This forum is in READ-ONLY mode.
You can look around, but if you want to ask a new question, please use the new forum.
Members Members   Search Search   FAQ FAQ   Register Register   Login Login   Home Home
Home » support » General discussion » Symfony Securitiy Issue - validation bypass method
icon4.gif  Symfony Securitiy Issue - validation bypass method [message #5457] Tue, 25 April 2006 15:56 Go to next message
pookey is currently offline pookey
Messages: 173
Registered: January 2006
Location: Epsom, Surrey, UK
Senior Member
Synopsis
--------
Symfony's built in validation system can by bypassed by altering the case of a URL.

Affected Versions
-----------------

All current versions of symfony are affected.

Description
-----------

Symfony provides a system to validate actions by specifying rules in a configuration file whos name is dependent upon the requested action. Due to the case insensitivity of PHP coupled with the case sensitivity of the underlying file system, validation rules can by bypassed by changing the case of the action in the URL.

Example
-------

http://site.com/module/action/id/4 - might be validated by a file called 'validate/action.yml'. However, changing the URL to
http://site.com/module/acTIOn/id/4 would bypass the validation (validate/acTiOn.yml would not exist)

Impact
------

The impact of this issue will vary on an application to application basis. For applications relying on validation to sanitize data – unsanitized data could be injected into your site. Some applications might be using the validation system for permissions checking, this issue will allow users to bypass your sites security.

Workaround
----------

Currently there is no known work around.

[Updated on: Tue, 25 April 2006 16:10]

http://shurl.net - the only URL shortening service written with symfony!
Report message to a moderator
Re: Symfony Securitiy Issue - validation bypass method [message #5460 is a reply to message #5457 ] Tue, 25 April 2006 17:01 Go to previous messageGo to next message
simonbun is currently offline simonbun
Messages: 205
Registered: October 2005
Faithful Member
Maybe when fixing this issue it would be good to get rid of the trailing slash difference?

At the moment mysite.com/mymodule/myaction != mysite.com/mymodule/myaction/
Report message to a moderator
Re: Symfony Securitiy Issue - validation bypass method [message #5461 is a reply to message #5460 ] Tue, 25 April 2006 17:38 Go to previous messageGo to next message
francois is currently offline francois
Messages: 1636
Registered: October 2005
Faithful Member
Pookey, I think this is worth a ticket.
Report message to a moderator
Re: Symfony Securitiy Issue - validation bypass method [message #5463 is a reply to message #5457 ] Tue, 25 April 2006 17:52 Go to previous messageGo to next message
pookey is currently offline pookey
Messages: 173
Registered: January 2006
Location: Epsom, Surrey, UK
Senior Member
good point Wink

reported at ticket #466

http://shurl.net - the only URL shortening service written with symfony!
Report message to a moderator
Re: Symfony Securitiy Issue - validation bypass method [message #5468 is a reply to message #5463 ] Tue, 25 April 2006 19:50 Go to previous messageGo to next message
sshadow is currently offline sshadow
Messages: 5
Registered: December 2005
Junior Member
@pookey

nice job!


As this is IMO a very critical issue, I'd like to see a special message be send through the announce mailinglists. The Sf community needs to be alerted asap, so it can take precautions against this kind of attack on their productions environments. I just only found out about this issue by browsing through this forum by chance.

I think Symfony needs a dedicated mailinglists for this kind of security issues. Considering Sf as a framework for the enterprise, it also needs an enterprise CERT like project. security through obscurity isn't a solution. I'm aware thath Sf still hasn't been released as a 1.0 version, but it is considered stable. If extra help is need by the Sf project, I'd like to volunteer to get my hands wet.

Maybe I'm a bit too early to react this way, therefor i apologise, but I'd like to express my opinion as I'm very sensitive about application security.
Report message to a moderator
Re: Symfony Securitiy Issue - validation bypass method [message #5471 is a reply to message #5468 ] Tue, 25 April 2006 20:33 Go to previous messageGo to next message
chtito is currently offline chtito
Messages: 512
Registered: March 2006
Location: Sweden
Faithful Member
I tried on different installation (MAMP and also some Linux distro – our "production" site) and the exploit you are talking about doesn't work because the page http://site.com/module/acTIOn/id/4 is simply not found.

Or is there something I misunderstood?

