In particular, the following versions are reported to be vulnerable: 2.7.0 - 2.7.37, 2.8.0 - 2.8.30, 3.2.0 - 3.2.13, and 3.3.0 - 3.3.12. Note that these vulnerabilities may also be present in other versions, but no fixes are available for them, because fixes are released only for supported versions.
To fix the vulnerabilities, upgrade to 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, or 4.0-BETA5.

And a little more about the vulnerabilities themselves:

1. CSRF does not use different tokens for HTTP and HTTPS
Because of this, the token could be intercepted by a MITM (man-in-the-middle) attacker over plain HTTP, and the same token could then be reused in the HTTPS context to perform CSRF attacks.
More about vulnerability: link

2. Open Redirect Vulnerability in Security Handler
DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the contents of the _target_path parameter and generates a redirect, but it does not check whether the path is an absolute URL pointing to an external domain, which results in an open redirect vulnerability.
An open redirect is not very dangerous for the Symfony server itself, but it can be used, for example, to mount convincing phishing attacks.
More about vulnerability: link

3. Path traversal in the Intl bundle
The Intl component includes various bundle readers that are used to read resources from the local file system. The read() methods of these classes take a path and a locale (for multilingual applications) to determine the language and the bundle from which to extract data.
The value of the locale argument is usually derived from untrusted user input (for example, a URL parameter). An attacker can use this argument to reach arbitrary directories with a dot-dot-slash (../../) traversal attack.
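As an added example (not Symfony's own code), here is how a bundle reader of the kind described above can validate the locale before building a path and confirm the resolved file still lies inside the bundle directory; the directory layout and file names are constructed for the demo:

```php
<?php
// Added example, not Symfony code: a minimal resource-bundle reader that
// rejects a locale such as "../../etc/passwd" before it reaches the
// filesystem. The bundle directory and its contents are constructed below.

declare(strict_types=1);

final class BundleReader
{
    private string $baseDir;

    public function __construct(string $baseDir)
    {
        $real = realpath($baseDir);
        if ($real === false) {
            throw new InvalidArgumentException("Bundle directory not found: $baseDir");
        }
        $this->baseDir = $real;
    }

    // Hardened read(): whitelist the locale syntax, then check that the
    // resolved path is still inside the bundle directory.
    public function read(string $locale): string
    {
        // Locales are letters, digits and underscores only (e.g. "en", "de_CH").
        if (!preg_match('/^[A-Za-z0-9]+(?:_[A-Za-z0-9]+)*$/', $locale)) {
            throw new InvalidArgumentException("Invalid locale: $locale");
        }
        $file = realpath($this->baseDir.'/'.$locale.'.json');
        // realpath() resolves symlinks and "..", so a prefix check is reliable here.
        if ($file === false || strncmp($file, $this->baseDir.DIRECTORY_SEPARATOR, strlen($this->baseDir) + 1) !== 0) {
            throw new RuntimeException("Locale $locale not found in bundle");
        }
        return (string) file_get_contents($file);
    }
}

// Demo with a constructed bundle in a temporary directory.
$dir = sys_get_temp_dir().'/bundle_'.bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir.'/en.json', '{"hello":"Hello"}');
$reader = new BundleReader($dir);
echo $reader->read('en'), PHP_EOL;
try {
    $reader->read('../../etc/passwd');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```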
More about vulnerability: link

4. Ability to submit POST data as an uploaded file
When a user submits a form, the form request handler classes merge the POST data (the $_POST array in plain PHP) and the uploaded files (the $_FILES array in plain PHP) into one array. This combined array is the data that is then bound to the form. At this stage, there is no distinction between submitted POST data and uploaded files.
A user can send a crafted HTTP request in which the value of a FileType field is sent as regular POST data, which can then be interpreted as a path to a file on the server (for example, file:///etc/passwd). If the application does not perform any additional checks on the value passed to FileType, the contents of that server-side file may be disclosed.
More about vulnerability: link

Afterword:
Fortunately, starting with version 2.7, Symfony ships with an automatic checker for known vulnerabilities, which checks all installed dependencies with a simple console command:
bin/security-checker security:check
In our case, the command was run automatically when switching branches, so we became aware of the detected vulnerabilities almost immediately, which helped us close them faster, in fact, than we could read up on which vulnerabilities had been discovered.
If for some reason you cannot use this command in the console, you can always check your dependencies on the official site.