CVE-2015-4050
Published 2015-06-02
Priority P336 · medium 4.3 (CVSS 2.0) · vector AV:N/AC:M/Au:N/C:N/I:P/A:N
Exploit: available (see the Nuclei entry)
EPSS: 8.27% (94.2th percentile)
FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment.
Affected (40 ranges on the source page, 25 shown; only the Debian row carries version data)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | symfony | < symfony 2.7.0~beta2+dfsg-2 (bookworm) | symfony 2.7.0~beta2+dfsg-2 (bookworm) |
| sensiolabs | symfony | 24 entries listed without version data; the affected ranges are those in the description above | — |
Detection & IOCs (extracted from sources)
- Look for GET requests to /_fragment with no hash or an invalid/missing hash parameter, especially with `_path=_controller=` in the query string.
- The Nuclei template matches a response body containing 'PHP Credits' with HTTP 200 from the exploit path, indicating successful controller invocation via the bypass.
- Victims return an HTTP 403 response body with content generated by the controller; a 403 with a non-empty body from /_fragment is a sign of exploitation.
- Shodan query to identify exposed Symfony instances: cpe:"cpe:2.3:a:sensiolabs:symfony"
- The vulnerability is only exploitable when ESI or SSI support is enabled in Symfony's HttpKernel component; installations without ESI/SSI are not affected.
- The bypass works because FragmentListener skips signing checks for sub-requests; the ExceptionListener re-triggers kernel events via a sub-request after the initial 403, allowing the controller to execute.
- Affected versions: Symfony 2.3.19–2.3.28, 2.4.9–2.4.10, 2.5.4–2.5.11, 2.6.0–2.6.7; fixed in 2.3.29, 2.5.12, and 2.6.8.
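The detection heuristics above can be run directly over web-server access logs. The script below is an added example written for this page; it is not code from the CVE sources, from Symfony, or from the Nuclei template. It parses combined-format log lines, unpacks the nested `_path` query string that Symfony fragments carry, and raises the three signals the list describes: a /_fragment request with no signature parameter, such a request naming a `_controller`, and a 403 whose body is non-empty. It assumes Symfony's signature parameter is named `_hash`; the log lines are constructed for the example and are not real traffic. Hash validity cannot be judged from logs alone, so a rejected-but-empty 403 is deliberately not flagged.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache/nginx combined format.
# These are fabricated for this example and are not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Jun/2015:10:00:01 +0000] "GET /_fragment?_path=_controller%3DAppBundle%3ADefault%3Aindex HTTP/1.1" 403 512 "-" "curl/7.38.0"
203.0.113.10 - - [02/Jun/2015:10:00:02 +0000] "GET /_fragment?_path=_controller%3DFoo&_hash=bogus HTTP/1.1" 403 0 "-" "curl/7.38.0"
198.51.100.7 - - [02/Jun/2015:10:00:03 +0000] "GET /_fragment?_path=_format%3Dhtml%26_controller%3DAppBundle%3ASide%3Abar&_hash=Gj5Rd9M%2F8k%3D HTTP/1.1" 200 1842 "-" "Varnish"
198.51.100.7 - - [02/Jun/2015:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 3020 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Jun/2015:10:00:05 +0000] "GET /_fragment?_path=_controller%3DAppBundle%3AAdmin%3Adump HTTP/1.1" 200 220 "-" "curl/7.38.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

FRAGMENT_PATH = "/_fragment"  # Symfony's fragment endpoint, as named in the advisory
HASH_PARAM = "_hash"          # assumed name of Symfony's URL-signature query parameter


def parse_line(line):
    """Parse one combined-format log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query, keep_blank_values=True)
    # Symfony packs the sub-request attributes as a nested query string in _path.
    inner = parse_qs(query.get("_path", [""])[0], keep_blank_values=True)
    size = m.group("size")
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        "query": query,
        "inner": inner,
        "status": int(m.group("status")),
        "size": 0 if size == "-" else int(size),
    }


def flags_for(rec):
    """Apply the detection heuristics from the IOC list to one parsed request."""
    if rec is None or rec["path"] != FRAGMENT_PATH:
        return []
    flags = []
    if HASH_PARAM not in rec["query"]:
        flags.append("missing_hash")
        if "_controller" in rec["inner"]:
            flags.append("unsigned_controller")
    # A 403 with a non-empty body means the controller ran despite the denial.
    if rec["status"] == 403 and rec["size"] > 0:
        flags.append("forbidden_with_body")
    return flags


def scan(log_text):
    """Return (ip, timestamp, flags) for every line that raised at least one flag."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        flags = flags_for(rec)
        if flags:
            hits.append((rec["ip"], rec["ts"], flags))
    return hits


if __name__ == "__main__":
    for ip, ts, flags in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {', '.join(flags)}")
```

Only the first and last sample lines are reported: the first is an unsigned request that still produced a 403 with a body, the last an unsigned request that was served outright. The Varnish-originated line is a normally signed ESI sub-request and the empty 403 is a correctly rejected bad signature, so neither is flagged.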
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
GHSA: Symfony Incorrect Access Control (CWE-284, MEDIUM; ghsa · 2022-05-17)
FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the `_controller` attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to `/_fragment`.
This issue has been fixed in Symfony 2.3.29, 2.5.12, and 2.6.8. Note that no fixes are provided for Symfony 2.4 as it's not maintained anymore.
OSV: Symfony Incorrect Access Control (MEDIUM; osv · 2022-05-17)
Carries the same advisory text and fix note (fixed in Symfony 2.3.29, 2.5.12, and 2.6.8; no fix for the unmaintained 2.4 branch) as the GHSA entry above.
OSV: CVE-2015-4050 (MEDIUM; osv · 2015-06-02 · CVSS 4.3)
Carries the NVD description quoted at the top of this page.
Debian: CVE-2015-4050 symfony (MEDIUM; vendor_debian · 2015 · CVSS 4.3)
Carries the NVD description quoted at the top of this page. Scope: local.
- bookworm: resolved (fixed in 2.7.0~beta2+dfsg-2)
- bullseye: resolved (fixed in 2.7.0~beta2+dfsg-2)
- forky: resolved (fixed in 2.7.0~beta2+dfsg-2)
- sid: resolved (fixed in 2.7.0~beta2+dfsg-2)
- trixie: resolved (fixed in 2.7.0~beta2+dfsg-2)
No detection rules found.
Nuclei: Symfony - Authentication Bypass (MEDIUM; CVSS 4.3)
Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment in the HttpKernel component.
Template (truncated on the source page; only the info block is shown):
```yaml
id: CVE-2015-4050
info:
  name: Symfony - Authentication Bypass
  author: ELSFA7110,meme-lord
  severity: medium
  description: Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) n
```
Bugzilla: CVE-2015-4050 php-symfony: ESI unauthorized access [epel-6] (MEDIUM; bugzilla · 2015-06-02 · CVSS 4.3)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-6 tracking bug for php-symfony: see blocks bug list for full det
Bugzilla: CVE-2015-4050 php-symfony: ESI unauthorized access [epel-7] (MEDIUM; bugzilla · 2015-06-02 · CVSS 4.3)
Same automatically created Fedora EPEL tracking-bug text as the epel-6 entry above.
epel-7 tracking bug for php-symfony: see blocks bug list for full det
Bugzilla: CVE-2015-4050 php-symfony: ESI unauthorized access (MEDIUM; bugzilla · 2015-06-02 · CVSS 4.3)
The following flaw was found in Symfony, a PHP framework for web projects:
Applications with ESI or SSI support enabled, that use the FragmentListener, are vulnerable to unauthorized access. A malicious user can call any controller via the /_fragment path by providing an invalid hash in the URL (or removing it), bypassing URL signing and security rules.
FragmentListener throws an AccessDeniedHttpException in case URL is not signed correctly. However, the ExceptionListener triggers kernel events again by making a sub-request. Since the FragmentListener does no signing for sub-requests, the controller is called even though the original request was forbidden. As a result the user receives a 403 response with content generated by the contro
Bugzilla: CVE-2015-4050 php-symfony: ESI unauthorized access [fedora-all] (MEDIUM; bugzilla · 2015-06-02 · CVSS 4.3)
Same automatically created tracking-bug text as the epel-6 entry above, filed against Fedora rather than Fedora EPEL.
NOTE: this issue affects multiple supported versions of Fedora. While
GreyNoise: NoiseLetter September 2024 (blogs_greynoiseio)
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159513.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159603.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159610.html
- http://symfony.com/blog/cve-2015-4050-esi-unauthorized-access
- http://www.debian.org/security/2015/dsa-3276
- http://www.securityfocus.com/bid/74928