FriendsOfSymfony1 / symfony1

[DEPRECATED -- Use Symfony instead] Fork of symfony 1.4 with DIC, form enhancements, latest Swiftmailer, better performance, composer compatible and PHP 8 support
https://symfony.com/legacy
MIT License

symfony 1.x forks: What is your opinion on security / vulnerabilities? #208

Closed klemens-u closed 4 months ago

klemens-u commented 5 years ago

Hi everybody,

first of all a big thank you to all who participate in keeping symfony 1.x alive and usable. I myself chose symfony1 as the foundation of a relatively large project in 2009. As you can imagine I was pretty speechless when support for symfony 1 was dropped only 3 years later.

Well, some of the installations of my project are still in use today, and it looks as if they have to run a few more years.

My question for you is about your view on security and vulnerabilities. Symfony 1.4.20 was already pretty stable, but of course for such complex software and evolving environments (databases, webservers, new attack vectors) some vulnerabilities are probably still hidden somewhere.

A member of the community recently gave me his opinion that it would be negligent to still use sf1 because there must be "loads of vulnerabilities".

I looked through the commits on this repo and through punkave's fork, but I did not really find a lot of security related fixes.

Thanks a lot!

mkopinsky commented 5 years ago

We have had a penetration test conducted on our sf1 application (including manual testing as well as automated tools such as Burp) and the issues discovered were all application issues (e.g. not properly escaping things for XSS) or server configuration things (CORS headers, ServerSignature apache config, that sort of thing).

This isn't to say that symfony1 doesn't have any issues - we don't use a lot of features such as auto escaping in templates, so those features may have holes. But I wouldn't say that using symfony1 is an unsafe choice.

Security vulnerabilities are not things that appear spontaneously. Symfony1 is not any less safe for its having sat for years without much development. Obviously you shouldn't be running it on CentOS 5, Apache 2.2, and PHP 5.3. But with the right surrounding pieces, I don't see any problem.

mentalstring commented 5 years ago

I agree that vulnerabilities don't just pop up because it isn't being actively developed; it is probably more relevant to make sure that the underlying stack (especially PHP) is up to date.

With that said, it's perhaps worth mentioning that a SQL injection bug was found in Propel about a year ago. I know the question is about symfony, but many sf1 projects use Propel.

hugochinchilla commented 4 years ago

We have also had a penetration test done against our application and the only issues were all our fault, nothing was because of the framework itself.

DavidGoodwin commented 4 years ago

Ditto external pentesting with a symfony 1.4 app (using this package) - which passed without issue.