
=====================================================================

                             CERT-Renater

                  Note d'Information No. 2021/VULN624
_____________________________________________________________________


DATE                : 24/11/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Symfony.

=====================================================================
https://symfony.com/blog/cve-2021-41268-remember-me-cookie-persistance-after-password-changes
https://symfony.com/blog/cve-2021-41267-webcache-poisoning-via-x-forwarded-prefix-and-sub-request
https://symfony.com/blog/cve-2021-41270-prevent-csv-injection-via-formulas
_____________________________________________________________________

CVE-2021-41268: Remember me cookie persistence after password changes

November 24, 2021 - Fabien Potencier


Description

Since the rework of the Remember me cookie in Symfony 5.3, the cookie is
no longer invalidated when the user changes their password.

Attackers can therefore keep their access to the account even after the
password is changed, as long as they were able to log in once and obtain
a valid remember me cookie.


Resolution

Symfony now makes the password part of the cookie signature by default,
so the cookie becomes invalid as soon as the password changes.
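
The following is an added illustration, written for this note in Python
rather than PHP; it is not Symfony's implementation and its cookie layout,
secret and user store are constructed for the example. It contrasts a
signature that covers only the username and expiry (which keeps validating
after a password change) with one that also covers the stored password
hash, so that the same cookie is rejected once the hash changes. The hash
enters the signature only; it is never placed in the cookie.

```python
import hashlib
import hmac

# Constructed application secret for this example; real deployments load it
# from configuration and never hard-code it.
APP_SECRET = b"constructed-example-secret"


def _signature(*fields: str) -> str:
    """HMAC-SHA256 over every field the remember-me token must vouch for."""
    message = "\x00".join(fields).encode()
    return hmac.new(APP_SECRET, message, hashlib.sha256).hexdigest()


def issue_cookie(username: str, password_hash: str, expires: int,
                 bind_password: bool) -> str:
    """Build the cookie value. With bind_password=False the signature covers
    only the username and expiry, so it keeps validating after a password
    change (the behaviour this advisory fixes). With bind_password=True the
    stored password hash is mixed into the signature; the hash itself is not
    placed in the cookie, so the cookie reveals nothing about the password."""
    fields = [username, str(expires)]
    if bind_password:
        fields.append(password_hash)
    return f"{username}:{expires}:{_signature(*fields)}"


def validate_cookie(cookie: str, users: dict, bind_password: bool,
                    now: int) -> bool:
    """Recompute the signature from the *current* user record and compare it
    in constant time. A changed password changes the expected signature."""
    try:
        username, expires_s, sig = cookie.rsplit(":", 2)
        expires = int(expires_s)
    except ValueError:
        return False
    if expires < now or username not in users:
        return False
    fields = [username, expires_s]
    if bind_password:
        fields.append(users[username])
    return hmac.compare_digest(_signature(*fields), sig)


def demo() -> dict:
    """Issue both cookie variants, change the password, and re-validate."""
    # Constructed user store; sha256 stands in for a real password hasher
    # (bcrypt/argon2) purely to keep the example self-contained.
    users = {"alice": hashlib.sha256(b"old-password").hexdigest()}
    now = 1_700_000_000
    expires = now + 30 * 86400
    unbound = issue_cookie("alice", users["alice"], expires, bind_password=False)
    bound = issue_cookie("alice", users["alice"], expires, bind_password=True)
    before = {"unbound": validate_cookie(unbound, users, False, now),
              "bound": validate_cookie(bound, users, True, now)}
    users["alice"] = hashlib.sha256(b"new-password").hexdigest()  # password change
    after = {"unbound": validate_cookie(unbound, users, False, now),
             "bound": validate_cookie(bound, users, True, now)}
    return {"before_change": before, "after_change": after}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows both cookies accepted before the change and only the
unbound one still accepted afterwards. Binding the signature to the hash
rather than storing a per-user token keeps the fix stateless: nothing has
to be revoked on password change, the old cookies simply stop verifying.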


The patch for this issue is available here for branch 5.3.


Credits

We would like to thank Thibaut Decherit for reporting the issue and
Wouter J for fixing the issue.

_____________________________________________________________________

CVE-2021-41267: Webcache Poisoning via X-Forwarded-Prefix and sub-request

November 24, 2021 - Fabien Potencier


Description

When a Symfony application is running behind a proxy or a load balancer,
you can tell Symfony to look for the X-Forwarded-* HTTP headers. Headers
that are not part of the "trusted_headers" allowed list are ignored,
which protects you from "cache poisoning" attacks.

In Symfony 5.2, we added support for the X-Forwarded-Prefix header, but
this header was accessible in sub-requests even when it was not part of
the "trusted_headers" allowed list. An attacker could exploit this by
forging requests containing an X-Forwarded-Prefix HTTP header, leading
to a web cache poisoning issue.


Resolution

Symfony now ensures that the X-Forwarded-Prefix HTTP header is not
forwarded to sub-requests when it is not trusted.
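
As an added illustration (Python, not Symfony's HttpFoundation code; the
proxy ranges, header names and request are constructed for the example),
the filter below keeps an X-Forwarded-* header for a sub-request only
when it is in the allowed list and the request came through a trusted
proxy. The base URL that a sub-request or a shared cache would see is then
derived from the filtered set, so an untrusted X-Forwarded-Prefix cannot
leak into generated links or cache keys.

```python
import ipaddress

# Headers a reverse proxy may set. None of them should influence routing,
# generated URLs or cache keys unless the application explicitly trusts the
# header *and* the request arrived from a trusted proxy.
FORWARDED_HEADERS = {
    "x-forwarded-for", "x-forwarded-host", "x-forwarded-proto",
    "x-forwarded-port", "x-forwarded-prefix",
}


def from_trusted_proxy(remote_addr: str, trusted_proxies: list) -> bool:
    """True when the TCP peer falls inside one of the trusted proxy ranges."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in ipaddress.ip_network(cidr, strict=False)
               for cidr in trusted_proxies)


def headers_for_subrequest(headers: dict, remote_addr: str,
                           trusted_proxies: list, trusted_headers: set) -> dict:
    """Return the header set a sub-request is allowed to see: every
    X-Forwarded-* header that is not in the allowed list, or that did not
    come through a trusted proxy, is dropped rather than passed along."""
    trusted_source = from_trusted_proxy(remote_addr, trusted_proxies)
    kept = {}
    for name, value in headers.items():
        key = name.lower()
        if key in FORWARDED_HEADERS and not (trusted_source and key in trusted_headers):
            continue
        kept[key] = value
    return kept


def base_url(headers: dict) -> str:
    """URL prefix under which a (sub-)request renders links and under which
    a shared cache typically stores the response. Only call this with the
    sanitised header set."""
    proto = headers.get("x-forwarded-proto", "http")
    host = headers.get("x-forwarded-host", headers.get("host", "localhost"))
    prefix = headers.get("x-forwarded-prefix", "").rstrip("/")
    return f"{proto}://{host}{prefix}"


def demo() -> dict:
    """Same constructed request seen under three deployment configurations."""
    trusted_proxies = ["10.0.0.0/8"]
    request = {"Host": "app.example", "X-Forwarded-Proto": "https",
               "X-Forwarded-Prefix": "/api"}
    without_prefix = {"x-forwarded-for", "x-forwarded-proto", "x-forwarded-host"}
    with_prefix = without_prefix | {"x-forwarded-prefix"}
    return {
        # Client talks to the app directly: no forwarded header may be used.
        "direct_client": base_url(headers_for_subrequest(
            request, "203.0.113.9", trusted_proxies, with_prefix)),
        # Trusted proxy, but X-Forwarded-Prefix is not in the allowed list.
        "proxy_prefix_untrusted": base_url(headers_for_subrequest(
            request, "10.1.2.3", trusted_proxies, without_prefix)),
        # Trusted proxy and the prefix explicitly trusted: the prefix applies.
        "proxy_prefix_trusted": base_url(headers_for_subrequest(
            request, "10.1.2.3", trusted_proxies, with_prefix)),
    }


if __name__ == "__main__":
    print(demo())
```

The point the advisory makes is that this filtering has to be applied
before the header set is handed to a sub-request, not only to the master
request; the demo reproduces that by deriving the sub-request's base URL
exclusively from the filtered headers.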

The patch for this issue is available here for branch 5.3.


Credits

We would like to thank Soner Sayakci for reporting the issue and Jérémy
Derussé for fixing the issue.


_____________________________________________________________________


CVE-2021-41270: Prevent CSV Injection via formulas

November 24, 2021 - Fabien Potencier


Description

CSV Injection, also known as Formula Injection, occurs when websites
embed untrusted input inside CSV files. When a spreadsheet program opens
a CSV, any cell starting with = is interpreted by the software as a
formula and could be abused by an attacker.

In Symfony 4.1, we added the opt-in csv_escape_formulas option to
CsvEncoder, which prefixes every cell starting with =, +, - or @ with a
tab (\t).

Since then, OWASP has added two characters to that list:
  - Tab (0x09)
  - Carriage return (0x0D)

This makes our previous prefix character (tab, \t) one of the vulnerable
characters itself, and OWASP suggests using the single quote ' as the
prefix instead.


Resolution

Symfony now follows the OWASP recommendations: it uses the single quote '
to prefix formulas, and adds the prefix to cells starting with \t or \r
as well as =, +, - and @.

The patch for this issue is available here for branch 4.4.


Credits

We would like to thank Jake Barwell for reporting the issue and Jérémy
Derussé for fixing the issue.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================

