Security Release: 1.2.12, 1.3.3 and 1.4.3
A SQL injection vulnerability in the Doctrine admin generator was reported earlier today which has been addressed in these 1.2.12, 1.3.3 and 1.4.3 security releases. This vulnerability was limited to the Doctrine admin generator and did not affect the Propel admin generator or any other aspect of symfony's Doctrine integration.
We recommend all projects that use the Doctrine admin generator upgrade to these latest versions immediately.
The vulnerability
The admin generator in sfDoctrinePlugin was not properly filtering the GET request parameter that switches the sort order on record listing pages. By manipulating this parameter in the URL, it was possible to inject arbitrary SQL into the query that populates the list page. We have closed this hole by applying a simple whitelist filter which checks that this parameter is either "asc" or "desc", compared case-insensitively.
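The whitelist described above, as an added PHP example that is not sfDoctrinePlugin's own code: the function names, the `created_at` column and the sample request values are assumptions.

```php
<?php
// Added example (not sfDoctrinePlugin's own code): whitelist filtering of a
// user-supplied sort-direction parameter before it reaches an ORDER BY clause.
// sortDirection(), buildOrderBy() and the $column value are assumptions.

/**
 * Returns 'asc' or 'desc' for a recognised value, null for anything else.
 * The comparison is case-insensitive, as in the 1.2.12/1.3.3/1.4.3 fix.
 */
function sortDirection($value)
{
    if (!is_string($value)) {
        return null;
    }
    $normalized = strtolower($value);

    return in_array($normalized, array('asc', 'desc'), true) ? $normalized : null;
}

/**
 * Builds an ORDER BY fragment. $column is assumed to be chosen by the
 * application (e.g. from the generator's own configured field list), never
 * taken raw from the request; only the direction comes from the user, and
 * only after it has passed the whitelist.
 */
function buildOrderBy($column, $requestedDirection, $default = 'asc')
{
    $direction = sortDirection($requestedDirection);
    if (null === $direction) {
        // Unrecognised value: fall back to the default instead of interpolating it.
        $direction = $default;
    }

    return sprintf('ORDER BY %s %s', $column, strtoupper($direction));
}

// Constructed request values, as they might arrive in a GET parameter.
$samples = array('asc', 'DESC', 'Asc', 'ascending', 'asc foo', '');
foreach ($samples as $value) {
    printf("%-12s -> %s\n", var_export($value, true), buildOrderBy('created_at', $value));
}
```

Only the two whitelisted words can reach the query; every other value, including anything that merely starts with "asc", is replaced by the default direction.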
How to report a security issue
It behooves us all to review the process for reporting a security issue to the symfony core team. This process, described on the symfony wiki, is set aside from reporting other issues with the symfony code because security issues require special consideration. If you find a security vulnerability, please do not post to the symfony-users mailing list. Instead, send an email to security [at] symfony-project [dot] com describing the vulnerability and it will quickly be qualified and addressed. Once a fix is released, the vulnerability and fix will be announced on this blog.
How to upgrade
If you've checked out a copy of a tag from Subversion, switch to the latest.
// symfony 1.2
$ svn switch http://svn.symfony-project.com/tags/RELEASE_1_2_12
// symfony 1.3
$ svn switch http://svn.symfony-project.com/tags/RELEASE_1_3_3
// symfony 1.4
$ svn switch http://svn.symfony-project.com/tags/RELEASE_1_4_3
If you are using the PEAR package, upgrade it instead.
// symfony 1.2
$ pear upgrade symfony/symfony-1.2.12
// symfony 1.3
$ pear upgrade symfony/symfony-1.3.3
// symfony 1.4
$ pear upgrade symfony/symfony-1.4.3
Once that's complete, clear your project's cache.
$ php symfony cache:clear
If you'd prefer to download the security fix as a patch, you may do so for the 1.2, 1.3 or 1.4 branches.
Comments
As a courtesy to the reporter.
You are right, but - roko didn't disclose real name. So? Who is roko?
Regards,
M
While 1.2.11 is not supported anymore, we of course fixed this issue also in 1.2.12.