| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <201806081634.w58GYpnI013395@ip-100-122-159-248.us-east-1.ec2.aws.symcpe.net>
Date: Fri, 8 Jun 2018 16:34:51 GMT
From: ch.sangsakul@...il.com
To: bugtraq@...urityfocus.com
Subject: SensioLabs Symfony version 3.3.6 - Cross-Site Scripting (Reflect)
SensioLabs Symfony version 3.3.6 - Cross-Site Scripting (Reflect)
# Exploit Title: SensioLabs Symfony version 3.3.6 - Cross-Site Scripting (Reflect)
# Date: 08-06-2018
# Software Link: https://symfony.com/
# Exploit Author: HaMM0nz (Chakrit S.), a member of KPMG Cyber Security team in Thailand
# CVE: CVE-2018-12040
# Category: webapps
1. Description
Symfony is a set of PHP Components, a Web Application framework, a Philosophy, and a Community — all working together in harmony. (Copied from homepage.)
2. Proof of Concept
1. Navigate to http://www.example.com/_profiler/ , by default the credential is not required to access this component.
2. Insert any non-existence path in the website for example, a random path is "http://www.example.com/qwertyuio".
3. In the Symfony profiler navigate to the row with HTTP response code "404" and click to the "Token" link in page.
4. Go to Exception pane and follow the any link in the page e.g. "vendor/symfony/symfony/src/Symfony/Component/HttpKernel/EventListener/RouterListener.php"
5. Inject <script>alert("XSS")</script> into "file" parameter , the PoC exploit will be "http://www.example.com/_profiler/open?file=<script>alert("XSS")</script>".
3. Timeline
3.1 Discovery and report - 5 June 2018.
3.2 CVE ID was assigned - 8 June 2018.
3.3 Public - 8 June 2018.
4. Solution
Upgrade the Symfony to the version 4.1 or higher.
Powered by blists - more mailing lists