Symfony 'regenerate()' Method Session Fixation Vulnerability
BID:53776
Info
Symfony 'regenerate()' Method Session Fixation Vulnerability
| Bugtraq ID: | 53776 |
| Class: | Design Error |
| CVE: |
CVE-2011-4964 CVE-2012-2667 |
| Remote: | Yes |
| Local: | No |
| Published: | May 30 2012 12:00AM |
| Updated: | Mar 19 2015 07:35AM |
| Credit: | Dmitri Groutso |
| Vulnerable: |
SensioLabs Symfony 1.4.17 |
| Not Vulnerable: |
SensioLabs Symfony 1.4.18 |
Discussion
Symfony 'regenerate()' Method Session Fixation Vulnerability
Symfony is prone to a session-fixation vulnerability.
An attacker can exploit this issue to hijack an arbitrary session and gain unauthorized access to the affected application.
Versions prior to Symfony 1.4.18 are vulnerable.
Symfony is prone to a session-fixation vulnerability.
An attacker can exploit this issue to hijack an arbitrary session and gain unauthorized access to the affected application.
Versions prior to Symfony 1.4.18 are vulnerable.
Exploit / POC
Symfony 'regenerate()' Method Session Fixation Vulnerability
To exploit this issue, an attacker entices an unsuspecting user into following a malicious URI.
To exploit this issue, an attacker entices an unsuspecting user into following a malicious URI.
Solution / Fix
Symfony 'regenerate()' Method Session Fixation Vulnerability
Solution:
Updates are available. Please see the references for more information.
Solution:
Updates are available. Please see the references for more information.
References
Symfony 'regenerate()' Method Session Fixation Vulnerability
References:
References:
- PATCH (SensioLabs)
- RELEASE 1.4.18 CHANGELOG (SensioLabs)
- Security Release: symfony 1.4.18 released (SensioLabs)
- Symfony (SensioLabs)