7x Releases 7x SymfonyOne v1.5.0.2 — The Symfony v1 Drop-In Framework Security Upgrade! Update Now!

(Critical security fixes for all Symfony 1.x installations — upgrade from Symfony 1.4.x immediately)

7x is urgently pleased to announce the release of 7x SymfonyOne v1.5.0.2 to developers and users worldwide. This is a security release. It patches four vulnerabilities in the Symfony One framework core — including a Critical-severity remote code execution vector inherited from all versions of Symfony 1.4.x — and hardens the framework against CSRF token forgery and code injection. If you are running any version of Symfony 1.4.x or an earlier 1.5.0.x release, you should upgrade immediately.

Read the full GitHub release notes and the updated RELEASE_NOTES.md for complete technical details on every fix.

Why This Release Matters — The Symfony 1.4.x Security Debt

Symfony 1.4.x reached end-of-life in November 2012. No security patches have been issued by the upstream project in over a decade. Every vulnerability fixed in this release has been present and unpatched in Symfony 1.4.x for years. The four fixes shipped in v1.5.0.2 address issues that were always in the codebase — they were simply never found, never reported, or reported and never fixed upstream because the project was no longer maintained.

If your application is running Symfony 1.4.x on a public server today, it is exposed to every one of these vulnerabilities right now.

Security Fixes in v1.5.0.2

• YAML PHP Object Injection — Critical (RCE) — The YAML parser honoured the

  !!php/object:

  tag, passing attacker-controlled data directly to

  unserialize()

  . This is the same class of vulnerability as CVE-2024-28859. Using publicly available gadget-chain tooling (phpggc), an attacker who can influence any YAML the application parses — through a file upload, a form field, a remote API response, or an injected config value — can achieve arbitrary remote code execution without any zero-day exploit. The gadget classes are already bundled with the framework: Swift Mailer, Doctrine 1.x, and Propel 1.x all ship exploitable chains. Fixed: the

  !!php/object:

  tag now throws an exception unconditionally. PHP object deserialization from YAML is permanently disabled.
• CSRF Token Timing Attack — High — The CSRF token validator compared submitted tokens using PHP's

  !=

  operator, which short-circuits on the first differing byte. This leaks timing information that enables byte-by-byte brute-force of a CSRF token, defeating the primary defence against Cross-Site Request Forgery. A successful CSRF attack lets an attacker trigger any authenticated state-changing action — account changes, data deletion, fund transfers — by tricking a logged-in user into visiting a malicious page. Fixed: replaced with PHP's

  hash_equals()

  for constant-time comparison.
• Weak CSRF Token Generation — Medium — CSRF tokens were generated using

  md5()

  with simple string concatenation. MD5 is a cryptographically broken hash function, vulnerable to preimage attacks and length extension. The construction used (secret prefix concatenation rather than HMAC) means an attacker who can observe token output may forge valid tokens without knowing the secret. Fixed: upgraded to

  hash_hmac('sha256', ...)

  , which uses the secret as a proper cryptographic key and produces 256-bit output resistant to length-extension attacks.
• eval() Injection via i18n Choice Format — Medium — The

  {n: expr}

  set notation in i18n plural strings substituted YAML translation catalogue content directly into

  eval()

  without any character-level validation. An attacker who controls translation catalogue content — through an admin interface, a writable YAML file, or a higher-level YAML injection — can inject arbitrary PHP code. Fixed: a strict allowlist regex now rejects any expression containing characters outside digits, the placeholder variable

  n

  , whitespace, and standard arithmetic and comparison operators.

Web Root Structural Improvement

This release also moves the web front controller (

index.php

) and Apache rewrite rules (

.htaccess

) from the project root into a dedicated

public/

subdirectory. Web server

DocumentRoot

(Apache) and

root

(Nginx) should now point to

public/

.

This is the layout used by every modern PHP framework (Symfony 2+, Laravel, Laminas, Slim). With

DocumentRoot

set to

public/

, the file system enforces that

lib/

,

apps/

,

vendor/

,

composer.json

,

composer.lock

, and

.git/

are never reachable over HTTP — regardless of web server access-control configuration. Previously, any misconfiguration could expose framework internals, dependency manifests, and source code directly to the internet.

