misd-service-development / raven-bundle

Adds Raven authentication to your Symfony2 application

Security issue: Authentication bypass #19

Open danielchatfield opened 9 years ago

danielchatfield commented 9 years ago

I've discovered a full authentication bypass vulnerability in this codebase; have you got an email address I can send the details to?

thewilkybarkid commented 9 years ago

Just for anyone else seeing this, the problem was actually at the Symfony level and has been resolved (CVE-2013-4752).

As the solution is optional (if both the server and Symfony are misconfigured the site is still vulnerable), I suggest that we add a note to the docs reminding users of the setting (so I'm not closing this yet).