CVE-2015-2308

Name of the Vulnerable Software and Affected Versions Symfony versions 2.3.x through 2.3.26 Symfony versions 2.4.x through 2.5.10 Symfony versions 2.6.x through 2.6.5

Description The issue allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a SCRIPT element. Applications with ESI support enabled and using the Symfony built-in reverse proxy are vulnerable to PHP code injection. A malicious user can inject PHP code that will be executed by the server. The vulnerability comes from the use of eval() to execute files in the cache when they contain ESI tags, and the fact that PHP allows contents of <script language="php"> tags to be executed. This issue can be exploited in combination with Cross-Site Scripting vulnerabilities, allowing an attacker to conduct a PHP code injection attack by passing a malicious tag in a user-submitted variable.

Recommendations For Symfony versions 2.3.x through 2.3.26, update to version 2.3.27 or later. For Symfony versions 2.4.x through 2.5.10, update to version 2.5.11 or later. For Symfony versions 2.6.x through 2.6.5, update to version 2.6.6 or later. As a temporary workaround, consider disabling the ESI support in the Symfony built-in reverse proxy until a patch is available. Restrict access to the HttpCache class to minimize the risk of exploitation. Avoid using the language attribute in the SCRIPT element until the issue is resolved.