Developers release updates, but not for all Symfony versions

May 27, 2015 10:18 GMT

Developers of the Symfony PHP web framework released a patch on Wednesday for a security hole that allows unauthorized access to controllers in web apps that have SSI (Server-Side Includes) or ESI (Edge Side Includes) support enabled.

The list of vulnerable versions is extensive: 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7.

Symfony is a widely used development platform for creating web apps and for building and maintaining websites. According to statistics on its website, it has over 1 million monthly downloads, and the number of websites using it reaches tens of thousands.

Forbidden request to controller is still processed

In a security advisory, Fabien Potencier, the original author of Symfony, says that the vulnerability can be exploited by an attacker to bypass URL signing and security rules.

He says that web apps that have ESI or SSI support turned on and use the FragmentListener class are vulnerable to unauthorized access. “A malicious user can call any controller via the /_fragment path by providing an invalid hash in the URL (or removing it),” and thus get past the security measures imposed.

FragmentListener manages content fragments, which are requested through URL paths beginning with “/_fragment.” A fragment request is accepted only if it comes from a trusted IP address (such as the site's own reverse proxy) or if its URL carries a valid signature computed from the application's secret; a request from an untrusted IP with a missing or invalid signature is denied with a 403 error.

However, the denial is raised as an exception, and the “ExceptionListener” class renders the error page by turning the original request into a sub-request that keeps the same URL. Sub-requests are not signature-checked, so the listener still parses the “_path” query parameter of the forbidden request and resolves the controller named in it. The controller is therefore called anyway, and the resulting 403 response contains the content it generated.
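The following is an added example, not Symfony's own code and not part of the original article. It models the flow described above with simplified stand-ins for Symfony's Request, UriSigner, FragmentListener, ExceptionListener and kernel: the vulnerable listener checks the URL signature only on the master request and then parses “_path” on every request, while the fixed listener refuses to re-parse “_path” on a sub-request that already names its controller. The secret “app-secret”, the controller names “secret” and “error”, and the HTTP status codes are assumptions made for the demonstration.

```php
<?php
// Added example (not Symfony's code): a minimal model of the CVE-2015-4050 flow.
// Class and method names mirror Symfony's but the implementations are simplified.

final class AccessDeniedHttpException extends RuntimeException {}

final class Request
{
    public array $attributes = [];
    public function __construct(public string $path, public array $query, public bool $master = true) {}

    // Like Request::duplicate(): same path and query, fresh attributes, marked as a sub-request.
    public function duplicate(array $attributes): self
    {
        $sub = new self($this->path, $this->query, false);
        $sub->attributes = $attributes;
        return $sub;
    }
}

// HMAC-SHA256 over path + query (minus _hash), in the spirit of Symfony's UriSigner.
final class UriSigner
{
    public function __construct(private string $secret) {}
    public function sign(Request $r): Request
    {
        $q = $r->query; unset($q['_hash']);
        $q['_hash'] = $this->hash($r->path, $q);
        return new Request($r->path, $q);
    }
    public function check(Request $r): bool
    {
        $q = $r->query; $given = (string) ($q['_hash'] ?? ''); unset($q['_hash']);
        return hash_equals($this->hash($r->path, $q), $given);
    }
    private function hash(string $path, array $q): string
    {
        return base64_encode(hash_hmac('sha256', $path . '?' . http_build_query($q), $this->secret, true));
    }
}

final class FragmentListener
{
    public function __construct(private UriSigner $signer, private bool $fixed) {}

    public function onKernelRequest(Request $request): void
    {
        if ($request->path !== '/_fragment') {
            return;
        }
        if ($this->fixed && isset($request->attributes['_controller'])) {
            // The fix: a sub-request that already names its controller (the
            // exception sub-request does) must not have _path parsed again.
            unset($request->query['_path']);
            return;
        }
        // Both versions: only the master request is signature-checked.
        if ($request->master && !$this->signer->check($request)) {
            throw new AccessDeniedHttpException('invalid or missing _hash');
        }
        parse_str($request->query['_path'] ?? '', $fromPath);   // e.g. "_controller=secret"
        $request->attributes = array_merge($request->attributes, $fromPath);
        unset($request->query['_path']);
    }
}

final class Kernel
{
    /** @param array<string, callable(Request): string> $controllers */
    public function __construct(private FragmentListener $listener, private array $controllers) {}

    /** @return array{int, string} HTTP status and body */
    public function handle(Request $request): array
    {
        try {
            return [200, $this->dispatch($request)];
        } catch (AccessDeniedHttpException $e) {
            // Like ExceptionListener: render the error page through a sub-request
            // that keeps the original query string but sets the error controller.
            return [403, $this->dispatch($request->duplicate(['_controller' => 'error']))];
        }
    }

    private function dispatch(Request $request): string
    {
        $this->listener->onKernelRequest($request);
        $name = $request->attributes['_controller'] ?? 'error';
        return ($this->controllers[$name])($request);
    }
}

// Returns [status, body] for an unsigned attacker request and for a properly signed one.
function simulate(bool $fixed): array
{
    $signer = new UriSigner('app-secret');   // assumption: the app's framework secret
    $kernel = new Kernel(new FragmentListener($signer, $fixed), [
        'secret' => fn(Request $r): string => 'TOP SECRET DATA',
        'error'  => fn(Request $r): string => 'Access Denied',
    ]);
    // Attacker names the controller in _path and supplies a bogus hash (or none at all).
    $attack = new Request('/_fragment', ['_path' => '_controller=secret', '_hash' => 'bogus']);
    // Legitimate fragment URL as the app itself would sign it for ESI/SSI rendering.
    $legit  = $signer->sign(new Request('/_fragment', ['_path' => '_controller=secret']));
    return ['attack' => $kernel->handle($attack), 'legit' => $kernel->handle($legit)];
}

foreach ([false, true] as $fixed) {
    $r = simulate($fixed);
    printf("%-10s attacker: HTTP %d %s | signed: HTTP %d %s\n",
        $fixed ? 'fixed' : 'vulnerable', $r['attack'][0], $r['attack'][1], $r['legit'][0], $r['legit'][1]);
}
```

Run with any PHP 8 interpreter. In the vulnerable configuration the attacker's request is answered with a 403 whose body is the secret controller's output, which is exactly the symptom the advisory describes; in the fixed configuration the 403 carries only the error page, while the signed request still reaches the controller in both cases, showing that the fix does not break legitimate ESI/SSI rendering.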

Version 2.4 does not receive the fix

The maintainers of the project have released a fix for the vulnerability (CVE-2015-4050). It is available in Symfony 2.3.29, 2.5.12, and 2.6.8. No patch is provided for the 2.4 branch because it is no longer maintained, so users of 2.4.9 or 2.4.10 have to upgrade to a maintained branch to get the fix.

Credited with finding and reporting the security flaw is Jakub Zalas, an agile PHP developer based in London.