lib/form/sfForm.class.php in Symfony CMS before 1.4.20 allows remote attackers to read arbitrary files via a crafted upload request.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Symfony | Sensiolabs | * | 1.4.19 (including) |
| Symfony | Sensiolabs | 1.4.0 (including) | 1.4.0 (including) |
| Symfony | Sensiolabs | 1.4.0-rc1 (including) | 1.4.0-rc1 (including) |
| Symfony | Sensiolabs | 1.4.0-rc2 (including) | 1.4.0-rc2 (including) |
| Symfony | Sensiolabs | 1.4.1 (including) | 1.4.1 (including) |
| Symfony | Sensiolabs | 1.4.2 (including) | 1.4.2 (including) |
| Symfony | Sensiolabs | 1.4.3 (including) | 1.4.3 (including) |
| Symfony | Sensiolabs | 1.4.4 (including) | 1.4.4 (including) |
| Symfony | Sensiolabs | 1.4.5 (including) | 1.4.5 (including) |
| Symfony | Sensiolabs | 1.4.6 (including) | 1.4.6 (including) |
| Symfony | Sensiolabs | 1.4.7 (including) | 1.4.7 (including) |
| Symfony | Sensiolabs | 1.4.8 (including) | 1.4.8 (including) |
| Symfony | Sensiolabs | 1.4.9 (including) | 1.4.9 (including) |
| Symfony | Sensiolabs | 1.4.10 (including) | 1.4.10 (including) |
| Symfony | Sensiolabs | 1.4.11 (including) | 1.4.11 (including) |
| Symfony | Sensiolabs | 1.4.12 (including) | 1.4.12 (including) |
| Symfony | Sensiolabs | 1.4.13 (including) | 1.4.13 (including) |
| Symfony | Sensiolabs | 1.4.14 (including) | 1.4.14 (including) |
| Symfony | Sensiolabs | 1.4.15 (including) | 1.4.15 (including) |
| Symfony | Sensiolabs | 1.4.16 (including) | 1.4.16 (including) |
| Symfony | Sensiolabs | 1.4.17 (including) | 1.4.17 (including) |
| Symfony | Sensiolabs | 1.4.18 (including) | 1.4.18 (including) |
References
- http://lists.fedoraproject.org/pipermail/package-announce/2012-December/093698.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-December/093920.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-December/093922.html
- http://secunia.com/advisories/51372
- http://symfony.com/blog/security-release-symfony-1-4-20-released
- http://trac.symfony-project.org/changeset/33598
- http://www.openwall.com/lists/oss-security/2012/11/26/12
- http://www.osvdb.org/87869
- http://www.securityfocus.com/bid/56685
- https://bugs.gentoo.org/show_bug.cgi?id=444696
- https://bugzilla.redhat.com/show_bug.cgi?id=880240
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80309
- http://lists.fedoraproject.org/pipermail/package-announce/2012-December/093698.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-December/093920.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-December/093922.html
- http://secunia.com/advisories/51372
- http://symfony.com/blog/security-release-symfony-1-4-20-released
- http://trac.symfony-project.org/changeset/33598
- http://www.openwall.com/lists/oss-security/2012/11/26/12
- http://www.osvdb.org/87869
- http://www.securityfocus.com/bid/56685
- https://bugs.gentoo.org/show_bug.cgi?id=444696
- https://bugzilla.redhat.com/show_bug.cgi?id=880240
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80309