Getting Started

• Download the release from GitHub.
• Review the updated INSTALL.md for Apache and Nginx virtual host configuration showing the

  public/

  DocumentRoot.
• Update your web server

  DocumentRoot

  /

  root

  from the project root to

  public/

  after upgrading.
• Run on PHP 8.4 or later for best security and stability. All PHP 8.x versions from 8.0 through 8.5.6 are supported.
• 7x SymfonyOne v1.5 is a drop-in upgrade for Symfony 1.4.x installations — review the framework requirements before upgrading and test on a staging environment first.

What's New in v1.5.0.2

• lib/yaml/sfYamlInline.php —

  !!php/object:

  YAML deserialization blocked (Critical RCE, CWE-502).
• lib/validator/sfValidatorCSRFToken.class.php — constant-time CSRF token comparison via

  hash_equals()

  (High, CWE-208).
• lib/form/sfForm.class.php — CSRF token generation upgraded from MD5 to HMAC-SHA256 (Medium, CWE-326).
• lib/i18n/sfChoiceFormat.class.php — character allowlist guard before

  eval()

  in i18n set notation (Medium, CWE-94).
• public/index.php — front controller relocated to

  public/

  subdirectory.
• public/.htaccess — Apache rewrite rules relocated to

  public/

  subdirectory.
• README.md — directory layout and DocumentRoot examples updated to reflect

  public/

  .
• INSTALL.md — all Apache and Nginx vhost examples, installation steps, security checklist, and troubleshooting updated for

  public/

  web root.
• RELEASE_NOTES.md — full v1.5.0.2 security advisory with technical detail, code diffs, and CWE references.

Get Support

The community is here to help. Join the conversation and get quick answers through any of the following channels:

• GitHub Discussions — join the dedicated discussion thread for this release to share your experience and ask questions.
• GitHub Issues — report bugs or track known issues directly on the repository.
• Share — Community Forums — browse existing threads and post new questions.
• Telegram — @exponentialcms — real-time help and community discussion.

Thank you to everyone in the community who reported issues and contributed. Please upgrade to 7x SymfonyOne v1.5.0.2 immediately.

7x Symfony v1.5.0.1 Now Available — The Symfony One Framework Reborn With PHP 8.x through 8.5.6 Compatibility

(Reborn for general web development and as a drop-in upgrade for Symfony 1.4.x projects)

7x is extremely pleased to announce the release of 7x Symfony v1.5.0.1 to developers and users worldwide. This is the Symfony One Framework — the continuing evolution of the original symfony 1.4 MVC web application framework — reborn with full PHP 8.x through PHP 8.5.6 compatibility. Upgraded so you can continue to use Symfony 1 as designed originally, for both new general web development projects and as a drop-in upgrade path for existing Symfony 1.4.x installations.

This v1.5.0.1 release is a documentation patch release on top of v1.5.0.0, shipping a fully rewritten README.md in the 7x standard format alongside a new, comprehensive 21-section INSTALL.md developer guide covering everything from requirements and Composer integration to PDO and ORM database setup, form validation, CLI tasks, cache management, and deployment.

All PHP 8.x versions from 8.0 through 8.5.6 are supported. We strongly encourage you to run on PHP 8.4 or later for the best security and stability.

Read the full GitHub release notes for complete details on what is included in this release.

Getting Started

• Download the release from GitHub
• Review the new INSTALL.md guide included in the repository for full setup, configuration, and deployment instructions.
• Run on a PHP 8.4 or later environment for best results.
• 7x Symfony v1.5 is designed as a drop-in upgrade for existing Symfony 1.4.x installations — ensure your environment meets the framework requirements before upgrading.

What's New in v1.5.0.1

• README.md — renamed from the legacy plain-text README file and fully rewritten in the 7x standard format, including: project notice, project status, who is 7x, architecture overview, technology stack table, requirements matrix, quick start, full feature list, routing and action and DB code examples, CLI task reference, issue tracker, contribute, donate, copyright, and license sections.
• INSTALL.md — brand-new 21-section installation and developer guide covering: requirements, directory layout, first-time installation, Composer integration, Apache and Nginx virtual host configuration, file permissions, building a page (module, action, template, and route walkthrough), routing reference, action patterns, templates and layouts, PDO database integration with full CRUD examples, sfDoctrinePlugin ORM, sfPropelPlugin ORM, Composer packages in actions, forms and validation, lime test suite, symfony1 CLI tasks, cache management, deployment checklist, and troubleshooting Q&A.
• Privacy — removed all links to the internal private staging server from public documentation.

