N/A

CVSS Score

Basic Information

CVE ID

CVE-2015-2308

GHSA ID

GHSA-5c58-w9xc-qcj9

EPSS Score

0.66718%

CWE

CWE-94

Published

5/17/2022

Updated

4/25/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2015-2308

CVE-2015-2308: Symfony Vulnerable to PHP Eval Injection

Applications with ESI support (and SSI support as of Symfony 2.6) enabled and using the Symfony built-in reverse proxy (the `Symfony\Component\HttpKernel\HttpCache class) are vulnerable to PHP code injection; a malicious user can inject PHP code that will be executed by the server.

HttpCache uses eval() to execute files in its cache when they contain ESI tags (and only when ESI is enabled). The vulnerability comes from the fact that PHP allows contents of <script language="php"> tags to be executed (and this kind of PHP tags is always available regardless of the configuration), but there were not escaped before the evaluation.

A possible exploit comes from websites also vulnerable to Cross-Site Scripting as an attacker can successfully conduct a PHP code injection attack by passing such a tag in a user submitted variable (for which proper output escaping was not applied).

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2015-2308

GHSA ID

GHSA-5c58-w9xc-qcj9

EPSS Score

0.66718%

CWE

CWE-94

Published

5/17/2022

Updated

4/25/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
symfony/symfony	composer	>= 2.0.0, < 2.3.27	2.3.27
symfony/symfony	composer	>= 2.4.0, < 2.5.11	2.5.11
symfony/symfony	composer	>= 2.6.0, < 2.6.6	2.6.6
symfony/http-kernel	composer	>= 2.0.0, < 2.3.27	2.3.27
symfony/http-kernel	composer	>= 2.4.0, < 2.5.11	2.5.11
symfony/http-kernel	composer	>= 2.6.0, < 2.6.6	2.6.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the HttpCache's use of eval() to process ESI tags. The Esi::process() method was responsible for handling ESI includes and generating PHP code for evaluation. The pre-patch implementation used str_replace() with limited escaping, failing to neutralize <script language="php"> tags. This allowed attackers to inject executable PHP code via user-submitted input. The commit diff shows the fix introduced a phpEscapeMap to properly escape dangerous tags, confirming the vulnerability was in the processing logic of this method.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ppli**tions wit* *SI support (*n* SSI support *s o* Sym*ony *.*) *n**l** *n* usin* t** Sym*ony *uilt-in r*v*rs* proxy (t** `Sym*ony\*ompon*nt\*ttpK*rn*l\*ttp***** *l*ss) *r* vuln*r**l* to P*P *o** inj**tion; * m*li*ious us*r **n inj**t P*P *o** t**t

Reasoning

T** vuln*r**ility st*ms *rom t** *ttp*****'s us* o* *v*l() to pro**ss *SI t**s. T** *si::pro**ss() m*t*o* w*s r*sponsi*l* *or **n*lin* *SI in*lu**s *n* **n*r*tin* P*P *o** *or *v*lu*tion. T** pr*-p*t** impl*m*nt*tion us** str_r*pl***() wit* limit** *

N/A

Basic Information

Concerned about an active attack path?

CVE-2015-2308: Symfony Vulnerable to PHP Eval Injection

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI