This is an open discussion with 4 replies, filed under General.
A couple of days ago we were made aware of a vulnerability affecting version 2.0.6 (also integration branch code) that could potentially allow an attacker to launch a local file inclusion attack. We’ve classed this particular vulnerability as low risk since it relies heavily on the attacker being able to get the file they wish to include on to the target host for local inclusion.
Either way, we take all security risks seriously and have released the following patch.
For those using git, please pull from the Symphony 2 repo (the fix is on both master and integration).
Anyone not on git, that wants to patch up their copy of 2.0.6, use the file attached to this post. It is a replacement for the main index.php file.
All new installations of 2.0.6, from the time of posting this thread, have the patch already, so no action is necessary.
Any concerns, please email us or post here.
Looks like this bug is on the radar of some hacking sites again. If you are on 2.0.6, PLEASE update to 2.0.7, or at the very least, apply the patch above.
I can find no difference between my existing index.php and the one in the update zip file. I’m running 2.0.6.
That will be because you either already patched it, or used the 2.0.6 download from this site. It already contains the patch. If you installed 2.0.6 from git, however, you’ll likely not have the fix. It was introduced into git shortly after 2.0.6 was tagged. The patched code looks like:
$renderer = (isset($_GET['mode']) && strtolower($_GET['mode']) == 'administration'
Find that code, and you’re already patched.
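An added example, not code from this thread or from Symphony's own index.php, showing why the quoted condition closes the hole: the renderer is chosen from a fixed pair rather than built from the raw request value. The file paths, the function names and the "weak" variant are hypothetical, constructed only to contrast the bug class with the hardened selection.

```php
<?php
// Added illustration, not Symphony's own index.php. The thread only quotes the
// patched condition, so the "weak" function is a hypothetical example of the bug
// class (a request value reaching include()), not the project's pre-patch code.

// Hypothetical weak pattern: the request parameter names the file to include, so
// any file an attacker has managed to place on the host becomes includable.
function select_renderer_weak(array $get): string
{
    $mode = isset($get['mode']) ? $get['mode'] : 'frontend';
    return 'lib/renderer.' . $mode . '.php';   // assumed path layout
}

// Hardened pattern, built around the patched condition quoted in the thread: the
// request can only pick one of two fixed renderers, and the raw value is discarded.
function select_renderer(array $get): string
{
    $renderer = (isset($get['mode']) && strtolower($get['mode']) == 'administration')
        ? 'administration'
        : 'frontend';
    return 'lib/renderer.' . $renderer . '.php';   // assumed path layout
}

// Self-check with constructed inputs: a traversal-style value still steers the
// weak version, but collapses to the default renderer in the hardened one.
$cases = [
    ['mode' => 'Administration'],
    ['mode' => '../../some/other/file'],
    [],
];
$allowed = ['lib/renderer.administration.php', 'lib/renderer.frontend.php'];
foreach ($cases as $get) {
    $weak = select_renderer_weak($get);
    $safe = select_renderer($get);
    if (!in_array($safe, $allowed, true)) {
        throw new RuntimeException("hardened selector produced unexpected path: $safe");
    }
    printf("%-32s weak=%-40s safe=%s\n", json_encode($get), $weak, $safe);
}
```

The point of the check is that the only thing the request can influence is which of two known files is loaded; whatever an attacker manages to place on the host, index.php will never name it.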
Sorry, I overlooked the date that you started this thread. Since it appeared at the top of the forum, I thought it was a new fix.
Symphony • Open Source XSLT CMS