#VU14165 Support for legacy HTTP methods in Symfony
Vulnerability identifier: #VU14165
Vulnerability risk: Low
CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-749
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Symfony
Web applications /
CMS
Vendor: SensioLabs
Description
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to Symfony HttpFoundation component includes support for legacy Microsoft IIS headers X-Original-URL and X-Rewrite-URL. A remote attacker can send a specially crafted HTTP request to the vulnerable application requesting one URL but have Symphony return a different one. An attacker can abuse X-Original-URL and X-Rewrite-URL headers to access otherwise restricted functionality and bypass restrictions on higher level caches and web servers.
Mitigation
The vulnerability is fixed in Symfony 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3.
Vulnerable software versions
Symfony: 2.7.0 - 4.1.2
External links
http://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
