
CVE-2012-6431: Symfony Allows URI Restrictions Bypass Via Double-Encoded String

CVSS Score: 6.4

Basic Information

EPSS Score: 0.51555%
Published: 5/17/2022
Updated: 2/6/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Package Name              Ecosystem   Vulnerable Versions   First Patched Version
symfony/http-foundation   composer    >= 2.0.0, < 2.0.19    2.0.19
symfony/routing           composer    >= 2.0.0, < 2.0.19    2.0.19
symfony/security          composer    >= 2.0.0, < 2.0.19    2.0.19
symfony/symfony           composer    >= 2.0.0, < 2.0.19    2.0.19

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from inconsistent path handling between components. The Routing component (UrlMatcher) decoded paths twice (once via Request::getPathInfo() and again via urldecode()), while the Security component (RequestMatcher) used the single-decoded path from getPathInfo(). This allowed attackers to craft double-encoded URLs that matched routing patterns after decoding, but didn't match security rules. The key vulnerable functions are UrlMatcher::match() (for double-decoding) and RequestMatcher::matches() (for not accounting for double-decoding). Commit diffs show these components were modified in the patch (changing urldecode() to rawurldecode() in Routing, and adding rawurldecode() in Security checks).
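The decode mismatch described above, as an added example that is not Symfony's code: small stand-ins for the Routing and Security views of a request path, first with the pre-2.0.19 behaviour (urldecode() applied on top of the already-decoded getPathInfo() value on the routing side only), then with both sides applying rawurldecode() once, as the fix does. The route pattern, the firewall prefix and the modelling of getPathInfo() as a single rawurldecode() of the request URI are assumptions made for the example. The check flags a request as inconsistent when the route is reachable but the firewall rule does not fire, which is the condition a regression test for this class of bug should assert never occurs.

```php
<?php
// Added example (not Symfony's code): models the double-decode mismatch between
// the Routing and Security components for CVE-2012-6431 and the consistent fix.
// Route pattern, firewall prefix and the getPathInfo() stand-in are assumptions.

// Assumed stand-in for Request::getPathInfo(): the raw request URI decoded once.
function pathInfoFromRequestUri(string $requestUri): string
{
    return rawurldecode($requestUri);
}

// Pre-2.0.19 Routing side (UrlMatcher::match): decodes the path-info a second time.
function routingPathVulnerable(string $pathInfo): string
{
    return urldecode($pathInfo);
}

// Pre-2.0.19 Security side (RequestMatcher::matches): uses the path-info as-is.
function securityPathVulnerable(string $pathInfo): string
{
    return $pathInfo;
}

// Patched behaviour: both sides apply rawurldecode() once to the same value,
// so they always compare the same string against their patterns.
function routingPathPatched(string $pathInfo): string
{
    return rawurldecode($pathInfo);
}

function securityPathPatched(string $pathInfo): string
{
    return rawurldecode($pathInfo);
}

// Constructed sample rules: one route under /admin and a firewall guarding /admin.
function routeMatches(string $path): bool
{
    return (bool) preg_match('{^/admin/users$}', $path);
}

function firewallProtects(string $path): bool
{
    return (bool) preg_match('{^/admin}', $path);
}

// Evaluate one request URI through a given pair of component views and report
// whether the route is reachable while the firewall rule does not fire.
function evaluate(string $requestUri, callable $routingView, callable $securityView): array
{
    $pathInfo  = pathInfoFromRequestUri($requestUri);
    $routed    = routeMatches($routingView($pathInfo));
    $protected = firewallProtects($securityView($pathInfo));

    return [
        'routed'       => $routed,
        'protected'    => $protected,
        'inconsistent' => $routed && !$protected,
    ];
}

// Constructed inputs: a plain path and the same path with its first letter
// percent-encoded twice (%25 is an encoded '%', so %2561 decodes to %61, then to 'a').
$requestUris = ['/admin/users', '/%2561dmin/users'];

foreach ($requestUris as $uri) {
    $before = evaluate($uri, 'routingPathVulnerable', 'securityPathVulnerable');
    $after  = evaluate($uri, 'routingPathPatched', 'securityPathPatched');

    printf(
        "%-18s pre-2.0.19: routed=%d protected=%d inconsistent=%d | patched: routed=%d protected=%d inconsistent=%d\n",
        $uri,
        $before['routed'], $before['protected'], $before['inconsistent'],
        $after['routed'], $after['protected'], $after['inconsistent']
    );
}
```

Run with `php example.php`. For the plain path both versions agree (routed and protected). For the twice-encoded path the pre-2.0.19 stand-ins disagree: the routing view decodes it to `/admin/users` and matches the route, while the security view still sees `/%61dmin/users` and the `^/admin` rule never fires. With rawurldecode() applied on both sides the route still resolves, but the firewall now evaluates the same `/admin/users` string and protects it. The point of the fix is not to reject encoded paths but to guarantee that every component matching on the path sees one canonical form.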


WAF Protection Rules

WAF Rule

On the Symfony 2.0.x version, there's a security issue that allows access to routes protected by a firewall even when the user is not logged in. Both the Routing component and the Security component use the path returned by `getPathInfo()` to match
