Advisory: Symfony PHP Framework: Session Fixation In "Remember Me" Login Functionality

A session fixation vulnerability within the Symfony web application framework's "Remember Me" login functionality allows an attacker to impersonate the victim towards the web application if the session ID value was previously known to the attacker.

Details
=======

Product: Symfony
Affected Versions: 2.3.0 - 2.3.34, 2.6.0 - 2.6.11, 2.7.0 - 2.7.6
Fixed Versions: 2.3.35, 2.6.12 and 2.7.7 [2]
Vulnerability Type: Session Fixation
Security Risk: low
Vendor URL: https://symfony.com/
Vendor Status: fixed version released [2]
Advisory URL: http://ift.tt/1Zn7WJi
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: http://ift.tt/1jQGmEN

Introduction
============

"Symfony is a set of PHP Components, a Web Application framework, a Philosophy, and a Community — all working together in harmony." (from Symfony's homepage)

More Details
============

The following details are explained using the official Symfony Demo application [0]. The "Remember Me" login functionality was activated according to [1]. The security configuration file was modified as follows:

-- app/config/security.yml
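The precondition stated above (the attacker already knows the session ID that the victim's browser carries) is only exploitable when authentication does not move the user to a fresh session ID. The following Python model is an added illustration and is not Symfony's code or the Symfony Demo application: an in-memory session store, a password login that always migrates the session, and a remember-me cookie path that migrates only when `migrate_on_remember_me` is set. The remember-me cookie format (user plus HMAC), the user "alice", the secret key and all function names are constructed for this example; the page does not describe Symfony's patch, so the hardened variant applies the general countermeasure (migrate the session on every authentication, including one performed from a remember-me cookie) as an assumption rather than as a description of the fix.

```python
"""Session-fixation model for "remember me" logins (constructed example)."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SECRET = b"constructed-demo-secret"  # assumption: server-side key for the cookie MAC


def _mac(user: str) -> str:
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()


def issue_remember_me_cookie(user: str) -> str:
    """Constructed remember-me token: "<user>:<hmac>". Real implementations
    also carry an expiry and a series/token pair; omitted for brevity."""
    return f"{user}:{_mac(user)}"


def _verify_remember_me_cookie(cookie: str) -> Optional[str]:
    user, _, tag = cookie.partition(":")
    if user and hmac.compare_digest(tag, _mac(user)):
        return user
    return None


class App:
    def __init__(self, migrate_on_remember_me: bool):
        self.migrate_on_remember_me = migrate_on_remember_me
        self.sessions = {}                            # session id -> attributes
        self.passwords = {"alice": "correct horse"}   # constructed user

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def _migrate(self, old_sid: str) -> str:
        """Copy attributes to a fresh id and invalidate the old one."""
        data = self.sessions.pop(old_sid, {})
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = data
        return new_sid

    def whoami(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid, {}).get("user")

    def login(self, sid: str, user: str, password: str) -> str:
        """Form login: authenticate, then always migrate the session.
        Returns the session id the client must use from now on."""
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        self.sessions.setdefault(sid, {})["user"] = user
        return self._migrate(sid)

    def request(self, sid: str, remember_me: Optional[str]) -> str:
        """Handle one request. An anonymous session with a valid remember-me
        cookie is authenticated from the cookie. Returns the session id the
        client should use afterwards."""
        self.sessions.setdefault(sid, {})
        if self.whoami(sid) is None and remember_me:
            user = _verify_remember_me_cookie(remember_me)
            if user:
                self.sessions[sid]["user"] = user
                if self.migrate_on_remember_me:   # hardened variant only
                    sid = self._migrate(sid)
        return sid


def fixation_attack(migrate_on_remember_me: bool) -> Tuple[bool, bool]:
    """Return (attacker impersonates victim, victim is still logged in)."""
    app = App(migrate_on_remember_me)

    # Victim logs in once with "remember me" and receives a persistent cookie.
    sid = app.new_session()
    sid = app.login(sid, "alice", "correct horse")
    remember_me = issue_remember_me_cookie("alice")

    # Later the server-side session is gone (expired, browser restarted),
    # but the remember-me cookie survives.
    del app.sessions[sid]

    # The advisory's precondition: the victim's browser now carries a session
    # id the attacker already knows. How it got there is out of scope here.
    fixated = app.new_session()

    # Victim's next visit: the remember-me cookie authenticates the session.
    victim_sid = app.request(fixated, remember_me)

    # Attacker presents the id they know.
    attacker_is_alice = app.whoami(fixated) == "alice"
    victim_is_alice = app.whoami(victim_sid) == "alice"
    return attacker_is_alice, victim_is_alice
```

Without migration the remember-me login authenticates the attacker-known session in place, so the attacker is logged in as the victim; with migration the victim is moved to a new, unknown ID and the known one is invalidated, while the victim's own login still works.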