oss-sec mailing list archives
CVE Request -- Symfony / php-symfony-symfony: Session fixation flaw corrected in upstream 1.4.18 version
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 04 Jun 2012 10:26:25 +0200
Hello Kurt, Steve, vendors,a session fixation flaw was found in the way Symfony, an open-source PHP web applications development framework, performed removal of user credential, adding several user credentials at once and 'user authenticated' settings change by regenerating session ID. A remote attacker could provide a specially-crafted URL, that when visited by a valid Symfony application user (victim) could lead to unauthorized access to the victim's user account.
References: [1] https://bugs.gentoo.org/show_bug.cgi?id=418427 [2] http://symfony.com/blog/security-release-symfony-1-4-18-released [3] http://trac.symfony-project.org/browser/tags/RELEASE_1_4_18/CHANGELOG Upstream patch: [4] http://trac.symfony-project.org/changeset/33466?format=diff&new=33466 Could you allocate a CVE id for this? (afaics there hasn't been requested one for this issue yet during last month / from the start of June 2012) Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Current thread:
- CVE Request -- Symfony / php-symfony-symfony: Session fixation flaw corrected in upstream 1.4.18 version Jan Lieskovsky (Jun 04)