Listen to this Post
How CVE-2018-19790 Works
The vulnerability arises from a parser differential between Symfony’s server-side URL validation and how modern web browsers interpret URL path segments containing backslashes. Specifically, the `_failure_path` parameter in Symfony’s login form logic is intended to accept only relative paths, but the server-side validation fails to correctly identify certain malformed URLs as external. When an attacker supplies a URL with backslashes (e.g., https:\/\/evil.com\/), the Symfony validation logic treats it as a safe relative path because it misinterprets the backslashes. However, browsers normalize these backslashes into forward slashes, effectively interpreting the string as an absolute URL pointing to an external domain. This bypasses the redirect allow-list validation, allowing the application to redirect users to arbitrary external domains after successful authentication. The impact is particularly severe in SSO and OAuth2 authentication flows, where an attacker can craft a login link that sends the victim to a malicious site immediately after login, without any visible indication during the login process.
Platform: Symfony Framework
Version: <4.2.1
Vulnerability : Open Redirect
Severity: Medium (6.1)
date: 2018-12-18
Prediction: Patch 2018-12-18
What Undercode Say:
Simulate vulnerable redirect validation curl -v "https://victim.com/login?_failure_path=https:\/\/evil.com\/" Check if backslashes bypass validation grep -r "_failure_path" --include=".php" /var/www/symfony/ Test redirect endpoint for open redirect ffuf -u "https://victim.com/login?_failure_path=FUZZ" -w payloads.txt -mr "Location: https?://"
Exploit:
GET /login?_failure_path=https:\/\/attacker.com\/phishing HTTP/1.1 Host: victim.com
Protection from this CVE:
// Validate redirect URLs with strict allow-list
function isLoginRedirectAllowed($url) {
$allowed_hosts = ['victim.com', 'sub.victim.com'];
$parsed = parse_url($url);
return in_array($parsed['host'] ?? '', $allowed_hosts);
}
Impact:
- Phishing: Silent redirect to attacker-controlled site post-authentication.
- Token Theft: OAuth authorization codes stolen via redirect chain.
- Trust Erosion: Users lose confidence after unexpected redirects.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

