Advisories for Composer/Symfony/Security-Http package

When a firewall is configured with form-login (or any authenticator using DefaultAuthenticationFailureHandler) and the failure_forward: true option, the handler reads the _failure_path parameter from the failing login request and uses it as the path of an internal subrequest dispatched through HttpKernelInterface::SUB_REQUEST. Symfony's Firewall::onKernelRequest listener intentionally skips subrequests under the assumption they are internally generated and trusted, which also means AccessListener (the listener that evaluates access_control) does not run. Because the …

Symfony's #[IsGranted('…')], #[IsSignatureValid], and #[IsCsrfTokenValid(…)] attributes allow you to define a methods: […] argument to only enforce these checks for the listed HTTP methods and skip them otherwise. E.g. an attribute defining methods: ['GET'] would be ignored for a HEAD request. On the other hand, Symfony's router (and HTTP semantics generally) serves HEAD requests using the GET handler. Therefore, a controller protected by e.g. #[IsGranted('ROLE_ADMIN', methods: ['GET'])] can be reached …

OidcTokenHandler is Symfony's built-in access-token handler for OpenID Connect: it validates a bearer JWT and returns the authenticated user identity. It delegates claim validation to the web-token/jwt-checker library's ClaimCheckerManager. OidcTokenHandler::verifyClaims() registers audience (aud), issuer (iss), and expiry (exp) checkers, but never passes the $mandatoryClaims argument to ClaimCheckerManager::check(). That method only validates claims that are present in the token: a checker for an absent claim is silently skipped. A validly-signed JWT …

Cas2Handler builds this service parameter from Request::getSchemeAndHttpHost(), which reflects the attacker-controlled HTTP Host header whenever Symfony's framework.trusted_hosts setting is not configured (the default). An attacker who controls any other application registered with the same CAS server can replay a victim's ticket against the Symfony application, with a spoofed Host header, and be authenticated as that victim.

X509Authenticator implements client-certificate (mTLS) authentication: the web server validates the client's certificate against a trusted CA, then passes the certificate's Subject DN (Distinguished Name: a string like CN=Alice,O=Example,emailAddress=alice@example.com) to Symfony via $_SERVER['SSL_CLIENT_S_DN']. Symfony extracts the user identifier from that string. The extraction uses an unanchored regex that matches emailAddress= anywhere in the DN string: including inside the value of a different RDN (Relative Distinguished Name: one key=value component of the …

Withdrawn Advisory This advisory has been withdrawn because the report is not part of a valid vulnerability. This link is maintained to preserve external references. For more information, see advisory-database/pull/5046. Original Description In Symfony, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request is empty. This flaw could lead to various security risks, …

When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass.

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, SessionStrategyListener does not migrate the session after every successful login. It does so only in case the logged in user changes by means of checking the user identifier. In some use cases, the user identifier does not change between the …

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in WebhookController returns unescaped user-submitted input. As of version 6.3.8, WebhookController now does not return any user-submitted input in its response.

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use is_safe=html but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters.

Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a …

Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the trusted_headers allowed list are ignored and protect users from Cache poisoning attacks. In Symfony, maintainers added support for the X-Forwarded-Prefix headers, but this header was accessible in SubRequest, even if it was not part of the trusted_headers allowed list. An …

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with When an application defines multiple firewalls, the token authenticated by one of the firewalls was available for all other firewalls. This could be abused when the application defines different providers for each part of the application, in such a situation, a user …

Description The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user. Resolution We now ensure that 403s are returned whether the user exists or not if the password is invalid or …

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that error codes are returned whether the user exists or not if a user cannot switch to a user or …

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …

In symfony/security-http, when a Firewall checks access control rule, it iterates overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in a unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute.

The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality.

In Symfony, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled.

By using backslashes in the _failure_path input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.

A session fixation vulnerability within the Guard login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.

DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler take the content of the _target_path parameter and generate a redirect response but no check is performed on the path, which could be an absolute URL to an external domain, opening redirect vulnerability. Open redirect vulnerability are not too much considered but they can be exploited for example to mount effective phishing attacks.

By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.

When an authentication form is submitted by the user and if the user does not exist, the submitted username is stored in the session. If an attacker submit multiple requests with large usernames, he can potentially fill up the session storage.

Session fixation vulnerability in the Remember Me login feature in Symfony allows remote attackers to hijack web sessions via a session id.

Symfony allows remote attackers to have unspecified impact via a timing attack.