Description
It was possible to guess or extract the Symfony application secret (APP_SECRET). The secret was either guessed from a list of weak secrets or extracted from a publicly accessible phpinfo page, which exposes the application's environment variables.
With this secret it was possible to execute arbitrary PHP code through the ESI (Edge-Side Includes) fragment renderer that is accessible at /_fragment.
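Both conditions in the description leave traces in the web server's access log: requests to /_fragment from anything other than the caching reverse proxy, and successful requests to a phpinfo page. The following added detection script (not part of the original advisory) scans combined-format log lines for both; the trusted proxy range and the log lines are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Combined-log-format prefix: client IP, identity, user, [timestamp], "METHOD TARGET PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumption: only the caching reverse proxy should ever request /_fragment, so any other
# client touching it is worth an alert. The range below is constructed for the example.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]

# Constructed sample log lines: an external /_fragment probe, a legitimate proxy fetch,
# a reachable phpinfo page, ordinary traffic, and a phpinfo probe that returned 404.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /_fragment?q=1 HTTP/1.1" 403 0 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /_fragment?q=1 HTTP/1.1" 200 512 "-" "Varnish"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /phpinfo.php HTTP/1.1" 200 8192 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /info/phpinfo.php HTTP/1.1" 404 0 "-" "curl/8.0"
"""


def scan_line(line):
    """Return a (rule, client_ip, path, status) finding for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client = ip_address(m.group("ip"))
    status = int(m.group("status"))
    path = m.group("target").split("?", 1)[0]  # drop the query string before matching
    if path == "/_fragment" or path.startswith("/_fragment/"):
        # Any status counts: a 403 is a probe, a 200 means the signed URL was accepted.
        if not any(client in net for net in TRUSTED_PROXIES):
            return ("fragment_from_untrusted_client", str(client), path, status)
    if "phpinfo" in path.lower() and status == 200:
        # A reachable phpinfo page prints the environment, which is where APP_SECRET lives.
        return ("phpinfo_exposed", str(client), path, status)
    return None


def scan_log(text):
    """Scan a whole log and return the list of findings in log order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```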
Remediation
It is recommended to disable ESI (Edge-Side Includes) and the /_fragment endpoint if they are not needed, to change the Symfony application secret (APP_SECRET) to a long random value, and to make sure no phpinfo page is publicly accessible.