niftycent.com
NiftyCent
DE
Login
Marktplatz
Rabatte

CVE-2021-41267: Webcache Poisoning via X-Forwarded-Prefix and sub-request

Description

When a Symfony application is running behind a proxy or a load-balancer, you can tell Symfony to look for the X-Forwarded-* HTTP headers. HTTP headers that are not part of the "trusted_headers" allowed list are ignored and protect you from "Cache poisoning" attacks.

In Symfony 5.2, we've added support for the X-Forwarded-Prefix header, but this header was accessible in sub-requests, even if it was not part of the "trusted_headers" allowed list. An attacker could leverage this opportunity to forge requests containing a X-Forwarded-Prefix HTTP header, leading to a web cache poisoning issue.

Resolution

Symfony now ensures that the X-Forwarded-Prefix HTTP header is not forwarded to sub-requests when it is not trusted.

The patch for this issue is available here for branch 5.3.

Credits

We would like to thank Soner Sayakci for reporting the issue and Jérémy Derussé for fixing the issue.

                Sponsor the Symfony project.

https://symfony.com/blog/cve-2021-41267-webcache-poisoning-via-x-forwarded-prefix-and-sub-request?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

Erstellt 4y | 24.11.2021, 09:20:08


Melden Sie sich an, um einen Kommentar hinzuzufügen

Andere Beiträge in dieser Gruppe

SymfonyOnline June 2025: Speakers, Stats & Replays!
SymfonyOnline June 2025: Speakers, Stats & Replays!

Thank you for joining us at SymfonyOnline June 2025!

What a great edition of SymfonyOnline we’ve just wrapped up! 🎉

We were thrilled to welcome 300 participants from 35 different countries—a

18.06.2025, 08:50:17 | Symfony
A Week of Symfony #963 (June 9–15, 2025)
A Week of Symfony #963 (June 9–15, 2025)

This week, Symfony celebrated the SymfonyOnline June 2025 conference with great success. Meanwhile, development efforts focused on improving invokable commands for the upcoming Symfony 7.4 version. Th

15.06.2025, 09:10:09 | Symfony
A Week of Symfony #962 (June 2–8, 2025)
A Week of Symfony #962 (June 2–8, 2025)

This week, development activity focused on the upcoming Symfony 7.4 and 8.0 versions, which will deprecate and remove many features. In addition, we published a case study about Yousign. Finally, we'r

08.06.2025, 07:50:05 | Symfony
Case study - Yousign: Scaling Trust with Smart, Scalable Architecture
Case study - Yousign: Scaling Trust with Smart, Scalable Architecture

As digital signatures become the norm in modern business, Yousign has established itself as a trusted leader across Europe. Behind its simple, intuitive interface is a powerful technical engine, handl

06.06.2025, 07:10:24 | Symfony
SymfonyOnline June 2025 starts next week!
SymfonyOnline June 2025 starts next week!

Get ready for the exciting SymfonyOnline June 2025, kicking off in a few days only! There’s still time to register and join the international online Symfony conference—along with pre-conferenc

05.06.2025, 10:20:09 | Symfony
A Week of Symfony #961 (May 26 – June 1, 2025)
A Week of Symfony #961 (May 26 – June 1, 2025)

This week, Symfony released the stable version of Symfony 7.3, which includes lots of amazing new features. We also published the maintenance versions 6.4.22 and 7.2.7.

Symfony development highlights

01.06.2025, 08:50:16 | Symfony
New in Symfony 7.3: DX Improvements (part 2)
New in Symfony 7.3: DX Improvements (part 2)

This is the second part of the blog post showcasing the main DX (developer experience) features introduced in Symfony 7.3. Read the first part of this blog post.

Verify URI Signatures… https://symfon

29.05.2025, 09:10:19 | Symfony
Techie
Techie