7x Releases 7x SymfonyOne v1.5.0.2 — The Symfony v1 Drop-In Framework Security Upgrade! Update Now!

(Critical security fixes for all Symfony 1.x installations — upgrade from Symfony 1.4.x immediately)

7x is urgently pleased to announce the release of 7x SymfonyOne v1.5.0.2 to developers and users worldwide. This is a security release. It patches four vulnerabilities in the Symfony One framework core — including a Critical-severity remote code execution vector inherited from all versions of Symfony 1.4.x — and hardens the framework against CSRF token forgery and code injection. If you are running any version of Symfony 1.4.x or an earlier 1.5.0.x release, you should upgrade immediately.

Read the full GitHub release notes and the updated RELEASE_NOTES.md for complete technical details on every fix.

Why This Release Matters — The Symfony 1.4.x Security Debt

Symfony 1.4.x reached end-of-life in November 2012. No security patches have been issued by the upstream project in over a decade. Every vulnerability fixed in this release has been present and unpatched in Symfony 1.4.x for years. The four fixes shipped in v1.5.0.2 address issues that were always in the codebase — they were simply never found, never reported, or reported and never fixed upstream because the project was no longer maintained.

If your application is running Symfony 1.4.x on a public server today, it is exposed to every one of these vulnerabilities right now.

Security Fixes in v1.5.0.2

• YAML PHP Object Injection — Critical (RCE) — The YAML parser honoured the

  !!php/object:

  tag, passing attacker-controlled data directly to

  unserialize()

  . This is the same class of vulnerability as CVE-2024-28859. Using publicly available gadget-chain tooling (phpggc), an attacker who can influence any YAML the application parses — through a file upload, a form field, a remote API response, or an injected config value — can achieve arbitrary remote code execution without any zero-day exploit. The gadget classes are already bundled with the framework: Swift Mailer, Doctrine 1.x, and Propel 1.x all ship exploitable chains. Fixed: the

  !!php/object:

  tag now throws an exception unconditionally. PHP object deserialization from YAML is permanently disabled.
• CSRF Token Timing Attack — High — The CSRF token validator compared submitted tokens using PHP's

  !=

  operator, which short-circuits on the first differing byte. This leaks timing information that enables byte-by-byte brute-force of a CSRF token, defeating the primary defence against Cross-Site Request Forgery. A successful CSRF attack lets an attacker trigger any authenticated state-changing action — account changes, data deletion, fund transfers — by tricking a logged-in user into visiting a malicious page. Fixed: replaced with PHP's

  hash_equals()

  for constant-time comparison.
• Weak CSRF Token Generation — Medium — CSRF tokens were generated using

  md5()

  with simple string concatenation. MD5 is a cryptographically broken hash function, vulnerable to preimage attacks and length extension. The construction used (secret prefix concatenation rather than HMAC) means an attacker who can observe token output may forge valid tokens without knowing the secret. Fixed: upgraded to

  hash_hmac('sha256', ...)

  , which uses the secret as a proper cryptographic key and produces 256-bit output resistant to length-extension attacks.
• eval() Injection via i18n Choice Format — Medium — The

  {n: expr}

  set notation in i18n plural strings substituted YAML translation catalogue content directly into

  eval()

  without any character-level validation. An attacker who controls translation catalogue content — through an admin interface, a writable YAML file, or a higher-level YAML injection — can inject arbitrary PHP code. Fixed: a strict allowlist regex now rejects any expression containing characters outside digits, the placeholder variable

  n

  , whitespace, and standard arithmetic and comparison operators.

Web Root Structural Improvement

This release also moves the web front controller (

index.php

) and Apache rewrite rules (

.htaccess

) from the project root into a dedicated

public/

subdirectory. Web server

DocumentRoot

(Apache) and

root

(Nginx) should now point to

public/

.

This is the layout used by every modern PHP framework (Symfony 2+, Laravel, Laminas, Slim). With

DocumentRoot

set to

public/

, the file system enforces that

lib/

,

apps/

,

vendor/

,

composer.json

,

composer.lock

, and

.git/

are never reachable over HTTP — regardless of web server access-control configuration. Previously, any misconfiguration could expose framework internals, dependency manifests, and source code directly to the internet.

Getting Started

• Download the release from GitHub.
• Review the updated INSTALL.md for Apache and Nginx virtual host configuration showing the

  public/

  DocumentRoot.
• Update your web server

  DocumentRoot

  /

  root

  from the project root to

  public/

  after upgrading.
• Run on PHP 8.4 or later for best security and stability. All PHP 8.x versions from 8.0 through 8.5.6 are supported.
• 7x SymfonyOne v1.5 is a drop-in upgrade for Symfony 1.4.x installations — review the framework requirements before upgrading and test on a staging environment first.