Get Support

The community is here to help. Join the conversation and get quick answers through any of the following channels:

• GitHub Discussions — join the dedicated discussion thread for this release to share your experience and ask questions.
• GitHub Issues — report bugs or track known issues directly on the repository.
• Share — Community Forums — browse existing threads and post new questions.
• Telegram — @exponentialcms — real-time help and community discussion.

Thank you to everyone in the community who tested, reported issues, and contributed. Enjoy 7x Symfony v1.5.0.1!

Exponential 6.0.13 Now Available

7x is very excited to announce the release of Exponential 6.0.13 to users worldwide, released on April 20, 2026. This release delivers critical security hardening, improved PHP 8.4/8.5 compatibility, a new SQLite3 driver, new template string operators, and an upgraded PHPUnit 13 test suite.

Key Highlights

• Critical Security Fixes — 6 SQL injection and OS shell injection attack surfaces closed. Parameterised queries and shell-argument escaping applied across 4 patched files.
• PHP 8 Session Compatibility — ezsession updated so read() returns an empty string instead of false, and globals are properly guarded during early bootstrap, eliminating type-error fatals on PHP 8.
• SQLite3 Driver — Autoload registration fixed, absolute DB paths now supported, and recursive directory creation added for first-run installations.
• New Template String Operators — rstring, ristring, str_pad, wordwrap, chunk_split, number_format, sprintf wrappers and more are now available directly in Exponential templates.
• PHPUnit 13 Test Suite — 6 new test files covering the security attack surfaces closed in this release. Bootstrap updated for full PHPUnit 13 compatibility.
• PHP 8.1 through 8.5 supported — No minimum PHP version requirement raised. Running PHP 8.3 or 8.5 is strongly recommended for best security.

Getting Started

• Download the release from GitHub or install via Composer.
• Review the full changelog on GitHub for a complete list of changes since 6.0.0.
• Read the security hardening reference in doc/hardening.md (1,176 lines) documenting every patch reference, vulnerability class, and fix applied.
• Check exponential.earth for packages, extensions, and composer setup instructions.
• Turnkey Exponential CMS hosting is available at se7enx.com.

Get Support

The community is here to help. Join the conversation and get quick answers through any of the following channels:

• Share — Release Discussion Thread — join the dedicated thread for this release to share your experience and ask questions.
• Share — Community Forums — browse existing threads and post new questions.
• Telegram — @exponentialcms — real-time help and community discussion.
• GitHub Issues — report bugs or track known issues directly on the repository.

Thank you to everyone in the community who contributed, tested, and reported issues. Enjoy Exponential 6.0.13!

7x has been working hard for the users with the release preparations for the second release of the rebranded Exponential 6.0.12 (Formerly eZ Publish 6.0).

We have some nice improvements to the core, brand new multi site settings support (from our new partner CJW Network & JAC Systeme), general improvements, bug fixes which provide for stable for active development and use! Try Exponential 6 today!

Download today and install, test, deploy to production! News on Share.Exponential.earth

Checkout the open source project product websites from 7x.

• exponential.earth
• basic.exponential.earth
• platform.exponential.earth
• share.exponential.earth

7x has been working hard for the users with the release preparations for the second release of the rebranded Exponential 6.0.11 (Formerly eZ Publish 6.0).

We have some nice improvements to the core, php85+ support, debug output css, rebranded package source code nice and stable for active development and use! Try Exponential 6 today!

Download today and install, test, deploy to production! News on Share.Exponential.earth and LinkedIn

Checkout the open source project product websites from 7x.

• exponential.earth
• basic.exponential.earth
• platform.exponential.earth
• share.exponential.earth

7x has been very busy with the release preparations for the first release of the rebranded Exponential 6.0.10 (Formerly eZ Publish 6.0).

We have some nice improvements to the core, debug output css, rebranded package source code nice and stable for active development and use! Try Exponential 6 today!

Download today and install, test, deploy to production! News on LinkedIn by 7x and Graham Brookins. News on Share.Exponential.earth

Checkout the open source project product websites from 7x.

• exponential.earth
• basic.exponential.earth
• platform.exponential.earth