
CVE-2015-8124: Symfony Session Fixation Vulnerability

CVSS Score: 3.1

Basic Information

EPSS Score: 0.4794%
Published: 5/14/2022
Updated: 2/8/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Package Name            Ecosystem   Vulnerable Versions    First Patched Version
symfony/symfony         composer    >= 2.3.0, < 2.3.35     2.3.35
symfony/symfony         composer    >= 2.4.0, < 2.6.12     2.6.12
symfony/symfony         composer    >= 2.7.0, < 2.7.7      2.7.7
symfony/security-http   composer    >= 2.4.0, < 2.6.12     2.6.12
symfony/security-http   composer    >= 2.7.0, < 2.7.7      2.7.7
symfony/security        composer    >= 2.3.0, < 2.3.35     2.3.35
symfony/security        composer    >= 2.4.0, < 2.6.12     2.6.12
symfony/security        composer    >= 2.7.0, < 2.7.7      2.7.7

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from missing session migration after remember-me authentication. The patch adds `sessionStrategy->onAuthentication()` in `RememberMeListener::handle()` to trigger session migration. In vulnerable versions, `handle()` authenticated the user without rotating the session ID, so a session ID known before authentication stayed valid and became an authenticated session, which is what makes session fixation possible. The `handle()` method is the entry point for remember-me authentication processing and would appear in stack traces during exploitation.
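As an added illustration of the fix described above (example code written for this page, not Symfony's or Miggo's own), the following framework-free PHP models a remember-me listener whose handle() authenticates a user from a remember-me cookie, once without session migration and once delegating to a session strategy's onAuthentication(). The class and function names (InMemorySessionStore, MigratingSessionStrategy, a stand-in RememberMeListener, sessionIdSurvivesLogin), the token map and the session ids are constructed for this example and are not the real Symfony classes or data.

```php
<?php
// Added illustration of the CVE-2015-8124 fix: a minimal model of a
// remember-me listener with and without session migration on authentication.
// All class/function names below are assumptions for this example, not Symfony's.

declare(strict_types=1);

// Tiny session store keyed by session id (stands in for the PHP session handler).
final class InMemorySessionStore
{
    /** @var array<string, array<string, mixed>> */
    private array $sessions = [];

    public function create(): string
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = [];
        return $id;
    }

    public function has(string $id): bool { return isset($this->sessions[$id]); }

    public function get(string $id): array { return $this->sessions[$id] ?? []; }

    public function set(string $id, string $key, mixed $value): void
    {
        $this->sessions[$id][$key] = $value;
    }

    // Same effect as session_regenerate_id(true): copy the data to a fresh id
    // and invalidate the old one, so an id issued before login stops working.
    public function migrate(string $oldId): string
    {
        $newId = $this->create();
        $this->sessions[$newId] = $this->sessions[$oldId] ?? [];
        unset($this->sessions[$oldId]);
        return $newId;
    }
}

// Counterpart of the session strategy whose onAuthentication() the patch calls.
final class MigratingSessionStrategy
{
    public function __construct(private InMemorySessionStore $store) {}

    public function onAuthentication(string $sessionId): string
    {
        return $this->store->migrate($sessionId);
    }
}

// Minimal stand-in for the listener. A null strategy models the vulnerable
// handle(), which authenticated without rotating the session id.
final class RememberMeListener
{
    public function __construct(
        private InMemorySessionStore $store,
        private ?MigratingSessionStrategy $sessionStrategy,
        private array $rememberMeTokens, // constructed map: cookie token => username
    ) {}

    /** @return string the session id the client should use after this request */
    public function handle(string $sessionId, ?string $rememberMeCookie): string
    {
        if ($rememberMeCookie === null || !isset($this->rememberMeTokens[$rememberMeCookie])) {
            return $sessionId; // no valid remember-me cookie: nothing to do
        }
        $this->store->set($sessionId, 'user', $this->rememberMeTokens[$rememberMeCookie]);

        // The fix: rotate the session id once the user has been authenticated.
        if ($this->sessionStrategy !== null) {
            return $this->sessionStrategy->onAuthentication($sessionId);
        }
        return $sessionId;
    }
}

// Check: does a session id that existed before login still resolve to the
// authenticated session afterwards? True is the session-fixation condition.
function sessionIdSurvivesLogin(bool $withMigration): bool
{
    $store = new InMemorySessionStore();
    $tokens = ['constructed-remember-me-token' => 'alice']; // constructed sample data
    $listener = new RememberMeListener(
        $store,
        $withMigration ? new MigratingSessionStrategy($store) : null,
        $tokens,
    );

    $preLoginId = $store->create(); // id known before authentication
    $listener->handle($preLoginId, 'constructed-remember-me-token');

    return $store->has($preLoginId) && ($store->get($preLoginId)['user'] ?? null) === 'alice';
}

printf("pre-login id still authenticated, no migration: %s\n", var_export(sessionIdSurvivesLogin(false), true));
printf("pre-login id still authenticated, with migration: %s\n", var_export(sessionIdSurvivesLogin(true), true));
```

The same check works as a post-upgrade verification against a real application: record the session cookie value before a remember-me login and confirm it has changed afterwards; if it has not, the migration is not being triggered on that path.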


WAF Protection Rules

WAF Rule

A session fixation vulnerability within the "Remember Me" login feature allows an attacker to impersonate the victim towards the web application if the session id value was previously known to the attacker. This issue has been fixed in Symfony *.*.**
