
====================================================================

                           CERT-Renater

               Information Note No. 2015/VULN103
_____________________________________________________________________

DATE                : 05/06/2015

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Symfony versions prior to 2.3.29,
                       2.5.12, or 2.6.8.

======================================================================
http://symfony.com/blog/cve-2015-4050-esi-unauthorized-access
______________________________________________________________________

 CVE-2015-4050: ESI unauthorized access

May 27, 2015 Fabien Potencier


Affected Versions

2.3.19 - 2.3.28, 2.4.9 - 2.4.10, 2.5.4 - 2.5.11, 2.6.0 - 2.6.7 versions
of the Symfony HttpKernel component are affected by this security issue.

This issue has been fixed in Symfony 2.3.29, 2.5.12, and 2.6.8. Note
that no fixes are provided for Symfony 2.4 as it's not maintained
anymore. Symfony 2.7 hasn't been released yet and the fix will be
included in the first stable release.


Description

Applications with ESI or SSI support enabled that use the
FragmentListener are vulnerable to unauthorized access. A malicious
user can call any controller via the /_fragment path by providing an
invalid hash in the URL (or removing it), bypassing URL signing and
security rules.

FragmentListener throws an AccessDeniedHttpException in case the URL is
not signed correctly. However, the ExceptionListener triggers kernel
events again by making a sub-request. Since the FragmentListener does
not validate the signature for sub-requests, the controller is called
even though the original request was forbidden. As a result the user
receives a 403 response with content generated by the controller.


Resolution

The fix adds a check to the FragmentListener so that it does nothing
when a _controller attribute has already been set, as is the case for
the sub-request created by the ExceptionListener.

The patch for this issue is available here.
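The following script is an added example written for this note, not Symfony's own code. It is a reduced model of the kernel event flow the description above lays out: Request, FragmentListener and Kernel are simplified stand-ins for the Symfony classes of the same name (the ExceptionListener's duplicate-and-sub-request behaviour is folded into Kernel::handle), the controller names and the 's3cr3t' signing key are constructed, and the signature check is an HMAC over _path rather than Symfony's UriSigner. PHP 8.0 or later is assumed for constructor property promotion.

```php
<?php
// Added example for this note, not Symfony's code: a reduced model of the
// request flow described in the advisory. Controller names and the signing
// key below are constructed for the demonstration.

final class Request
{
    public function __construct(
        public string $pathInfo,
        public array $query = [],       // stand-in for Request::$query
        public array $attributes = []   // stand-in for Request::$attributes
    ) {}

    // Like Request::duplicate(): same path and query, new attributes.
    public function duplicate(array $attributes): self
    {
        return new self($this->pathInfo, $this->query, $attributes);
    }
}

final class AccessDeniedHttpException extends RuntimeException {}

final class FragmentListener
{
    public function __construct(
        private string $secret,
        private bool $fixed,            // false = pre-fix behaviour, true = with the fix
        private string $fragmentPath = '/_fragment'
    ) {}

    public function onKernelRequest(Request $request, bool $isMasterRequest): void
    {
        if ($request->pathInfo !== $this->fragmentPath) {
            return;
        }

        // The fix: a sub-request already carries its _controller (set when the
        // exception is handled), so _path must not be allowed to overwrite it.
        if ($this->fixed && isset($request->attributes['_controller'])) {
            unset($request->query['_path']);
            return;
        }

        // Only master requests are signature-checked; sub-requests were trusted.
        if ($isMasterRequest) {
            $this->validateRequest($request);
        }

        // Attributes carried in the _path query string are merged into the
        // request; on an unchecked sub-request this replaces _controller.
        parse_str($request->query['_path'] ?? '', $fromPath);
        $request->attributes = array_merge($request->attributes, $fromPath);
        unset($request->query['_path']);
    }

    private function validateRequest(Request $request): void
    {
        // Simplified signature: HMAC over _path (Symfony signs the whole URI).
        $expected = hash_hmac('sha256', $request->query['_path'] ?? '', $this->secret);
        if (!hash_equals($expected, (string) ($request->query['_hash'] ?? ''))) {
            throw new AccessDeniedHttpException('Fragment URL is not signed correctly');
        }
    }
}

final class Kernel
{
    private const CONTROLLERS = [
        'exception_controller' => 'Error page',
        'secret_controller'    => 'Secret content',
    ];

    public function __construct(private FragmentListener $fragmentListener) {}

    // Returns status, the controller that produced the body, and the body.
    public function handle(Request $request, bool $master = true): array
    {
        try {
            $this->fragmentListener->onKernelRequest($request, $master);
            $name = $request->attributes['_controller'] ?? 'not_found';
            return ['status' => 200, 'controller' => $name, 'body' => self::CONTROLLERS[$name] ?? 'Not found'];
        } catch (AccessDeniedHttpException $e) {
            if (!$master) {
                throw $e;
            }
            // Like the ExceptionListener: duplicate the request with the exception
            // controller set, render it through a sub-request, then force the 403.
            $sub = $request->duplicate(['_controller' => 'exception_controller', 'exception' => $e]);
            $response = $this->handle($sub, false);
            $response['status'] = 403;
            return $response;
        }
    }
}

function fragmentResponse(bool $fixed): array
{
    $kernel = new Kernel(new FragmentListener('s3cr3t', $fixed));
    // Constructed request: _path names a controller, _hash is not a valid signature.
    $request = new Request('/_fragment', ['_path' => '_controller=secret_controller', '_hash' => 'bogus']);
    return $kernel->handle($request);
}

foreach ([false, true] as $fixed) {
    $r = fragmentResponse($fixed);
    printf("%s HTTP %d, body from %s: %s\n", $fixed ? 'fixed:' : 'vulnerable:', $r['status'], $r['controller'], $r['body']);
}
```

Run with the pre-fix listener, the 403 response's body comes from the controller named in _path, which is the behaviour the description calls out; with the fixed listener the early return keeps the sub-request's exception_controller in place and the 403 carries the error page. A useful check when reviewing a fragment listener of your own is exactly this one: feed it a sub-request that already has _controller set alongside a _path parameter and confirm the attribute is not replaced.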


Credits

I would like to thank Jakub Zalas for reporting this security issue and
providing a fix. Jakub also wrote the security advisory.


=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
