Symfony PHP Framework has a Cache Poisoning Bug

Web cache poisoning attacks target the intermediate storage points between web servers and client devices.


Websites built on the Symfony framework were vulnerable to web cache poisoning attacks because of how they handled HTTP headers. Symfony is a popular PHP framework for web applications that has received over 200 million downloads to date. The platform was found to be vulnerable to web cache poisoning, possibly exposing sensitive information such as users' IP addresses.

Web cache poisoning is a sophisticated technique in which an attacker takes advantage of the behavior of a web server and its cache to deliver a malicious HTTP response to other users. A web cache poisoning attack has two stages. First, the attacker must find a way to make the back-end server return a response containing a harmful payload. Once that succeeds, they must ensure that the response is stored by the cache and then served to the intended victims.

A poisoned web cache has the potential to be a catastrophic means of disseminating a variety of attacks, including XSS, JavaScript injection, open redirection, and so on. 

Manipulation of unkeyed inputs, such as headers, is at the heart of any web cache poisoning attack. When evaluating whether or not to serve a cached response to a user, web caches disregard unkeyed inputs. Because of this behavior, threat actors can use them to inject their payload and elicit a "poisoned" response, which, if cached, will be served to all users with the corresponding cache key. 

The bug, which has since been fixed, arose when a Symfony-based website ran behind a proxy or load balancer. In that setup developers can tell Symfony to read X-Forwarded-* headers, which carry further information about the client such as the original IP address, protocol, and port. Symfony uses a trusted_headers allow list to limit which of these headers are honored and so prevent web cache poisoning attacks. In version 5.2, Symfony's developers added support for the X-Forwarded-Prefix header, which carries the request's original path base.

According to a GitHub advisory, the flaw was in the sub-request feature, which lets developers render and serve a small section of a page instead of the entire page. Sub-requests processed the X-Forwarded-Prefix header even when it was not on the trusted_headers list. By crafting sub-requests carrying an X-Forwarded-Prefix header and getting the resulting responses stored by cache servers, malicious actors could carry out web cache poisoning attacks.
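The following model, added here as an illustration and not taken from Symfony or the advisory, shows both points made above: why a header is an "unkeyed input" for a cache keyed on the path alone, and how a trusted_headers allow list is meant to stop a client-supplied X-Forwarded-Prefix from reaching the generated response. The Request and Cache classes, the two render_* backends, the trusted proxy address and the "/injected" prefix are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

# Constructed trust configuration: the load balancer's address and the name
# of the header whose handling the advisory describes.
TRUSTED_PROXIES = {"10.0.0.5"}
PREFIX_HEADER = "x-forwarded-prefix"


@dataclass
class Request:
    path: str
    remote_addr: str                      # immediate TCP peer (the proxy here)
    headers: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # HTTP header names are case-insensitive; normalise them once.
        self.headers = {k.lower(): v for k, v in self.headers.items()}


def render_vulnerable(req: Request, trusted_headers: Set[str]) -> str:
    """Mirrors the flawed sub-request behaviour: the prefix header is honoured
    without consulting the trusted_headers allow list."""
    prefix = req.headers.get(PREFIX_HEADER, "")
    return f'<a href="{prefix}/login">Log in</a>'


def render_fixed(req: Request, trusted_headers: Set[str]) -> str:
    """Honour the prefix only if the peer is a trusted proxy AND the header is
    on the allow list; otherwise behave exactly as if it were absent."""
    prefix = ""
    if req.remote_addr in TRUSTED_PROXIES and PREFIX_HEADER in trusted_headers:
        prefix = req.headers.get(PREFIX_HEADER, "")
    return f'<a href="{prefix}/login">Log in</a>'


class Cache:
    """A shared cache keyed on method and path only. Every request header is
    therefore an unkeyed input: requests that differ only in headers share
    one entry, and whoever fills it first decides what everyone else gets."""

    def __init__(self) -> None:
        self._store: Dict[Tuple[str, str], str] = {}

    def fetch(self, req: Request, backend: Callable[[Request, Set[str]], str],
              trusted_headers: Set[str]) -> Tuple[str, bool]:
        key = ("GET", req.path)
        if key in self._store:
            return self._store[key], True       # served from cache
        body = backend(req, trusted_headers)
        self._store[key] = body                 # stored for later visitors
        return body, False


def simulate(backend: Callable[[Request, Set[str]], str],
             trusted_headers: Set[str]) -> Tuple[str, str, bool]:
    """Replay the scenario from the advisory against a fresh cache: a request
    carrying an unsolicited X-Forwarded-Prefix arrives through the proxy
    first, then an ordinary visitor asks for the same path.
    Returns (first body, second body, whether the second was a cache hit)."""
    cache = Cache()
    tampered = Request("/", remote_addr="10.0.0.5",
                       headers={"X-Forwarded-Prefix": "/injected"})
    first, _ = cache.fetch(tampered, backend, trusted_headers)
    ordinary = Request("/", remote_addr="10.0.0.5")
    second, hit = cache.fetch(ordinary, backend, trusted_headers)
    return first, second, hit


if __name__ == "__main__":
    # Allow list that deliberately omits x-forwarded-prefix, as a site that
    # never configured the 5.2 header would have.
    allow = {"x-forwarded-for", "x-forwarded-proto"}
    print("vulnerable:", simulate(render_vulnerable, allow))
    print("fixed:     ", simulate(render_fixed, allow))
```

With the vulnerable backend the tampered request fills the cache entry for "/" with a link rooted at "/injected", and the ordinary visitor receives that same body as a cache hit; with the fixed backend both visitors get "/login". Two caveats follow from the model: the allow list only helps if the proxy in front of the application overwrites or strips any client-supplied copy of each header it is trusted for, and a cache can only stay safe with respect to a header if either the backend ignores it or the cache includes it in the key (for example via Vary).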