What's New in v1.5.0.2

• lib/yaml/sfYamlInline.php —

  !!php/object:

  YAML deserialization blocked (Critical RCE, CWE-502).
• lib/validator/sfValidatorCSRFToken.class.php — constant-time CSRF token comparison via

  hash_equals()

  (High, CWE-208).
• lib/form/sfForm.class.php — CSRF token generation upgraded from MD5 to HMAC-SHA256 (Medium, CWE-326).
• lib/i18n/sfChoiceFormat.class.php — character allowlist guard before

  eval()

  in i18n set notation (Medium, CWE-94).
• public/index.php — front controller relocated to

  public/

  subdirectory.
• public/.htaccess — Apache rewrite rules relocated to

  public/

  subdirectory.
• README.md — directory layout and DocumentRoot examples updated to reflect

  public/

  .
• INSTALL.md — all Apache and Nginx vhost examples, installation steps, security checklist, and troubleshooting updated for

  public/

  web root.
• RELEASE_NOTES.md — full v1.5.0.2 security advisory with technical detail, code diffs, and CWE references.

Get Support

The community is here to help. Join the conversation and get quick answers through any of the following channels:

• GitHub Discussions — join the dedicated discussion thread for this release to share your experience and ask questions.
• GitHub Issues — report bugs or track known issues directly on the repository.
• Share — Community Forums — browse existing threads and post new questions.
• Telegram — @exponentialcms — real-time help and community discussion.

Thank you to everyone in the community who reported issues and contributed. Please upgrade to 7x SymfonyOne v1.5.0.2 immediately.

7x Symfony v1.5.0.1 Now Available — The Symfony One Framework Reborn With PHP 8.x through 8.5.6 Compatibility

(Reborn for general web development and as a drop-in upgrade for Symfony 1.4.x projects)

7x is extremely pleased to announce the release of 7x Symfony v1.5.0.1 to developers and users worldwide. This is the Symfony One Framework — the continuing evolution of the original symfony 1.4 MVC web application framework — reborn with full PHP 8.x through PHP 8.5.6 compatibility. Upgraded so you can continue to use Symfony 1 as designed originally, for both new general web development projects and as a drop-in upgrade path for existing Symfony 1.4.x installations.

This v1.5.0.1 release is a documentation patch release on top of v1.5.0.0, shipping a fully rewritten README.md in the 7x standard format alongside a new, comprehensive 21-section INSTALL.md developer guide covering everything from requirements and Composer integration to PDO and ORM database setup, form validation, CLI tasks, cache management, and deployment.

All PHP 8.x versions from 8.0 through 8.5.6 are supported. We strongly encourage you to run on PHP 8.4 or later for the best security and stability.

Read the full GitHub release notes for complete details on what is included in this release.

Getting Started

• Download the release from GitHub
• Review the new INSTALL.md guide included in the repository for full setup, configuration, and deployment instructions.
• Run on a PHP 8.4 or later environment for best results.
• 7x Symfony v1.5 is designed as a drop-in upgrade for existing Symfony 1.4.x installations — ensure your environment meets the framework requirements before upgrading.

What's New in v1.5.0.1

• README.md — renamed from the legacy plain-text README file and fully rewritten in the 7x standard format, including: project notice, project status, who is 7x, architecture overview, technology stack table, requirements matrix, quick start, full feature list, routing and action and DB code examples, CLI task reference, issue tracker, contribute, donate, copyright, and license sections.
• INSTALL.md — brand-new 21-section installation and developer guide covering: requirements, directory layout, first-time installation, Composer integration, Apache and Nginx virtual host configuration, file permissions, building a page (module, action, template, and route walkthrough), routing reference, action patterns, templates and layouts, PDO database integration with full CRUD examples, sfDoctrinePlugin ORM, sfPropelPlugin ORM, Composer packages in actions, forms and validation, lime test suite, symfony1 CLI tasks, cache management, deployment checklist, and troubleshooting Q&A.
• Privacy — removed all links to the internal private staging server from public documentation.

Get Support

The community is here to help. Join the conversation and get quick answers through any of the following channels:

• GitHub Discussions — join the dedicated discussion thread for this release to share your experience and ask questions.
• GitHub Issues — report bugs or track known issues directly on the repository.
• Share — Community Forums — browse existing threads and post new questions.
• Telegram — @exponentialcms — real-time help and community discussion.

Thank you to everyone in the community who tested, reported issues, and contributed. Enjoy 7x Symfony v1.5.0.1!

Exponential Platform DXP 2.0.0.2 Now Available (Symfony Only — New Stack — Platform v5)

(Rebooting our own Free Software community software distribution of this Very Powerful Open Source Symfony CMS Framework)
7x is extremely pleased to announce the release of Exponential Platform DXP 2.0.0.2 to users worldwide. This is a Symfony-only, new stack release built on Platform v5, featuring a brand new kernel, a rebranded design, and a clean front-end website design — along with all of your favourite classic features.

All versions support PHP 8.1 through 8.5. We strongly encourage you to run on PHP 8.4 or later for the best security and stability.

