Date: Mon, 04 Jun 2012 10:26:25 +0200 From: Jan Lieskovsky <jlieskov@...hat.com> To: "Steven M. Christey" <coley@...us.mitre.org> CC: oss-security@...ts.openwall.com Subject: CVE Request -- Symfony / php-symfony-symfony: Session fixation flaw corrected in upstream 1.4.18 version Hello Kurt, Steve, vendors, a session fixation flaw was found in the way Symfony, an open-source PHP web applications development framework, performed removal of user credential, adding several user credentials at once and 'user authenticated' settings change by regenerating session ID. A remote attacker could provide a specially-crafted URL, that when visited by a valid Symfony application user (victim) could lead to unauthorized access to the victim's user account. References:  https://bugs.gentoo.org/show_bug.cgi?id=418427  http://symfony.com/blog/security-release-symfony-1-4-18-released  http://trac.symfony-project.org/browser/tags/RELEASE_1_4_18/CHANGELOG Upstream patch:  http://trac.symfony-project.org/changeset/33466?format=diff&new=33466 Could you allocate a CVE id for this? (afaics there hasn't been requested one for this issue yet during last month / from the start of June 2012) Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