Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 04 Jun 2012 10:26:25 +0200
From: Jan Lieskovsky <>
To: "Steven M. Christey" <>
Subject: CVE Request -- Symfony / php-symfony-symfony: Session fixation flaw
 corrected in upstream 1.4.18 version

Hello Kurt, Steve, vendors,

   a session fixation flaw was found in the way Symfony, an open-source PHP web applications 
development framework, performed removal of user credential, adding several user credentials at once 
and 'user authenticated' settings change by regenerating session ID. A remote attacker could provide 
a specially-crafted URL, that when visited by a valid Symfony application user (victim) could lead 
to unauthorized access to the victim's user account.


Upstream patch:

Could you allocate a CVE id for this? (afaics there hasn't been
requested one for this issue yet during last month / from the start
of June 2012)

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