oss-sec mailing list archives

CVE Request -- Symfony (php-symfony-symfony) < 1.4.20: Ability to read arbitrary files on the server, readable with the web server privileges


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 26 Nov 2012 10:06:26 -0500 (EST)

Hello Kurt, Steve, vendors,

  Symfony upstream has released version 1.4.20:
  [1] http://symfony.com/blog/security-release-symfony-1-4-20-released

correcting one security flaw:
"An information disclosure flaw was found in the way Symfony,
an open-source PHP web framework, sanitized certain HTTP POST
request values. A remote attacker could use this flaw to obtain
(unauthorized) read access to arbitrary system files, readable
with the privileges of the web server process."

References:
[2] https://bugs.gentoo.org/show_bug.cgi?id=444696
[3] https://bugzilla.redhat.com/show_bug.cgi?id=880240

Relevant upstream patch:
[4] http://trac.symfony-project.org/changeset/33598

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team