Improper authorization control for web services in symfony/security
Description
Symfony Allows URI Restrictions Bypass Via Double-Encoded String

In Symfony 2.0.x there is a security issue that allows access to routes protected by a firewall even when the user is not logged in.
Both the Routing component and the Security component use the path returned by Request::getPathInfo() to match a request. getPathInfo() returns an already-decoded path, but the Routing component (Symfony\Component\Routing\Matcher\UrlMatcher) decodes that path a second time, whereas the Security component's matcher (Symfony\Component\HttpFoundation\RequestMatcher) does not.
This difference makes Symfony 2.0 vulnerable to double-encoding attacks: a path whose characters are percent-encoded twice (for example /%2561dmin, which decodes first to /%61dmin and then to /admin) does not match the firewall's access-control pattern for /admin, yet is routed to the /admin route, so the access rule is never applied.
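The mismatch described above, as an added example that is not part of the advisory or of Symfony's own code. It models the two matchers in Python rather than using the real PHP classes: `get_path_info_2_0` stands in for the decoding done by `Request::getPathInfo()`, `security_request_matcher` for the Security `RequestMatcher` (no decoding of its own) and `routing_url_matcher_2_0` for the 2.0.x `UrlMatcher` (a second decode). The route table, the firewall pattern `^/admin` and the probe path `/%2561dmin` are constructed for the illustration; the hardened variant shows the general principle of decoding the raw path exactly once for both components, not the literal 2.0.19 patch.

```python
import re
from typing import Optional
from urllib.parse import unquote  # decodes %XX only, like PHP rawurldecode()

# Constructed sample data (not from the advisory): one protected route, one public route,
# and one access_control rule that requires authentication for everything under /admin.
ROUTES = {
    "admin_dashboard": r"/admin",
    "homepage": r"/",
}
FIREWALL_PATTERN = r"^/admin"


def get_path_info_2_0(request_uri: str) -> str:
    """Models Symfony 2.0.x Request::getPathInfo(): the path is handed out already decoded."""
    return unquote(request_uri)


def security_request_matcher(path: str, pattern: str) -> bool:
    """Models the Security RequestMatcher: regex match on the path as given, no decoding."""
    return re.search(pattern, path) is not None


def routing_url_matcher_2_0(path: str) -> Optional[str]:
    """Models the 2.0.x Routing UrlMatcher: decodes the already-decoded path a second time."""
    path = unquote(path)
    for name, pattern in ROUTES.items():
        if re.fullmatch(pattern, path):
            return name
    return None


def dispatch_vulnerable(request_uri: str, authenticated: bool) -> str:
    """2.0.x behaviour: firewall sees a once-decoded path, router a twice-decoded one."""
    path = get_path_info_2_0(request_uri)
    if security_request_matcher(path, FIREWALL_PATTERN) and not authenticated:
        return "401 firewall"
    return routing_url_matcher_2_0(path) or "404"


def dispatch_hardened(request_uri: str, authenticated: bool) -> str:
    """Consistent behaviour: decode the raw path once and let both components see that string."""
    path = unquote(request_uri)
    if security_request_matcher(path, FIREWALL_PATTERN) and not authenticated:
        return "401 firewall"
    for name, pattern in ROUTES.items():
        if re.fullmatch(pattern, path):
            return name
    return "404"


if __name__ == "__main__":
    for uri in ("/admin", "/%61dmin", "/%2561dmin"):
        print(f"{uri:<12} vulnerable={dispatch_vulnerable(uri, False):<16} "
              f"hardened={dispatch_hardened(uri, False)}")
```

Running it shows the bypass on the third line: `/%2561dmin` reaches `admin_dashboard` unauthenticated in the vulnerable dispatcher, while the hardened dispatcher returns a 404 for it (the once-decoded `/%61dmin` matches neither the firewall nor a route) and a 401 for the singly-encoded `/%61dmin`, which is the consistent outcome.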
Mitigation
Upgrade the affected package to 2.0.19 or later, so that the Security and Routing components apply the same decoding to the request path before matching it.
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected versions | Patched versions |
|---|---|---|---|
| packagist | symfony/security | 2.0.x, < 2.0.19 | 2.0.19 |