URL rewrite vulnerability
Description
This application accepts the legacy HTTP headers X-Original-URL and/or X-Rewrite-URL, which allow clients to override the requested URL path. When these headers are present, the application processes a different resource than what appears in the original request URL. This behavior can be exploited to bypass security controls implemented at upstream layers such as web application firewalls, reverse proxies, or caching servers that make access control decisions based on the request URL. Multiple frameworks including Symfony (versions 2.7.0-2.7.48, 2.8.0-2.8.43, 3.3.0-3.3.17, 3.4.0-3.4.13, 4.0.0-4.0.13, and 4.1.0-4.1.2), zend-diactoros (up to 1.8.4), zend-http (up to 2.8.1), and zend-feed (up to 2.10.3) are known to be affected by this issue.
Remediation
Take the following steps to remediate this vulnerability:
1. Upgrade affected frameworks immediately: Update Symfony to versions 2.7.49+, 2.8.44+, 3.3.18+, 3.4.14+, 4.0.14+, or 4.1.3+. Update zend-diactoros to 1.8.5+, zend-http to 2.8.2+, and zend-feed to 2.10.4+.
2. Disable legacy header support: If upgrading is not immediately possible, explicitly reject or ignore X-Original-URL and X-Rewrite-URL headers in your web server or application configuration. For example, in Apache:
RequestHeader unset X-Original-URL
RequestHeader unset X-Rewrite-URL
Or in Nginx (setting an empty value removes the header from the request forwarded to the backend):
proxy_set_header X-Original-URL "";
proxy_set_header X-Rewrite-URL "";
3. Implement defense in depth: Ensure that authorization and access control checks are performed within the application layer itself, not solely at the web server or proxy level.
4. Verify the fix: After remediation, test that requests containing X-Original-URL or X-Rewrite-URL headers no longer bypass security controls or alter the requested resource path.
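One way to carry out the verification in step 4, as an added example that is not part of this advisory: a small checker sends a request for a harmless path with each legacy header pointing at a protected path and reports whether the response differs from the plain request. The `urllib_sender` base URL is an assumption for a staging host, and `fake_app` is a constructed in-memory stand-in so the checker can be exercised offline.

```python
from typing import Callable, Dict, Tuple
import urllib.error
import urllib.request

LEGACY_HEADERS = ("X-Original-URL", "X-Rewrite-URL")
Response = Tuple[int, str]
Sender = Callable[[str, str, Dict[str, str]], Response]  # (method, path, headers)


def check_url_override(send: Sender, public_path: str, protected_path: str) -> Dict[str, bool]:
    """For each legacy header, request `public_path` with the header pointing at
    `protected_path` and compare against a plain request for `public_path`.
    True means the response changed, i.e. the header still overrides the URL."""
    baseline = send("GET", public_path, {})
    return {
        name: send("GET", public_path, {name: protected_path}) != baseline
        for name in LEGACY_HEADERS
    }


def urllib_sender(base_url: str) -> Sender:
    """Sender for a real deployment, e.g. a staging host (base_url is assumed)."""
    def send(method: str, path: str, headers: Dict[str, str]) -> Response:
        req = urllib.request.Request(base_url + path, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.status, resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:  # 4xx/5xx are still answers to compare
            return err.code, err.read().decode(errors="replace")
    return send


def fake_app(honours_legacy_headers: bool) -> Sender:
    """Constructed in-memory stand-in for an application, so the checker runs
    offline: the vulnerable variant lets the header replace the request path."""
    def send(method: str, path: str, headers: Dict[str, str]) -> Response:
        effective = path
        if honours_legacy_headers:
            for name in LEGACY_HEADERS:
                effective = headers.get(name, effective)  # legacy behaviour: header wins
        body = "admin console" if effective.startswith("/admin") else "public page"
        return 200, body
    return send


if __name__ == "__main__":
    # Expected: all True before remediation, all False after it.
    print("vulnerable:", check_url_override(fake_app(True), "/", "/admin"))
    print("remediated:", check_url_override(fake_app(False), "/", "/admin"))
```

Against a live deployment, pass `urllib_sender("https://staging.example.test")` instead of `fake_app(...)`; any header that still reports True has not been neutralised.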