SensioLabs Symfony 3.3.6 Cross Site Scripting

SensioLabs Symfony version 3.3.6 suffers from a cross site scripting vulnerability.


MD5 | c2146dcabb8e4fbb8941ce5b5e3b88e5

SensioLabs Symfony version 3.3.6 - Cross-Site Scripting (Reflect)

# Exploit Title: SensioLabs Symfony version 3.3.6 - Cross-Site Scripting (Reflect)
# Date: 08-06-2018
# Software Link: https://symfony.com/
# Exploit Author: HaMM0nz (Chakrit S.), a member of KPMG Cyber Security team in Thailand
# CVE: CVE-2018-12040
# Category: webapps

1. Description

Symfony is a set of PHP Components, a Web Application framework, a Philosophy, and a Community all working together in harmony. (Copied from homepage.)

2. Proof of Concept

1. Navigate to http://www.example.com/_profiler/ , by default the credential is not required to access this component.
2. Insert any non-existence path in the website for example, a random path is "http://www.example.com/qwertyuio".
3. In the Symfony profiler navigate to the row with HTTP response code "404" and click to the "Token" link in page.
4. Go to Exception pane and follow the any link in the page e.g. "vendor/symfony/symfony/src/Symfony/Component/HttpKernel/EventListener/RouterListener.php"
5. Inject <script>alert("XSS")</script> into "file" parameter , the PoC exploit will be "http://www.example.com/_profiler/open?file=<script>alert("XSS")</script>".

3. Timeline

3.1 Discovery and report - 5 June 2018.
3.2 CVE ID was assigned - 8 June 2018.
3.3 Public - 8 June 2018.

4. Solution

Upgrade the Symfony to the version 4.1 or higher.

Related Posts