Bug 1611906 (CVE-2018-14773)

Summary: CVE-2018-14773 php-symfony: Legacy HTTP headers allow users to modify URLs and bypass restrictions
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: fedora, james.hogarth, shawn
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: php-symfony 2.7.49, php-symfony 2.8.44, php-symfony 3.3.18, php-symfony 3.4.14, php-symfony 4.0.14, php-symfony 4.1.3 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:35:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1611907, 1611908, 1611909, 1611910    
Bug Blocks:    

Description Sam Fowler 2018-08-03 02:57:14 UTC 
The Symfony PHP framework has a vulnerability in versions before 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3. Support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a user to access one URL but have Symfony return a different one which can bypass restrictions on higher level caches and web servers.

The fix drops support for these two obsolete IIS headers: X-Original-URL and X_REWRITE_URL.


External Reference:

https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers


Upstream Patch:

https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b
Comment 1 Sam Fowler 2018-08-03 02:57:52 UTC 
Created php-symfony tracking bugs for this issue:

Affects: epel-all [bug 1611910]
Affects: fedora-all [bug 1611907]


Created php-symfony3 tracking bugs for this issue:

Affects: fedora-all [bug 1611909]


Created php-symfony4 tracking bugs for this issue:

Affects: fedora-all [bug 1611908]
Comment 2 Product Security DevOps Team 2019-06-10 10:35:09 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.