Could you give us some more information, Pookey? On what installation did you get that behaviour? How exactly can one reproduce the exploit?

cheers!
Report message to a moderator
Re: Symfony Securitiy Issue - validation bypass method [message #5475 is a reply to message #5457 ] Tue, 25 April 2006 21:29 Go to previous messageGo to next message
pookey is currently offline pookey
Messages: 173
Registered: January 2006
Location: Epsom, Surrey, UK
Senior Member
Do you realise that 'site.com', 'module' and 'action' are all just examples? If you still fail to understand this, talk to me on IRC, you must be having a blonde moment.

http://shurl.net - the only URL shortening service written with symfony!
Report message to a moderator
Re: Symfony Securitiy Issue - validation bypass method [message #5481 is a reply to message #5475 ] Tue, 25 April 2006 22:26 Go to previous messageGo to next message
chtito is currently offline chtito
Messages: 512
Registered: March 2006
Location: Sweden
Faithful Member
No i tested on real pages of course. Let me be very clear:
- on my installations http://examplefromchtito.com/mymodule/myaction works
- but, say, http://examplefromchtito.com/mymodule/Myaction doesn't work (i simply get a 404 error)

Therefore i just don't understand how one can use the capitalisation for an exploit.

I'd like to know:
- on what installation you got that behaviour
and
- how exactly can one reproduce the exploit.

This is important to possibly reassure all the users out there.

("Blonde moment" i didn't know that excellent expression Very Happy )
Report message to a moderator
Re: Symfony Securitiy Issue - validation bypass method [message #5483 is a reply to message #5457 ] Tue, 25 April 2006 22:37 Go to previous messageGo to next message
pookey is currently offline pookey
Messages: 173
Registered: January 2006
Location: Epsom, Surrey, UK
Senior Member
I'm showing URLs that aren't using the routing engine to help explain things a little better.

http://bbs.pookey.co.uk/board/view?short_code=board1

In this action, short_code is a required parameter. If it's not supplied, validation notices and kicks out an error, for example:

http://bbs.pookey.co.uk/board/view?short_code=

however, try this:

http://bbs.pookey.co.uk/board/vIEw?short_code=

This page returns a 404, because the query is doing a
$this->forward404Unless($board = BoardPeer::doSelectOne($c)); is failing to return a board, because the short_code wasn't passed. As you can see, validation was completly bypassed.

It's clearer if you look at the debug helper here:

http://bbs.pookey.co.uk/bbs_dev.php/board/vIEw?short_code=

Hope this explains it better.

BTW: blonde moment - blond(e) people are often called stupid, having a blonde moment is a moment of stupidity Wink (I'm allowed to say this, I'm blond myself Very Happy )

[Updated on: Tue, 25 April 2006 22:38]

http://shurl.net - the only URL shortening service written with symfony!
Report message to a moderator
Re: Symfony Securitiy Issue - validation bypass method [message #6605 is a reply to message #5483 ] Wed, 24 May 2006 17:48 Go to previous messageGo to next message
bcaspe is currently offline bcaspe
Messages: 10
Registered: January 2006
Junior Member
I didn't look at the mailing list for this issue, but the bug extends not only to validation, but also the security checking (module/config/security.yml) I tried to find out when the filters get loaded and how the controller figures out whether there is a corresponding security yml, but I didn't see where it happens.

I tried (successfully) to bypass the add.yml for one of my modules by typing in the url: module/aDD. In the log file, the sfBasicSecurityFilter wasn't loaded/run, so it has to be checking from before then.

Where is the decision made on which filters to load?

brian
Report message to a moderator
Re: Symfony Securitiy Issue - validation bypass method [message #6608 is a reply to message #5457 ] Wed, 24 May 2006 18:14 Go to previous messageGo to next message
halfer is currently offline halfer
Messages: 9535
Registered: January 2006
Location: West Midlands, UK
Faithful Member
If you are using Apache and mod_rewrite, I wonder if the internal lowercase mapping function could be used to lowercase all URLs at the server end?

This would certainly fix the security hole, though of course the core problem would still need to be addressed at some point in symfony.

Remember Palestine
Report message to a moderator
Re: Symfony Securitiy Issue - validation bypass method [message #6609 is a reply to message #5457 ] Wed, 24 May 2006 18:19 Go to previous messageGo to next message
pookey is currently offline pookey
Messages: 173
Registered: January 2006
Location: Epsom, Surrey, UK
Senior Member
well, the basic problem remains, URLs *should* be case sensitive, I don't really think that point is up for debate Smile

http://shurl.net - the only URL shortening service written with symfony!
Report message to a moderator
Re: Symfony Securitiy Issue - validation bypass method [message #6610 is a reply to message #6605 ] Wed, 24 May 2006 18:40 Go to previous messageGo to next message
bcaspe is currently offline bcaspe
Messages: 10
Registered: January 2006
Junior Member
check the trac again. I added some code to it that will solve the issue in terms of the security.yml. I'll have another look at the validation in a little bit.