Read the full Share announcement for complete details on what is included in this release.

Getting Started

• Download the release from GitHub or install via Composer.
• Review the installation guide and requirements included in the repository doc/ folder.
• Run on a clean PHP 8.4 environment for best results.
• Check exponential.earth for packages, extensions, and composer setup instructions.
• This is a Symfony-only new stack release — ensure your environment meets the Symfony framework requirements before installing.

Get Support

The community is here to help. Join the conversation and get quick answers through any of the following channels:

• Share — Release Discussion Thread — join the dedicated thread for this release to share your experience and ask questions.
• Share — Community Forums — browse existing threads and post new questions.
• Telegram — @exponentialcms — real-time help and community discussion.
• GitHub Issues — report bugs or track known issues directly on the repository.

Thank you to everyone in the community who tested, reported issues, and contributed. Enjoy Exponential Platform DXP 2.0.0.2!

Exponential Platform DXP 1.0.0.2 Now Available (Symfony Only — New Stack — Platform v4)

7x is extremely pleased to announce the release of Exponential Platform DXP 1.0.0.2 to users worldwide. This is a Symfony-only, new stack release built on Platform v4, featuring a brand new kernel, a rebranded design, and a clean front-end website design — along with all of your favourite classic features.
All versions support PHP 8.1 through 8.5. We strongly encourage you to run on PHP 8.4 or later for the best security and stability.
Read the full Share announcement for complete details on what is included in this release.

Getting Started

• Download the release from GitHub or install via Composer.
• Review the installation guide and requirements included in the repository doc/ folder.
• Run on a clean PHP 8.4 environment for best results.
• Check exponential.earth for packages, extensions, and composer setup instructions.
• This is a Symfony-only new stack release — ensure your environment meets the Symfony framework requirements before installing.

Get Support

The community is here to help. Join the conversation and get quick answers through any of the following channels:

• Share — Release Discussion Thread — join the dedicated thread for this release to share your experience and ask questions.
• Share — Community Forums — browse existing threads and post new questions.
• Telegram — @exponentialcms — real-time help and community discussion.
• GitHub Issues — report bugs or track known issues directly on the repository.

Thank you to everyone in the community who tested, reported issues, and contributed. Enjoy Exponential Platform DXP 1.0.0.2!

Rebooting our free software community software distribution of this Very Powerful Symfony CMS Framework

7x is happy to announce that we are now releasing the newly rebranded and improved Exponential Platform 3.2.9 (Based upon eZ Platform 3.2/3.3.x Without the Legacy Bundle) available now for download, installation, upgrade.

This release is our first as Exponential Platform (3.2.x). The software is exactly the same as before as you expect it to be, with a simple text change to the software to replace the product name and remove the trademarked term.

Upgrade process for existing installations has not changed at all. New installations work as expected. Freedom for the Exponential Community is retained and stable for general use! No slowdowns here, full speed ahead! Try out the new features today by downloading the software package now available (tar.gz or zip)!

7x and Graham Brookins are proud to share the news of the release of a rebranded v3.2.9 of Exponential Platform (100% Compatible with eZ Platform 3.x).

Download it for free here at GitHub Release Page. Download it for free here at SourceForge:

Release posted here on the project website, https://platform.exponential.earth/download

Install it via PHP + Composer Package using:

composer create-project se7enxweb/exponentialplatform:v3.2.9 --ignore-platform-reqs;

Then read the rest of the installation instructions documentation, https://platform.exponential.earth/installation

We are in the process of setting up a online demo installation of the admin for testing.

This project uses the remains of the abandoned eZ Platform Software Stack licensed under GPLv2, when updated to php8+ support it resumes working as originally designed despite it's maturity and free and open framework cms values.

We believe in supporting users of legacy software stacks as first class citizens where user freedoms are exalted above the corporate desire to bind users to costly purchases just to use the core product.

Notable Changes (Since eZ Platform 3.2 for PHP7):

• Updated: Rebranding package UI assets from eZ Platform to Exponential Platform. Updated / Replaced Logos used within AdminUI.
  • Task name before, "Replacing most front facing branding of text string, 'eZ Platform', 'ezplatform' from the user facing displays in code and templates."

Open Source Project Website Content Was Expanded: https://platform.exponential.earth

To learn more about Exponential, Exponential Platform Legacy and Exponential Basic From 7x and to download the latest version please visit:
- https://exponential.earth
- https://lnkd.in/g284XiWh

To learn more about Exponential Family of CMS Software From 7x and to join the community please visit Share Exponential! @ Visit: https://lnkd.in/gdAHpy-m

7x is now offering turn key Exponential and Exponential Platform Legacy CMS Website Hosting, Design, Development, Training, Long term maintenance and support at https://lnkd.in/gvPkYU8T

Cheers,
Graham Brookins
7x
- https://platform.exponential.earth