lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 8 Jun 2018 16:34:51 GMT
From: ch.sangsakul@...il.com
To: bugtraq@...urityfocus.com
Subject: SensioLabs Symfony version 3.3.6 - Cross-Site Scripting (Reflect)

SensioLabs Symfony version 3.3.6 - Cross-Site Scripting (Reflect)

# Exploit Title: SensioLabs Symfony version 3.3.6 - Cross-Site Scripting (Reflect)
# Date: 08-06-2018
# Software Link: https://symfony.com/
# Exploit Author: HaMM0nz (Chakrit S.), a member of KPMG Cyber Security team in Thailand
# CVE: CVE-2018-12040
# Category: webapps

1. Description

Symfony is a set of PHP Components, a Web Application framework, a Philosophy, and a Community  all working together in harmony. (Copied from homepage.)

2. Proof of Concept

1. Navigate to http://www.example.com/_profiler/ , by default the credential is not required to access this component.
2. Insert any non-existence path in the website for example, a random path is "http://www.example.com/qwertyuio".
3. In the Symfony profiler navigate to the row with HTTP response code "404" and click to the "Token" link in page.
4. Go to Exception pane and follow the any link in the page e.g. "vendor/symfony/symfony/src/Symfony/Component/HttpKernel/EventListener/RouterListener.php"
5. Inject <script>alert("XSS")</script> into "file" parameter , the PoC exploit will be "http://www.example.com/_profiler/open?file=<script>alert("XSS")</script>".

3. Timeline

3.1 Discovery and report - 5 June 2018.
3.2 CVE ID was assigned - 8 June 2018.
3.3 Public - 8 June 2018.

4. Solution

Upgrade the Symfony to the version 4.1 or higher.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