Symfony, a widely-used PHP framework for web and console applications, provides a robust set of reusable PHP components. It also offers an HTTP cache system, which acts as a reverse proxy for caching entire responses, including headers, and returning them to clients.

Recently, a critical security flaw (CVE-2022-24894) was discovered in Symfony's AbstractSessionListener that might lead to the leak and reuse of sensitive user session data. The response might contain a Set-Cookie header, and if Symfony's HTTP cache system is enabled, this response might be stored and returned to subsequent clients. An attacker can exploit this vulnerability to retrieve a victim's session data. The issue has been patched, and the fix is available for Symfony branch 4.4.

Code Snippet

To fully understand how this exploit works, let's take a look at the vulnerable code snippet within the AbstractSessionListener:

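protected function ensureSessionExists()
{
  // ...
  // Runs only when no session is loaded yet, the session is not empty, and a factory is set.
  if (!$this->session && !$this->sessionIsEmpty($event) && $this->factory) {
      // ...
      $session = $this->factory->get($sessionId);

      if (null !== $session) {
          // Vulnerable: the Set-Cookie header is attached to a response that the HTTP cache may store.
          $event->setResponse($response->withCookie(new Cookie(session_name(), $sessionId)));
          $this->session = $session;
      }
  }
}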

In this code, when the listener holds no session yet, the session is not empty, and a session factory is available, it creates a new session with the same session ID using the session factory. The vulnerability comes from attaching the Set-Cookie header to the response, which the caching system can then store and return to other clients.

1. Enable Symfony's HTTP caching system, either through a .env file or programmatically, for example:

  # .env
  SYMFONY_HTTP_CACHE=true

2. Send multiple requests to the application with the same session ID, either through tampering with the session cookie or setting a custom one.
3. Intercept and analyze the responses. If the caching system is working as intended, the response might contain a Set-Cookie header with the same session ID. This header is then repeated in subsequent responses to other clients who use the same session ID.
4. Extract the session ID from the intercepted response and use it to impersonate the victim on the application.

Mitigation

Symfony has acknowledged this vulnerability and released a patch (see the original GitHub PR). To mitigate the issue, update your Symfony branch to 4.4 or higher, which contains the fix for CVE-2022-24894. Additionally, ensure your application's HTTP caching system is configured properly to avoid storing sensitive information in responses.
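
One way to check the cache-configuration point above, as an added example that is not Symfony's code or part of the original write-up: the script audits raw response headers and flags any response that carries Set-Cookie while being storable by a shared cache, or that was already served from a cache (it has an Age header). The sample responses, cookie values and finding names are constructed for illustration, and only the Cache-Control and Age headers are inspected.

```python
from email.parser import Parser

BLOCKING = {"private", "no-store"}            # a shared cache must not store these
STORABLE = {"public", "s-maxage", "max-age"}  # explicit freshness for a cache

# Constructed sample responses (headers only); cookie values are placeholders.
SAMPLES = {
    "login": "HTTP/1.1 200 OK\nCache-Control: max-age=0, private, must-revalidate\n"
             "Set-Cookie: PHPSESSID=constructed-1; path=/; HttpOnly\n",
    "page": "HTTP/1.1 200 OK\nCache-Control: public, s-maxage=600\n"
            "Set-Cookie: PHPSESSID=constructed-2; path=/\n",
    "hit": "HTTP/1.1 200 OK\nCache-Control: public, s-maxage=600\nAge: 42\n"
           "Set-Cookie: PHPSESSID=constructed-2; path=/\n",
    "static": "HTTP/1.1 200 OK\nCache-Control: public, max-age=3600\n",
}


def parse_headers(raw):
    """Drop the status line and parse the rest as a multi-value header block."""
    _status, _, rest = raw.strip().partition("\n")
    return Parser().parsestr(rest, headersonly=True)


def directives(msg):
    """Lower-cased Cache-Control directive names with any '=value' removed."""
    names = set()
    for value in msg.get_all("Cache-Control", []):
        for part in value.split(","):
            names.add(part.split("=", 1)[0].strip().lower())
    return names - {""}


def audit(raw):
    """Return a finding name, or None when no cookie can reach a shared cache."""
    msg = parse_headers(raw)
    if not msg.get_all("Set-Cookie"):
        return None
    if msg.get("Age") is not None:            # Age is added by a cache on reuse
        return "served-from-cache-with-cookie"
    cc = directives(msg)
    if cc & STORABLE and not cc & BLOCKING:
        return "cacheable-with-cookie"
    return None


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {audit(raw) or 'ok'}")
```

Either finding on a real endpoint means a session cookie can cross between clients through the cache, so that route should be marked private or no-store, or the cookie should not be set on it.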

Conclusion

In conclusion, CVE-2022-24894 is a critical vulnerability in the Symfony PHP framework that allows an attacker to steal a user's session data by exploiting the framework's HTTP cache system. By updating Symfony to version 4.4 or higher and ensuring proper HTTP cache configuration, you can protect your application and users from this attack.

Timeline

Published on: 02/03/2023 22:15:00 UTC
Last modified on: 02/14/2023 16:24:00 UTC