[Symfony] Webcache Poisoning via X-Forwarded-Prefix and sub-request
We discussed this vulnerability during Episode 105 on 06 December 2021.
There are two things at play with this vulnerability. First, Symfony supports a trusted_headers setting that indicates which headers the framework is allowed to trust. Second, support for the X-Forwarded-Prefix header was recently added, and that header could be used regardless of whether or not it was in the trusted_headers list. This could make cache poisoning possible, because the application could treat a request differently based on a header it should not have trusted. The actual exploitation of this issue would depend on the particular application built on top of Symfony.
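
The failure mode described above, as an added example that is not from the original write-up or from Symfony: a simplified Python model in which one resolver honors X-Forwarded-Prefix without consulting the trusted-header allowlist, so two requests that share a cache key produce different bodies. The proxy address, header values, `render`, `cache_key` and both resolver functions are constructed assumptions.

```python
# Simplified model of forwarded-header trust; not Symfony's implementation.
# Addresses, header values and function names are constructed for illustration.
PREFIX = "x-forwarded-prefix"
TRUSTED_PROXIES = {"10.0.0.5"}  # assumed reverse-proxy address
TRUSTED_HEADERS = {"x-forwarded-for", "x-forwarded-proto"}  # prefix not listed


def normalize(headers):
    """Header names are case-insensitive; compare them lower-cased."""
    return {name.lower(): value for name, value in headers.items()}


def prefix_flawed(peer_ip, headers):
    """Flawed pattern: the header is honored without consulting the allowlist."""
    return normalize(headers).get(PREFIX, "")


def prefix_checked(peer_ip, headers, trusted_headers=TRUSTED_HEADERS):
    """Honor the header only from a trusted proxy and only if allowlisted."""
    if peer_ip not in TRUSTED_PROXIES or PREFIX not in trusted_headers:
        return ""
    return normalize(headers).get(PREFIX, "")


def render(path, prefix):
    """Application output that embeds the resolved prefix in a generated link."""
    return f'<a href="{prefix}{path}">home</a>'


def cache_key(method, path, headers):
    """Cache keyed on method and path only; request headers are ignored."""
    return (method, path)


def diverges(resolve_prefix):
    """True if two requests with the same cache key yield different bodies."""
    plain = {"X-Forwarded-For": "203.0.113.7"}
    tagged = {**plain, "X-Forwarded-Prefix": "/constructed-prefix"}
    keys_match = cache_key("GET", "/home", plain) == cache_key("GET", "/home", tagged)
    body_plain = render("/home", resolve_prefix("10.0.0.5", plain))
    body_tagged = render("/home", resolve_prefix("10.0.0.5", tagged))
    return keys_match and body_plain != body_tagged


if __name__ == "__main__":
    print("flawed resolver diverges: ", diverges(prefix_flawed))
    print("checked resolver diverges:", diverges(prefix_checked))
```

A check like `diverges` works as a regression test: any header that can change the response body must either be part of the cache key or be ignored unless it is explicitly trusted.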