oss-sec mailing list archives

Re: CVE Request -- Symfony / php-symfony-symfony: Session fixation flaw corrected in upstream 1.4.18 version

From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 04 Jun 2012 12:39:54 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/04/2012 02:26 AM, Jan Lieskovsky wrote:

Hello Kurt, Steve, vendors,

a session fixation flaw was found in the way Symfony, an
open-source PHP web applications development framework, performed
removal of user credential, adding several user credentials at once
and 'user authenticated' settings change by regenerating session
ID. A remote attacker could provide a specially-crafted URL, that
when visited by a valid Symfony application user (victim) could
lead to unauthorized access to the victim's user account.

References: [1] https://bugs.gentoo.org/show_bug.cgi?id=418427 [2]
http://symfony.com/blog/security-release-symfony-1-4-18-released 
[3]
http://trac.symfony-project.org/browser/tags/RELEASE_1_4_18/CHANGELOG

 Upstream patch: [4]
http://trac.symfony-project.org/changeset/33466?format=diff&new=33466

 Could you allocate a CVE id for this? (afaics there hasn't been 
requested one for this issue yet during last month / from the
start of June 2012)

Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
Security Response Team


Please use CVE-2011-4964 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPzQD5AAoJEBYNRVNeJnmTWZgQALS5dSSyarymYhvp3hjNzRDs
MKHFTnn17Ae3R2nfBAkK19fQdY3ZxkfeHxeHr5a5bPSlL0u+4E4oBtjC2/11cVnz
I+tdwI3HNJvwAMk54ip73GbLmDmJfil/EFD7hdomuqLMK46lOudekLf2B64BmMd2
r+fVIRz/Xuwht2PNiEQnal9TndCrcvTAmXJVLQw0LIP6LuGrQ8HVEKE9ZyuHAFNC
8kKOR+bUAPi1Ffnf+ltEW4UO6NgyE2UOnqkm4h8IzcjaYk9l2MO3G98KWfdg3KUa
nJ3IpNiw7Rd54jXWYBy9MTavPEXt/la5sUnMQoN7sh4uJBxQ4eD5kO28p0cOjpIG
HqF/Yk+6lMw46Ud+dEL3EO56cUyrm27A+bakcSZEVgTEGbRy1xpFFBig/W/jqNsp
WFBWtFZZi6tFikMSy1SoTdWM+4zq9Oiaw51kDmi1Uu/NWDvi7Tz0iJot2g4UUK4H
F0V/kSJDUcmKfAuX27jn1pPTLkqYK+Bc5YEja9mWW4AlR+fnHi69zW88wIkIpwRw
4Wi6DdMcvnPvB+SqgW/WX2PKFRNp5T0M65V8W4IIuNP/M1bYE1CFjkeKqEXhxqBu
UzpSc+/Ndm94TpAqjcQ28STN+M2GQn1ix6rWFYI3nO6rrkFaDaTYb+Q1WVB9BfeD
/Bf/R3FxxrNeqgl10qMK
=H1xk
-----END PGP SIGNATURE-----

Current thread:

CVE Request -- Symfony / php-symfony-symfony: Session fixation flaw corrected in upstream 1.4.18 version Jan Lieskovsky (Jun 04)
- Re: CVE Request -- Symfony / php-symfony-symfony: Session fixation flaw corrected in upstream 1.4.18 version Kurt Seifried (Jun 04)
  - Re: CVE Request -- Symfony / php-symfony-symfony: Session fixation flaw corrected in upstream 1.4.18 version Kurt Seifried (Jun 04)