Websites developed on the Symfony framework were vulnerable to web cache poisoning attacks due to misuse of HTTP headers. Symfony is a popular PHP framework for web applications that have had over 200 million downloads in the past. Web cache poisoning attacks were discovered to be susceptible on the platform, possibly revealing sensitive information such as users’ IP addresses.
The intermediary storage sites between web servers and client devices, such as proxies, point-of-presence servers, and load balancers, are the targets of web cache poisoning attacks. These servers often aid website performance by keeping local copies of web content to speed up delivery to web clients. Web cache poisoning exploits deceive cache servers into storing and delivering malicious material to clients.
The problem surfaced when a Symfony-based website was operating behind a proxy or load-balancer, which has since been resolved. Developers may tell Symfony to search for X-Forwarded-* headers in these circumstances, which offer further information about the client, such as the original protocol, IP address, and port.
A trusted_headers_allowlist is used by Symfony to limit permitted headers and avoid web cache poisoning attacks. Symfony’s developers introduced support for the X-Forwarded-Prefix header in version 5.2, which adds information about the request’s original path-base. The flaw occurred in the sub-request functionality, which allows developers to render and serve a tiny section of a page instead of the entire page, according to a GitHub alert.
Even though it wasn’t on their trusted_headers list, the X-Forwarded-Prefix header was handled by ‘sub-requests.’ By generating malicious sub-requests with the X-Forwarded-Prefix header and having them cached in cache servers, bad actors might perform web cache poisoning attacks. The malicious snippets would then be provided to additional customers who requested the same thing.
A similar flaw has been resolved in at least one Symfony-based e-commerce platform. It’s unclear how many other websites have been impacted, but considering Symfony’s widespread use among PHP web developers, the ramifications might be significant.