Security Release: FOSUserBundle

July 11, 2012 · Published by Avatar of Johannes S Johannes S

Yesterday, Tristan Bessoussa brought our attention to a possible security vulnerability. We would like to thank him for responsibly disclosing this through the dedicated security@symfony.com mailing address!

After some investigation, we verified the vulnerability, and determined the cause to be a faulty implementation in FOSUserBundle.

Also, custom implementations of :class:Symfony\Component\Security\User\UserProviderInterface might be affected. The core Security Component is, however, not affected as the exact same vulnerability has been fixed in the default Doctrine entity user provider in November 2011.

The vulnerability can be exploited to impersonate any user.

In the meantime, we have also been informed about a second security issue with FOSUserBundle by BAIT s.r.o.. Thanks again! This issue is not as severe as the first one, but depending on the configuration of your reverse proxy, it was possible to hijack the session of an authenticated user.

Therefore, we highly encourage the following steps:

a) for FOSUserBundle users:

An upgrade to version 1.2.4 or higher is highly recommended for users of Symfony 2.0 (the master branch must be used by people using Symfony 2.1).

b) for all other users:

If you have custom implementations of Symfony\Component\Security\User\UserProviderInterface::refreshUser(), check that the data that you use to reload the user never changes, i.e. you are using the user object's primary key to reload it.

If you are populating the security context manually, for example after registration, make sure to also invoke the session authentication strategy each time you do so.

For further reference, you can take a look at the changes which have been made to FOSUserBundle or Symfony:

  • https://github.com/FriendsOfSymfony/FOSUserBundle/commit/a7e8615f13f69731fcb1c8a8d1af75c82eaea585
  • https://github.com/FriendsOfSymfony/FOSUserBundle/commit/8e412a70cafd924ad04c7325dae423048861b955
  • https://github.com/symfony/symfony/commit/9d2ab9ca9c1762

Since this implementation is easy to get wrong, we are additionally targeting a refactoring of the related parts of the Security component for 2.2 to reduce the likelyhood of such implementation mistakes in the future.

Published in #Plugins

Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.

Comments

Avatar of tony p
tony p said on Jul 12, 2012
is the security issue also present in the 1.1 fosuserbundle release?

my site is built using 1.1 and would rather not upgrade as i don't want to break backwards compatitbility
Avatar of Adam Monsen
Adam Monsen said on Jul 12, 2012
If you are upgrading from FOSUserBundle 1.1, see the document "Upgrade_to_1_2.md" in the FOSUserBundle sources. You may have to configure an encoder.

[No encoder has been configured for account "Acme\DemoBundle\Entity\User"] indicates that you do.

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.