Broken Authentication in PHP

Play PHP Labs on this vulnerability with SecureFlag!

Symfony

Vulnerable example

The Symfony controller below provides an administrative endpoint that is used to fetch sensitive information about users. The class lacks the security annotation that restricts its access to authenticated users (in particular, those that have an administrative role):

/**
 * @Route("/admin/users")
 */
class UsersController extends Controller
{
    /**
     * @Route("/", name="admin_users_index")
     * @Method("GET")
     */
    public function indexAction(Request $request)
    {
        // get user list
        $manager = $this->getDoctrine()->getManager();
        $users = $manager->getRepository('AppBundle:User')->findAll();

        // render the template
        return $this->render('admin/users/index.html.twig', [
          'users' => $users
        ]);
    }
}

Prevention

Apply the recommended authentication and authorization controls depending on the web framework of choice.

In Symfony, access to specific controllers can be restricted by annotations. For example, the annotations in the code snippet below ensure that only administrators are authorized to access the endpoint:

/**
 * @Route("/admin/users")
 * @Security("has_role('ROLE_ADMIN')")
 */
class UsersController extends Controller {/*...*/};

References

CWE - CWE-287: Improper Authentication

OWASP - A07:2021 - Identification and Authentication Failures

OWASP - Authentication Cheat Sheet