Nette security bug CVE-2020-15227

October 21, 2020

Lang: cs en de es

A security bug has been discovered in the popular PHP framework Nette for web applications. How to secure your application or server? In this article, you will find out what are the different options for fixing or additional server security.

Read the official statement of the discovered security flaw in the article First vulnerability discovered in Nette, update! by the author of the Nette framework. The best solution, and one that is also very easy to do, is to update the version of the Nette framework and the security problem will disappear. The change that the update comes with does not affect the functionality, so it is a really simple and safe task.


How is this security hole dangerous? Anyone who knows HTML, JavaScript or can script in BASH, can perform an XSS injection or read the source files, including configuration and database access, and thus download all the data.

Nette version control

If you are running multiple applications you may also want to bulk check that you have a version of Nette installed that contains the patch. The bug is in a package called nette/application. For a list of currently installed packages, including version information, see composer.loc So you can use the following command to get a listing of the versions of all installed nette/application packages:

    grep -r '"name": "nette/application"' */composer.lock -A1
If you are using Nette version 3 you should have v3.0.6 installed.

Checking logs

Unix programs log what happens. So does the web sever. The logs are located in the /var/log/apache2 directory if you are using web Apache server on debian-like distributions, in the /var/log/httpd directory in RPM base distributions. IF you use web server Nginx, the logs are in a directory in /var/log/nginx.

The following command:

    grep -r callback /var/log/apache2
to get the log entries that test whether the web application is vulnerable.

From what I've seen of the logs, the bots are testing different sites, while they can guess from the HTTP response if the web application is using the Nette framework.

Fix bug

If you don't use composer to update packages or don't want to download the archive with Nette, there are other ways to bug to fix it.


If you use composer, which you should! To update the libraries, use the command:

    composer update

Bug fix script

You can use a script that uses Unix utilities to fix source code bash script to fix Nette. Or a PHP script that also fixes Nette. The repair process can be much faster there. But beware that if you make a change, you won't run the original version of the library that fixes doesn't fix.

Disabling URLs

To perform an attack, you need to specify a specific URL. Both Apache and Nginx web servers allow you to apply rules to the URL. So it is possible to create a rule on that specific URL that will block the URL directly at the web-server level.

Enhancing security

You can also increase security in general by reducing the allowed features on the webserver. You can modify the PHP configuration, which is in the php.ini file. Just add the following line:

And at least you will limit some types of attacks. But at the same time, it may limit some applications that need to use them.


For example, web hosting wedos dynamically blocks completely HTTP/HTTPS web traffic for a certain house just about ports 80 and 443, and thus cuts the visitor off from all the sites it hosts, and therefore other customers, even though they may have a site on a different technology or patched. They also cut off access to their main corporate site. And since they probably block it by IP, they make the sites at their site inaccessible to all people who are NAT'd for the same IP.


New information regarding cve-2020-15227 can be found on the Nette forums.

Articles on a similar topic

Python program to control Docker using the API
How to use MailCatcher to test emails
Python OpenAI API
Creating a WebSocket web application and setting up a proxy
Project management: agile software development
How to run old PHP applications
What a good programmer should know
Rust programming language
NodeJS: development, server configuration
REST API: platform API
Custom web and mail hosting with ISP Config software
Programming in SQL: PostgreSQL, MySQL/MariaDB
HTTPS: secure web
NoSQL database Mongo DB
Connecting to Microsoft SQL Server from Linux
What is the job description of a programmer
Python application localization
Which mail and web hosting to choose
Digispark - Program Atmel ATtiny microcontroller with Arduino IDE
Development for ARM processors with Arduino IDE
How to program the ESP8266 WiFi processor
Open smartphone with Linux - Openmoko Neo FreeRunner


If you are interested in receiving occasional news by email.
You can register by filling in your email news subscription.