6.4

CVSS Score

Basic Information

CVE ID

CVE-2012-6431

GHSA ID

GHSA-83c3-qx27-2rwr

EPSS Score

0.51555%

CWE

CWE-287

Published

5/17/2022

Updated

2/6/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2012-6431

CVE-2012-6431: Symfony Allows URI Restrictions Bypass Via Double-Encoded String

On the Symfony 2.0.x version, there's a security issue that allows access to routes protected by a firewall even when the user is not logged in.

Both the Routing component and the Security component uses the path returned by getPathInfo() to match a Request. The getPathInfo() returns a decoded path, but the Routing component (Symfony\Component\Routing\Matcher\UrlMatcher) decodes the path a second time; whereas the Security component, Symfony\Component\HttpFoundation\RequestMatcher, does not.

This difference causes Symfony 2.0 to be vulnerable to double encoding attacks.

(GitHub Advisory)

6.4

CVSS Score

Basic Information

CVE ID

CVE-2012-6431

GHSA ID

GHSA-83c3-qx27-2rwr

EPSS Score

0.51555%

CWE

CWE-287

Published

5/17/2022

Updated

2/6/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

AV:N/AC:L/Au:N/C:P/I:P/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
symfony/http-foundation	composer	>= 2.0.0, < 2.0.19	2.0.19
symfony/routing	composer	>= 2.0.0, < 2.0.19	2.0.19
symfony/security	composer	>= 2.0.0, < 2.0.19	2.0.19
symfony/symfony	composer	>= 2.0.0, < 2.0.19	2.0.19

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from inconsistent path handling between components. The Routing component (UrlMatcher) decoded paths twice (once via Request::getPathInfo() and again via urldecode()), while the Security component (RequestMatcher) used the single-decoded path from getPathInfo(). This allowed attackers to craft double-encoded URLs that matched routing patterns after decoding, but didn't match security rules. The key vulnerable functions are UrlMatcher::match() (for double-decoding) and RequestMatcher::matches() (for not accounting for double-decoding). Commit diffs show these components were modified in the patch (changing urldecode() to rawurldecode() in Routing, and adding rawurldecode() in Security checks).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

On t** Sym*ony *.*.x v*rsion, t**r*'s * s**urity issu* t**t *llows ****ss to rout*s prot**t** *y * *ir*w*ll *v*n w**n t** us*r is not lo**** in. *ot* t** Routin* *ompon*nt *n* t** S**urity *ompon*nt us*s t** p*t* r*turn** *y `**tP*t*In*o()` to m*t**

Reasoning

T** vuln*r**ility st*ms *rom in*onsist*nt p*t* **n*lin* **tw**n *ompon*nts. T** Routin* *ompon*nt (UrlM*t***r) ***o*** p*t*s twi** (on** vi* `R*qu*st::**tP*t*In*o()` *n* ***in vi* `url***o**()`), w*il* t** S**urity *ompon*nt (R*qu*stM*t***r) us** t**

6.4

Basic Information

Concerned about an active attack path?

CVE-2012-6431: Symfony Allows URI Restrictions Bypass Via Double-Encoded String

6.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI