oss-security - CVE Request -- Symfony / php-symfony-symfony: Session fixation flaw corrected in upstream 1.4.18 version

Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Date: Mon, 04 Jun 2012 10:26:25 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security@...ts.openwall.com
Subject: CVE Request -- Symfony / php-symfony-symfony: Session fixation flaw
 corrected in upstream 1.4.18 version

Hello Kurt, Steve, vendors,

   a session fixation flaw was found in the way Symfony, an open-source PHP web applications 
development framework, performed removal of user credential, adding several user credentials at once 
and 'user authenticated' settings change by regenerating session ID. A remote attacker could provide 
a specially-crafted URL, that when visited by a valid Symfony application user (victim) could lead 
to unauthorized access to the victim's user account.

References:
[1] https://bugs.gentoo.org/show_bug.cgi?id=418427
[2] http://symfony.com/blog/security-release-symfony-1-4-18-released
[3] http://trac.symfony-project.org/browser/tags/RELEASE_1_4_18/CHANGELOG

Upstream patch:
[4] http://trac.symfony-project.org/changeset/33466?format=diff&new=33466

Could you allocate a CVE id for this? (afaics there hasn't been
requested one for this issue yet during last month / from the start
of June 2012)

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.