
A couple of days ago we were made aware of a vulnerability affecting version 2.0.6 (also integration branch code) that could potentially allow an attacker to launch a local file inclusion attack. We’ve classed this particular vulnerability as low risk since it relies heavily on the attacker being able to get the file they wish to include onto the target host for local inclusion.

Either way, we take all security risks seriously and have released the following patch.

For those using git, please pull from the Symphony 2 repo (the fix is on both master and integration).

Anyone not on git who wants to patch up their copy of 2.0.6 can use the file attached to this post. It is a replacement for the main index.php file.

All new installations of 2.0.6, from time of posting this thread, have the patch already, so no action is necessary.

Any concerns, please email us or post here.

Attachments:
index.php.zip

bump

Looks like this bug is on the radar of some hacking sites again. If you are on 2.0.6, PLEASE update to 2.0.7, or at the very least, apply the patch above.

I can find no difference between my existing index.php and the one in the update zip file. I’m running 2.0.6.

That will be because you either already patched it, or used the 2.0.6 download from this site. It already contains the patch. If you installed 2.0.6 from git, however, you’ll likely not have the fix. It was introduced into git shortly after 2.0.6 was tagged. The patched code looks like:

$renderer = (isset($_GET['mode']) && strtolower($_GET['mode']) == 'administration' 
        ? 'administration' 
        : 'frontend');

Find that code, and you’re already patched.
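The snippet above is the whole fix: the request parameter no longer reaches an include path, it only picks one of two fixed strings. The following is an added example (not Symphony's own code, and not the actual pre-patch index.php) that puts a hypothetical unsafe shape of that line next to the patched one, shows what a traversal payload does to each, and gives a small check a practitioner can run over an index.php to confirm the patched pattern is present. The LIB_DIR layout and the function names are assumptions made for the illustration.

```php
<?php
// Added example, not Symphony's code. The unsafe function is a hypothetical
// reconstruction of the bug class described in the thread (a request
// parameter selecting which file gets included), not the real 2.0.6 code.
declare(strict_types=1);

const LIB_DIR = __DIR__ . '/symphony/lib';   // assumed layout, for illustration only

// Hypothetical unsafe shape: whatever arrives in ?mode= becomes part of the
// include path. If the attacker can first get a file onto the host (an
// upload directory, /tmp, a writable log), "../" sequences point the include
// at it. That is why the advisory calls this a local file inclusion and why
// it is rated low: the attacker must already be able to plant the file.
function renderer_path_unsafe(string $mode): string
{
    return LIB_DIR . '/' . strtolower($mode) . '/index.php';
}

// Patched shape, mirroring the snippet quoted in the thread: the parameter
// only chooses between two literals, and only a literal reaches the include.
function select_renderer(?string $mode): string
{
    return (isset($mode) && strtolower($mode) == 'administration')
        ? 'administration'
        : 'frontend';
}

function renderer_path(?string $mode): string
{
    return LIB_DIR . '/' . select_renderer($mode) . '/index.php';
}

// Check helper: does the source of an index.php contain the patched
// assignment? Whitespace and quote style are allowed to vary, so a
// reformatted copy of the fix still matches.
function index_is_patched(string $source): bool
{
    $pattern = '/\$renderer\s*=\s*\(\s*isset\(\s*\$_GET\[[\'"]mode[\'"]\]\s*\)'
             . '\s*&&\s*strtolower\(\s*\$_GET\[[\'"]mode[\'"]\]\s*\)\s*==\s*'
             . '[\'"]administration[\'"]\s*\?\s*[\'"]administration[\'"]\s*:\s*'
             . '[\'"]frontend[\'"]\s*\)/';
    return preg_match($pattern, $source) === 1;
}

// Constructed request values, including a traversal payload, to compare
// where each version of the code would look for the renderer.
$probes = [null, 'administration', 'Administration', 'frontend', '../../../../tmp/evil'];

foreach ($probes as $p) {
    printf("%-24s unsafe  -> %s\n%-24s patched -> %s\n",
        var_export($p, true), renderer_path_unsafe((string) $p),
        '', renderer_path($p));
}

// Usage: php this_file.php /path/to/index.php  (argument optional)
if (isset($argv[1]) && is_readable($argv[1])) {
    echo $argv[1], ': ', index_is_patched(file_get_contents($argv[1])) ? 'patched' : 'NOT patched', "\n";
}
```

With the traversal probe, the unsafe variant resolves to a path under /tmp while the patched variant always resolves to the frontend or administration renderer. Run the script with the path to a 2.0.6 index.php as its first argument to get the same yes/no answer the reply above describes, without eyeballing the file.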

Sorry, I overlooked the date that you started this thread. Since it appeared at the top of the forum, I thought it was a new fix.
