Broken Authentication in PHP
Symfony
Vulnerable example
The Symfony controller below provides an administrative endpoint that is used to fetch sensitive information about users. The class lacks the security annotation that restricts access to authenticated users (specifically, those holding an administrative role), so any client that can reach the URL is served the full user list:
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Method;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;

/**
 * @Route("/admin/users")
 */
class UsersController extends Controller
{
    /**
     * @Route("/", name="admin_users_index")
     * @Method("GET")
     */
    public function indexAction(Request $request)
    {
        // Get the full user list. Nothing checks who is asking: there is
        // no @Security annotation on the class or method and no
        // isGranted()/denyAccessUnlessGranted() call in the action.
        $manager = $this->getDoctrine()->getManager();
        $users = $manager->getRepository('AppBundle:User')->findAll();

        // Render the template with the sensitive user data
        return $this->render('admin/users/index.html.twig', [
            'users' => $users
        ]);
    }
}
Prevention
Apply the authentication and authorization controls recommended for the web framework in use.
In Symfony, access to specific controllers can be restricted with annotations. For example, the annotations in the code snippet below ensure that only users holding the administrative role are authorized to access the endpoint:
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;

/**
 * @Route("/admin/users")
 * @Security("has_role('ROLE_ADMIN')")
 */
class UsersController extends Controller { /* ... */ }
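As an added example (not code from the original page or from the Symfony project), the hardened controller below combines the class-level @Security annotation with a method-level denyAccessUnlessGranted() call, so the endpoint stays closed even if the annotation is later removed or the action is copied into another controller. It is followed by a PHPUnit functional test that fails whenever an anonymous visitor or a logged-in non-administrator can reach the endpoint. The AppBundle namespace, the test file path, the 'user' account and its password, and an HTTP basic-auth firewall for the test are assumptions.

```php
<?php
// ---- src/AppBundle/Controller/UsersController.php (assumed path) ----
namespace AppBundle\Controller;

use Sensio\Bundle\FrameworkExtraBundle\Configuration\Method;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

/**
 * Layer 1: the class-level annotation denies every action in this
 * controller to callers without ROLE_ADMIN (HTTP 403, or a redirect to
 * the login form for anonymous users).
 *
 * @Route("/admin/users")
 * @Security("has_role('ROLE_ADMIN')")
 */
class UsersController extends Controller
{
    /**
     * @Route("/", name="admin_users_index")
     * @Method("GET")
     */
    public function indexAction(Request $request): Response
    {
        // Layer 2: an explicit check inside the action. Redundant while the
        // annotation is present, but it keeps the endpoint closed if the
        // annotation is dropped in a refactor or the method is moved to a
        // controller that lacks it. Throws AccessDeniedException (-> 403).
        $this->denyAccessUnlessGranted('ROLE_ADMIN');

        $users = $this->getDoctrine()
            ->getManager()
            ->getRepository('AppBundle:User')
            ->findAll();

        return $this->render('admin/users/index.html.twig', [
            'users' => $users,
        ]);
    }
}

// ---- tests/AppBundle/Controller/UsersControllerTest.php (assumed path) ----
namespace Tests\AppBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;

class UsersControllerTest extends WebTestCase
{
    /** An anonymous request must never be served the user list. */
    public function testAnonymousIsRefused(): void
    {
        $client = static::createClient();
        $client->request('GET', '/admin/users/');

        // Depending on the firewall configuration, Symfony answers 401/403
        // or redirects (302) to the login form; any of these means the
        // access check is active. A 200 means the restriction is missing.
        $status = $client->getResponse()->getStatusCode();
        $this->assertContains($status, [302, 401, 403]);
        $this->assertNotSame(200, $status);
    }

    /** A logged-in user without ROLE_ADMIN must get 403, not the data. */
    public function testRegularUserIsRefused(): void
    {
        // HTTP basic auth as an assumed 'user' account (ROLE_USER only)
        // provided by the test fixtures and accepted by the firewall.
        $client = static::createClient([], [
            'PHP_AUTH_USER' => 'user',
            'PHP_AUTH_PW'   => 'user-password',
        ]);
        $client->request('GET', '/admin/users/');

        $this->assertSame(403, $client->getResponse()->getStatusCode());
    }
}
```

The test is the detection half of the fix: run it in CI so that a future change which removes the annotation (or adds a new action to the controller without one) turns into a failing build rather than an exposed endpoint. The two classes are shown in one block for readability; in a real project they live in the separate files named in the comments.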
References
CWE - CWE-287: Improper Authentication
OWASP - A07:2021 - Identification and Authentication Failures