brian
Report message to a moderator
Re: Symfony Securitiy Issue - validation bypass method [message #6611 is a reply to message #6610 ] Wed, 24 May 2006 18:42 Go to previous messageGo to next message
bcaspe is currently offline bcaspe
Messages: 10
Registered: January 2006
Junior Member
I don't know how you're going to do that if the default route looks for /:method/:action and finds something that by php standards (case insensative) matches. That's what was going on for me. It was a default routing mapping to a valid insensative method/action, but none of the trimmings.
Report message to a moderator
Re: Symfony Securitiy Issue - validation bypass method [message #6612 is a reply to message #6609 ] Wed, 24 May 2006 19:07 Go to previous messageGo to next message
halfer is currently offline halfer
Messages: 9535
Registered: January 2006
Location: West Midlands, UK
Faithful Member
pookey wrote on Wed, 24 May 2006 17:19

well, the basic problem remains, URLs *should* be case sensitive, I don't really think that point is up for debate Smile


Agreed. My suggestion was intended to plug the security hole, not address the underlying problem. Very Happy

Remember Palestine
Report message to a moderator
Re: Symfony Securitiy Issue - validation bypass method [message #6831 is a reply to message #5457 ] Tue, 30 May 2006 05:58 Go to previous messageGo to next message
bluefossil is currently offline bluefossil
Messages: 14
Registered: January 2006
Junior Member
I have also recently run into a problem with a simple contact form having its validation being bypassed. The module/action was supposed to be contact/submit, but when someone submits to contact/Submit, for example, the validation does not kick in, and I end up receiving a blank email.

So what's the stand now in solving this problem?
Report message to a moderator
Re: Symfony Securitiy Issue - validation bypass method [message #15952 is a reply to message #6831 ] Wed, 15 November 2006 08:14 Go to previous messageGo to next message
phptub is currently offline phptub
Messages: 49
Registered: August 2006
Location: hyderabad
Member
I am also experienced with the same thing.
members/saveUser is working with validation... but when i access members/SaveUser i can bypass the validations..

Asif Ali Muhammad
My Blog
My Company
My Website

_________________________
Report message to a moderator
Re: Symfony Securitiy Issue - validation bypass method [message #15958 is a reply to message #5457 ] Wed, 15 November 2006 11:07 Go to previous messageGo to next message
halfer is currently offline halfer
Messages: 9535
Registered: January 2006
Location: West Midlands, UK
Faithful Member
The ticket is closed. Could you let us know which version you are using, and any other relevant info about your environment, so bugfixers can determine what might need fixing?

Remember Palestine
Report message to a moderator
Re: Symfony Securitiy Issue - validation bypass method [message #15962 is a reply to message #15958 ] Wed, 15 November 2006 11:42 Go to previous messageGo to next message
phptub is currently offline phptub
Messages: 49
Registered: August 2006
Location: hyderabad
Member
Hi...
I am using Symfony beta 0.7.1914..and i believe this was fixed in later version

Asif Ali Muhammad
My Blog
My Company
My Website

_________________________
Report message to a moderator
Re: Symfony Securitiy Issue - validation bypass method [message #15964 is a reply to message #5457 ] Wed, 15 November 2006 11:56 Go to previous messageGo to next message
halfer is currently offline halfer
Messages: 9535
Registered: January 2006
Location: West Midlands, UK
Faithful Member
AFAIK this was fixed before 0.7.1914. I am running that version too, and this fix is already on mine. Is it on yours?

Remember Palestine
Report message to a moderator
Re: Symfony Securitiy Issue - validation bypass method [message #15968 is a reply to message #15964 ] Wed, 15 November 2006 12:41 Go to previous messageGo to next message
phptub is currently offline phptub
Messages: 49
Registered: August 2006
Location: hyderabad
Member
Hi...
Let me explain again...
I am running the 0.7.1914. version. I have a user registration module... the action name is saveUser and my module is members and my yml file name is saveUser.yml. When i access members/saveUser i get validation errors.
And i tried to access members/SaveUser after reading this Topic.
Then am able to bypass the validations and its creating null record in Database.
Please let me know how to fix this bug in my symfony...

Asif Ali Muhammad
My Blog
My Company
My Website

_________________________
Report message to a moderator
Re: Symfony Securitiy Issue - validation bypass method [message #15970 is a reply to message #5457 ] Wed, 15 November 2006 12:58 Go to previous message
halfer is currently offline halfer
Messages: 9535
Registered: January 2006
Location: West Midlands, UK
Faithful Member
Explaining again won't help: I understand already, as far as I can tell Smile

I have pointed you to the relevant changeset - could you check your system to see if it has been applied?

http://www.symfony-project.com/trac/changeset/1498

Remember Palestine
Report message to a moderator
Previous Topic:using select_country() in ia0-8859-1 documents
Next Topic:Overriding the front controller dispatch method
Goto Forum:
  

[ Syndicate this forum (XML) ]
powered by FUDforum - copyright ©2001-2004 FUD Forum Bulletin Board Software