Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 04 Jun 2012 10:26:25 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security@...ts.openwall.com
Subject: CVE Request -- Symfony / php-symfony-symfony: Session fixation flaw
 corrected in upstream 1.4.18 version

Hello Kurt, Steve, vendors,

   a session fixation flaw was found in the way Symfony, an open-source PHP web applications 
development framework, performed removal of user credential, adding several user credentials at once 
and 'user authenticated' settings change by regenerating session ID. A remote attacker could provide 
a specially-crafted URL, that when visited by a valid Symfony application user (victim) could lead 
to unauthorized access to the victim's user account.

References:
[1] https://bugs.gentoo.org/show_bug.cgi?id=418427
[2] http://symfony.com/blog/security-release-symfony-1-4-18-released
[3] http://trac.symfony-project.org/browser/tags/RELEASE_1_4_18/CHANGELOG

Upstream patch:
[4] http://trac.symfony-project.org/changeset/33466?format=diff&new=33466

Could you allocate a CVE id for this? (afaics there hasn't been
requested one for this issue yet during last month / from the start
of June 2012)

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.