CERT-In Vulnerability Note
Bypass Security Vulnerability in Symfony Http Foundation Component of Drupal
Original Issue Date: August 07, 2018
Severity Rating: HIGH
A vulnerability has been reported in Drupal modules which could be exploited by a remote attacker to bypass URL-based security controls on the target system.
This vulnerability exists in the third-party Symfony library module of Drupal. A remote attacker could exploit this vulnerability by sending a specially crafted "X-Original-URL" or "X-Rewrite-URL" HTTP header value to override the path in the request URL, potentially bypassing access restrictions and causing the target system to render a different URL.
Successful exploitation of this vulnerability could allow the attacker to bypass URL-based access controls on the target system.
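As an added illustration (not part of the CERT-In note or of the vendor's code), the following Python sketch flags requests whose "X-Original-URL" or "X-Rewrite-URL" header names a different path than the request line, which is the mismatch described above. The sample requests, host name and function names are constructed for this example.

```python
from urllib.parse import urlsplit

# Header names from the advisory, lower-cased for case-insensitive matching.
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")

def parse_request_head(raw):
    """Split a raw HTTP request head into (method, target, headers)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, headers

def find_path_overrides(raw):
    """Return (header, request_path, override_path) for each override
    header whose path differs from the path on the request line."""
    _method, target, headers = parse_request_head(raw)
    request_path = urlsplit(target).path
    findings = []
    for name, value in headers:
        if name in OVERRIDE_HEADERS:
            override_path = urlsplit(value).path
            if override_path != request_path:
                findings.append((name, request_path, override_path))
    return findings

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "plain": "GET /node/1 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "override": "GET /node/1 HTTP/1.1\r\nHost: example.test\r\nX-Original-URL: /admin/config\r\n\r\n",
    "mixed-case": "GET / HTTP/1.1\r\nHost: example.test\r\nx-ReWrite-Url: /admin/people?page=2\r\n\r\n",
    "same-path": "GET /node/1?x=1 HTTP/1.1\r\nHost: example.test\r\nX-Original-URL: /node/1\r\n\r\n",
}

def scan(samples=SAMPLES):
    """Map each sample label to its list of path-override findings."""
    return {label: find_path_overrides(raw) for label, raw in samples.items()}

if __name__ == "__main__":
    for label, hits in scan().items():
        print(label, hits or "ok")
```

A URL-based access rule that only inspects the request line would see the first path in each finding, while an application honouring the header would act on the second.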
Upgrade to the most recent version or apply the patches as mentioned in the vendor advisory.
The information provided herein is on an "as is" basis, without warranty of any kind.
Email: email@example.com Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003