PT-2024-22611 · Symfony · Symfony

Darkpills

·

Published

2024-03-22

·

Updated

2024-03-22

·

CVE-2024-28861

CVSS v3.1

9.8

Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Symfony 1 versions 1.1.0 through 1.5.18
Description: The issue is a gadget chain caused by dangerous deserialization in the sfNamespacedParameterHolder class, which could enable an attacker to achieve remote code execution if a developer deserializes user input in their project. The vulnerability presents no direct threat on its own, but it is a vector that enables remote code execution whenever a developer deserializes untrusted user data. The estimated number of potentially affected devices worldwide is not provided.
The vulnerability is exploited through the unserialize() method of the sfNamespacedParameterHolder class, which lets an attacker supply any object type and thereby make PHP access array or object properties other than those the developer intended. Specifically, the sfOutputEscaperArrayDecorator class implements the ArrayAccess interface, which can be abused to trigger the escape() function of the sfOutputEscaper class with attacker-controlled parameters. This can lead to the execution of arbitrary PHP code through the call_user_func() function.
Recommendations: For Symfony 1 versions 1.1.0 through 1.5.18, update to version 1.5.19, which contains a patch for the issue. As a temporary workaround, add type checking before processing unserialized input, such as checking that the data is an array before accessing its elements. For example:
```php
public function unserialize($data)
{
    // Only a plain [namespace, parameters] array is acceptable here;
    // any other type (in particular an object) is discarded.
    if (is_array($data)) {
        $this->default_namespace = $data[0];
        $this->parameters = $data[1];
    } else {
        $this->default_namespace = null;
        $this->parameters = array();
    }
}
```
This fix should be applied in both sfNamespacedParameterHolder and sfParameterHolder classes.
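The following is an added example and is not code from the advisory or from Symfony 1 itself. It shows the other half of the defence a practitioner would want next to the type check above: deserializing the untrusted payload with PHP's `allowed_classes` option set to `false`, so that no class (and therefore no gadget such as the ArrayAccess decorator described above) is ever constructed, and then validating that the result has the expected plain `[namespace, parameters]` shape. The helper names `safeUnserializeParameters` and `isPlainData` are hypothetical, the sample inputs are constructed, and the code assumes PHP 7.0 or later, where the `allowed_classes` option exists.

```php
<?php
// Added example (hypothetical helpers, not Symfony 1 code).
// Requires PHP >= 7.0 for the allowed_classes option of unserialize().

/**
 * Returns true when $value consists only of scalars, nulls and (nested) arrays.
 * Any object, including a __PHP_Incomplete_Class placeholder, is rejected.
 */
function isPlainData($value): bool
{
    if (is_array($value)) {
        foreach ($value as $item) {
            if (!isPlainData($item)) {
                return false;
            }
        }
        return true;
    }
    return $value === null || is_scalar($value);
}

/**
 * Deserializes an untrusted [namespace, parameters] payload.
 * Returns [null, []] for malformed or object-bearing input, mirroring the
 * "else" branch of the advisory's workaround.
 */
function safeUnserializeParameters(string $data): array
{
    // allowed_classes => false: serialized objects are materialised as
    // __PHP_Incomplete_Class placeholders, so no constructor, __wakeup()
    // or interface method of a real class ever runs.
    $value = @unserialize($data, ['allowed_classes' => false]);

    // Must be a two-element list; unserialize() returns false on failure.
    if (!is_array($value) || count($value) !== 2
        || !array_key_exists(0, $value) || !array_key_exists(1, $value)) {
        return [null, []];
    }
    list($namespace, $parameters) = $value;

    // The namespace is a string (or null) and the parameters are plain data.
    if (($namespace !== null && !is_string($namespace))
        || !is_array($parameters) || !isPlainData($parameters)) {
        return [null, []];
    }
    return [$namespace, $parameters];
}

// Constructed sample inputs for the demonstration.
$legit         = serialize(['symfony/user', ['name' => 'alice', 'roles' => ['admin']]]);
$objectPayload = serialize([new stdClass(), []]);   // object where the namespace string belongs
$bareObject    = 'O:8:"stdClass":0:{}';              // a serialized object, not an array at all

var_dump(safeUnserializeParameters($legit));
var_dump(safeUnserializeParameters($objectPayload));
var_dump(safeUnserializeParameters($bareObject));
```

The first input survives intact; the other two collapse to `[null, []]` because an object appears somewhere in the structure. Restricting `allowed_classes` is the stronger control, since it removes the gadget before any property is read; the shape check then guarantees that `$data[0]` and `$data[1]` exist and are of the type the class expects, which is the point of the advisory's workaround.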

Exploit

Fix

Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers

CVE-2024-28861
GHSA-PV9J-C53Q-H433

Affected Products

Symfony