niftycent.com
NiftyCent
DE
Login
Marktplatz
Rabatte

CVE-2021-41267: Webcache Poisoning via X-Forwarded-Prefix and sub-request

Description

When a Symfony application is running behind a proxy or a load-balancer, you can tell Symfony to look for the X-Forwarded-* HTTP headers. HTTP headers that are not part of the "trusted_headers" allowed list are ignored and protect you from "Cache poisoning" attacks.

In Symfony 5.2, we've added support for the X-Forwarded-Prefix header, but this header was accessible in sub-requests, even if it was not part of the "trusted_headers" allowed list. An attacker could leverage this opportunity to forge requests containing a X-Forwarded-Prefix HTTP header, leading to a web cache poisoning issue.

Resolution

Symfony now ensures that the X-Forwarded-Prefix HTTP header is not forwarded to sub-requests when it is not trusted.

The patch for this issue is available here for branch 5.3.

Credits

We would like to thank Soner Sayakci for reporting the issue and Jérémy Derussé for fixing the issue.

                Sponsor the Symfony project.

https://symfony.com/blog/cve-2021-41267-webcache-poisoning-via-x-forwarded-prefix-and-sub-request?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

Erstellt 4y | 24.11.2021, 09:20:08


Melden Sie sich an, um einen Kommentar hinzuzufügen

Andere Beiträge in dieser Gruppe

SymfonyCon Amsterdam 2025: Community Evening - Let’s Celebrate 20 Years of Symfony Together!
SymfonyCon Amsterdam 2025: Community Evening - Let’s Celebrate 20 Years of Symfony Together!

Symfony is turning 20 and we’re throwing a party you won’t want to miss! 🥳

Join us for an unforgettable evening of drinks, music, and great company at the Kanarie Club in Amsterdam!

This year

23.07.2025, 15:10:02 | Symfony
A Week of Symfony #968 (July 14–20, 2025)
A Week of Symfony #968 (July 14–20, 2025)

This week, the upcoming Symfony 7.4 version improved the Serializer component by adding more prefix support to the accessor, added more code to make the JsonPath component RFC compliant, and added sup

20.07.2025, 08:20:04 | Symfony
A Week of Symfony #967 (July 7–13, 2025)
A Week of Symfony #967 (July 7–13, 2025)

This week, Symfony unveiled the Symfony AI initiative, a set of components and bundles designed to bring powerful AI capabilities directly into your PHP applications. In addition, we published travel

13.07.2025, 09:20:11 | Symfony
Kicking off the Symfony AI Initiative
Kicking off the Symfony AI Initiative

Today we are happy to announce a new Symfony initiative called Symfony AI - with the goal to provide a comprehensive set of components and bundles designed to bring powerful AI capabilities directly i

11.07.2025, 13:20:27 | Symfony
SymfonyCon Amsterdam 2025: Travel & Lodging Tips
SymfonyCon Amsterdam 2025: Travel & Lodging Tips

SymfonyCon Amsterdam 2025, our next annual international Symfony conference, will take place on:

November 25 & 26: 2 workshops days with several topics to learn, practice and improve your skills

11.07.2025, 08:40:20 | Symfony
A Week of Symfony #966 (June 30 – July 6, 2025)
A Week of Symfony #966 (June 30 – July 6, 2025)

This week, development on the upcoming Symfony 8.0 version continued with the removal of deprecated features and the marking of several classes as final. In addition, we published two new case studies

06.07.2025, 08:10:15 | Symfony
Case study: Modernizing Audi France’s Digital Ecosystem with Symfony 6
Case study: Modernizing Audi France’s Digital Ecosystem with Symfony 6

At Wide, Micropole’s digital agency, they help leading brands modernize their digital infrastructures while ensuring scalability, security, and performance. When Audi France approached them to migrate

04.07.2025, 09:40:14 | Symfony
Techie
Techie