It's not a vulnerability. You need to call the trustProxy() method only when you have a trusted reverse proxy in front of your website (like Varnish for instance).

Fabien

--
Fabien Potencier
Sensio CEO - Symfony lead developer
sensiolabs.com | symfony.com | fabien.potencier.org
Tél: +33 1 40 99 80 80

On 11/13/12 3:29 PM, Sam Mateosian wrote:
Take a look at this blog post:

http://blog.ircmaxell.com/2012/11/anatomy-of-attack-how-i-hacked.html

Quoting the author (near the end):

"Check out Symfony2's Request class
<https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpFoundation/Request.php#L589>.
On the surface it looks great. Until you notice that it uses a static
variable to determine if it should use the proxy information. That means
that if ANY part of your application wants proxy information (such as a
logging class), all of your application after that will get the proxied
information. So to see if you're vulnerable to this style attack, grep
your code for /$request->trustProxy()/. Also note that there's no
in-built mechanism to untrust the proxy. Once it switches to true, it
will stay true. Sounds like a major design flaw to me..."

Anyone want to take a look?

--
If you want to report a vulnerability issue on symfony, please send it
to security at symfony-project.com

You received this message because you are subscribed to the Google
Groups "symfony developers" group.
To post to this group, send email to symfony-devs@googlegroups.com
To unsubscribe from this group, send email to
symfony-devs+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en

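The two messages above describe the same mechanism from opposite sides: a process-wide static flag that, once set by any component, makes every subsequent Request honour client-supplied proxy headers, versus trusting those headers only when a known reverse proxy is actually the direct peer. The PHP below is an added illustration written for this page, not Symfony's Request class and not code from either author; NaiveRequest, ProxyAwareRequest, the trusted-proxy list and the sample addresses are all constructed for the demonstration.

```php
<?php
// Illustrative reimplementation of the pattern discussed in the thread.
// Not Symfony's own Request class: both classes below are hypothetical.

// --- Pattern 1: a static trust flag, as the quoted blog post describes ---
final class NaiveRequest
{
    // Process-wide and never reset once set, so one caller affects all others.
    private static bool $trustProxy = false;

    public function __construct(private array $server) {}

    public static function trustProxy(): void
    {
        self::$trustProxy = true;
    }

    public function getClientIp(): string
    {
        if (self::$trustProxy && isset($this->server['HTTP_X_FORWARDED_FOR'])) {
            // X-Forwarded-For is attacker-writable when no proxy sits in front;
            // taking its first entry blindly is what makes spoofing possible.
            $hops = array_map('trim', explode(',', $this->server['HTTP_X_FORWARDED_FOR']));
            return $hops[0];
        }
        return $this->server['REMOTE_ADDR'];
    }
}

// --- Pattern 2: trust bound to the peer address (hypothetical API) ---
final class ProxyAwareRequest
{
    /** @param string[] $trustedProxies REMOTE_ADDR values of proxies we operate */
    public function __construct(private array $server, private array $trustedProxies = []) {}

    public function getClientIp(): string
    {
        $peer = $this->server['REMOTE_ADDR'];

        // If the TCP peer is not one of our proxies, the forwarded headers
        // came straight from the client and must be ignored entirely.
        if (!in_array($peer, $this->trustedProxies, true)
            || !isset($this->server['HTTP_X_FORWARDED_FOR'])) {
            return $peer;
        }

        // Walk the chain right-to-left, skipping our own proxies; the first
        // address we do not operate is the client as seen by the outermost proxy.
        $hops = array_reverse(array_map('trim', explode(',', $this->server['HTTP_X_FORWARDED_FOR'])));
        foreach ($hops as $hop) {
            if (!in_array($hop, $this->trustedProxies, true)) {
                return $hop;
            }
        }
        return $peer;
    }
}

// Constructed sample: a client connecting directly (no proxy in front)
// who sets X-Forwarded-For itself to impersonate localhost.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
];

// Constructed sample: the same client, but arriving through a reverse proxy
// whose own address is 10.0.0.2.
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7',
];

// Pattern 1 before any trustProxy() call: the spoofed header is ignored.
$r1 = new NaiveRequest($direct);
echo "naive, flag unset : ", $r1->getClientIp(), PHP_EOL;

// Some unrelated component (a logger, say) flips the static flag ...
NaiveRequest::trustProxy();

// ... and every Request created afterwards in this process now reports
// the attacker-chosen address for the very same direct connection.
$r2 = new NaiveRequest($direct);
echo "naive, flag set   : ", $r2->getClientIp(), PHP_EOL;

// Pattern 2: the same two requests, with 10.0.0.2 declared as our proxy.
// The direct connection yields the real peer; the proxied one yields the
// address the proxy recorded, and the header cannot be forged from outside.
$p1 = new ProxyAwareRequest($direct, ['10.0.0.2']);
echo "aware, direct     : ", $p1->getClientIp(), PHP_EOL;
$p2 = new ProxyAwareRequest($proxied, ['10.0.0.2']);
echo "aware, via proxy  : ", $p2->getClientIp(), PHP_EOL;
```

Run it with `php example.php` (PHP 8.0 or later, for constructor property promotion). The design point is the one Fabien's reply makes: whether forwarded headers may be believed is a property of the network path, so it should be keyed on which peer actually delivered the request rather than on a global switch that any part of the application can flip and nothing can flip back.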
