otherwise accept) is rejected.
The patch for this issue is available for branch 7.4 (and forward-ported to 8.0 and 8.1).
Credits
We would like to thank Alwaleed Alshamari, Essam Alanazi and KEJJ0 for discovering the issue, and Nicolas Grekas for providing the fix.