security bug Reported #2655

Closed
math1as opened this issue Apr 7, 2017 · 5 comments

@math1as

commented Apr 7, 2017

Hey developers~
I'm math1as from l-team
and I'd like to report a serious bug to you.
The "Create Data Source" module has some problems,
so an attacker could easily get a webshell from the back end and execute any code.
I have already sent an email to team@getsymphony.com.
Thanks a lot.

@nitriques nitriques self-assigned this Apr 10, 2017

@nitriques nitriques added this to the 2.7.0 milestone Apr 10, 2017

@nitriques

Member

commented Apr 10, 2017

Please, in the future, ONLY contact us by email for those matters. We do appreciate your work, but this is sensitive and should be dealt with in private.

@nitriques


nitriques added a commit that referenced this issue Apr 10, 2017

Fix remote code execution by auth'd users
Some fields in the datasource editor and in the event editor were not properly
sanitized, leading to php code inclusion when using crafted values like ');};phpinfo();/*

This commit aims to fix this, by making sure all user supplied values
are saved with escaped single quotes.

Fixes #2655

Also, 2 errors were not showing up in the DS editor UI, max_records and
page_number.
@nitriques

Member

commented Apr 10, 2017

nitriques added a commit that referenced this issue Apr 11, 2017

Make sure we call stripslashes on read
And also call sanitize when creating the html.

When requests come in, they are validated, then addslashes is called
before we write the php file. We still need to use the values from the
request, not call stripslashes on those since it's not needed.

This commit also adds a validation on resources names that prohibits the
use of \ in the name. Symphony already removed it, but the user was not
notified.

Re e30a18f
Re #2655
@math1as

Author

commented Apr 13, 2017

@nitriques
This vulnerability is fixed and has been received by CVE
CVE-ID:CVE-2017-7694
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7694

@nitriques

Member

commented Apr 19, 2017

@math1as Thanks!

jensscherbl added a commit that referenced this issue May 28, 2017

Fix remote code execution by auth'd users
Some fields in the datasource editor and in the event editor were not properly
sanitized, leading to php code inclusion when using crafted values like ');};phpinfo();/*

This commit aims to fix this, by making sure all user supplied values
are saved with escaped single quotes.

Fixes #2655

Also, 2 errors were not showing up in the DS editor UI, max_records and
page_number.

jensscherbl added a commit that referenced this issue May 28, 2017

Make sure we call stripslashes on read
And also call sanitize when creating the html.

When requests come in, they are validated, then addslashes is called
before we write the php file. We still need to use the values from the
request, not call stripslashes on those since it's not needed.

This commit also adds a validation on resources names that prohibits the
use of \ in the name. Symphony already removed it, but the user was not
notified.

Re e30a18f
Re #2655

nitriques added a commit that referenced this issue Jun 16, 2017

Fix remote code execution by auth'd users
Some fields in the datasource editor and in the event editor were not properly
sanitized, leading to php code inclusion when using crafted values like ');};phpinfo();/*

This commit aims to fix this, by making sure all user supplied values
are saved with escaped single quotes.

Fixes #2655

Also, 2 errors were not showing up in the DS editor UI, max_records and
page_number.

Picked from e30a18f

nitriques added a commit that referenced this issue Jun 16, 2017

Make sure we call stripslashes on read
And also call sanitize when creating the html.

When requests come in, they are validated, then addslashes is called
before we write the php file. We still need to use the values from the
request, not call stripslashes on those since it's not needed.

This commit also adds a validation on resources names that prohibits the
use of \ in the name. Symphony already removed it, but the user was not
notified.

Re e30a18f
Re #2655

Picked from 18d24e0

nitriques added a commit that referenced this issue Jun 16, 2017

Make sure we call stripslashes on read
And also call sanitize when creating the html.

When requests come in, they are validated, then addslashes is called
before we write the php file. We still need to use the values from the
request, not call stripslashes on those since it's not needed.

This commit also adds a validation on resources names that prohibits the
use of \ in the name. Symphony already removed it, but the user was not
notified.

Re e30a18f
Re #2655

Picked from 18d24e0

@nitriques nitriques closed this in f742a3b Jul 11, 2017
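
An added PHP sketch of the pattern the two commit messages above describe, not Symphony's own code: the template, class name and function names are hypothetical. It tokenizes generated source without executing it to check whether a value stays inside its single-quoted literal with and without `addslashes`, and shows why a value containing `"` needs `stripslashes` when it is read back.

```php
<?php
// Added illustration: the template and all function names are hypothetical.
const TEMPLATE = "<?php\nclass datasourceExample {\n"
    . "    public function about() { return array('name' => '%s'); }\n}\n";

// Before the fix: the raw value is pasted into a single-quoted PHP literal.
function render_unsafe(string $name): string {
    return sprintf(TEMPLATE, $name);
}

// The approach the commit messages describe: escape before writing the file.
function render_escaped(string $name): string {
    return sprintf(TEMPLATE, addslashes($name));
}

// Defender check: tokenize (never include) the generated source and report
// identifiers the template does not contain; a hit means a value left its literal.
function unexpected_identifiers(string $source): array {
    $found = [];
    // @ because the lexer may warn about an unterminated comment in the input.
    foreach (@token_get_all($source) as $tok) {
        if (is_array($tok) && $tok[0] === T_STRING
            && !in_array($tok[1], ['datasourceExample', 'about'], true)) {
            $found[] = $tok[1];
        }
    }
    return $found;
}

// The value PHP sees when the file is loaded later: decode the last quoted
// literal with single-quote rules (only \\ and \' are escape sequences).
function stored_value(string $source): string {
    $literals = [];
    foreach (token_get_all($source) as $tok) {
        if (is_array($tok) && $tok[0] === T_CONSTANT_ENCAPSED_STRING) {
            $literals[] = $tok[1];
        }
    }
    return strtr(substr(end($literals), 1, -1), ['\\\\' => '\\', "\\'" => "'"]);
}

$crafted = "');};phpinfo();/*";   // the value quoted in the commit message
var_dump(unexpected_identifiers(render_unsafe($crafted)));
var_dump(unexpected_identifiers(render_escaped($crafted)));

$name = 'Tom\'s "news"';          // constructed sample containing both quote types
$stored = stored_value(render_escaped($name));
var_dump($stored === $name, stripslashes($stored) === $name);
```

The same tokenizer check can be run over generated files already on disk to spot identifiers that the generator's template never emits.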
