Blog

7x staff post regularly about recent news, important changes, and improvements on the 7x blog, "The Continuum". Subscribe to our blog RSS feed with your favorite feed reader or news syndication application.

7x Releases 7x SymfonyOne v1.5.0.2 - The Symfony v1 Drop In Framework Security Upgrade! Update now!

(Critical security fixes for all Symfony 1.x installations — upgrade from Symfony 1.4.x immediately)

7x is urgently pleased to announce the release of 7x SymfonyOne v1.5.0.2 to developers and users worldwide. This is a security release. It patches four vulnerabilities in the Symfony One framework core — including a Critical-severity remote code execution vector inherited from all versions of Symfony 1.4.x — and hardens the framework against CSRF token forgery and code injection. If you are running any version of Symfony 1.4.x or an earlier 1.5.0.x release, you should upgrade immediately.

Read the full GitHub release notes and the updated RELEASE_NOTES.md for complete technical details on every fix.

Why This Release Matters — The Symfony 1.4.x Security Debt

Symfony 1.4.x reached end-of-life in November 2012. No security patches have been issued by the upstream project in over a decade. Every vulnerability fixed in this release has been present and unpatched in Symfony 1.4.x for years. The four fixes shipped in v1.5.0.2 address issues that were always in the codebase — they were simply never found, never reported, or reported and never fixed upstream because the project was no longer maintained.

If your application is running Symfony 1.4.x on a public server today, it is exposed to every one of these vulnerabilities right now.

Security Fixes in v1.5.0.2
  • YAML PHP Object Injection — Critical (RCE) — The YAML parser honoured the !!php/object: tag, passing attacker-controlled data directly to unserialize(). This is the same class of vulnerability as CVE-2024-28859. Using publicly available gadget-chain tooling (phpggc), an attacker who can influence any YAML the application parses — through a file upload, a form field, a remote API response, or an injected config value — can achieve arbitrary remote code execution without any zero-day exploit. The gadget classes are already bundled with the framework: Swift Mailer, Doctrine 1.x, and Propel 1.x all ship exploitable chains. Fixed: the !!php/object: tag now throws an exception unconditionally. PHP object deserialization from YAML is permanently disabled.
  • CSRF Token Timing Attack — High — The CSRF token validator compared submitted tokens using PHP's != operator, which short-circuits on the first differing byte. This leaks timing information that enables byte-by-byte brute-force of a CSRF token, defeating the primary defence against Cross-Site Request Forgery. A successful CSRF attack lets an attacker trigger any authenticated state-changing action — account changes, data deletion, fund transfers — by tricking a logged-in user into visiting a malicious page. Fixed: replaced with PHP's hash_equals() for constant-time comparison.
  • Weak CSRF Token Generation — Medium — CSRF tokens were generated using md5() with simple string concatenation. MD5 is a cryptographically broken hash function, vulnerable to preimage attacks and length extension. The construction used (secret prefix concatenation rather than HMAC) means an attacker who can observe token output may forge valid tokens without knowing the secret. Fixed: upgraded to hash_hmac('sha256', ...), which uses the secret as a proper cryptographic key and produces 256-bit output resistant to length-extension attacks.
  • eval() Injection via i18n Choice Format — Medium — The {n: expr} set notation in i18n plural strings substituted YAML translation catalogue content directly into eval() without any character-level validation. An attacker who controls translation catalogue content — through an admin interface, a writable YAML file, or a higher-level YAML injection — can inject arbitrary PHP code. Fixed: a strict allowlist regex now rejects any expression containing characters outside digits, the placeholder variable n, whitespace, and standard arithmetic and comparison operators.
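
A character-allowlist guard of the kind described in the last item, as an added example: this is not the code shipped in lib/i18n/sfChoiceFormat.class.php. The function names, the exact operator set in the regex, and the sample catalogue strings are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration; not the guard shipped in sfChoiceFormat.class.php.
// The operator set is an assumption drawn from the description above:
// digits, the placeholder "n", whitespace, arithmetic/comparison operators.

function isSafeChoiceExpression(string $expr): bool
{
    // \A and \z anchor the whole string; unlike $, \z does not tolerate a
    // trailing newline. Letters other than "n", quotes, "$", ";", "(" and
    // backticks are outside the class, so no call or second statement can form.
    return preg_match('/\A[0-9n\s+\-*\/%<>=!&|]+\z/', $expr) === 1;
}

function evaluateChoiceExpression(string $expr, int $n): bool
{
    if (!isSafeChoiceExpression($expr)) {
        throw new InvalidArgumentException('Rejected i18n set expression');
    }
    // Only validated text reaches eval(); "n" becomes the typed local $n.
    $code = 'return (' . str_replace('n', '$n', $expr) . ');';
    try {
        return (bool) eval($code);
    } catch (Throwable $e) {
        // Allowlisted but malformed input ("n ==", "n % 0") ends up here
        // as a ParseError or DivisionByZeroError instead of a fatal error.
        throw new InvalidArgumentException('Malformed i18n set expression', 0, $e);
    }
}

// Constructed catalogue entries: two legitimate plural rules, one string a
// tampered translation file might contain, and one malformed rule.
$samples = [
    'n % 10 > 1 && n % 10 < 5',
    'n == 0 || n > 20',
    'n == 1; phpinfo()',
    'n ==',
];

foreach ($samples as $expr) {
    try {
        $result = evaluateChoiceExpression($expr, 22) ? 'matches' : 'no match';
    } catch (InvalidArgumentException $e) {
        $result = $e->getMessage();
    }
    printf("%-28s => %s\n", $expr, $result);
}
```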

Web Root Structural Improvement

This release also moves the web front controller (index.php) and Apache rewrite rules (.htaccess) from the project root into a dedicated public/ subdirectory. Web server DocumentRoot (Apache) and root (Nginx) should now point to public/.

This is the layout used by every modern PHP framework (Symfony 2+, Laravel, Laminas, Slim). With DocumentRoot set to public/, the file system enforces that lib/, apps/, vendor/, composer.json, composer.lock, and .git/ are never reachable over HTTP — regardless of web server access-control configuration. Previously, any misconfiguration could expose framework internals, dependency manifests, and source code directly to the internet.

Getting Started
  • Download the release from GitHub.
  • Review the updated INSTALL.md for Apache and Nginx virtual host configuration showing the public/ DocumentRoot.
  • Update your web server DocumentRoot / root from the project root to public/ after upgrading.
  • Run on PHP 8.4 or later for best security and stability. All PHP 8.x versions from 8.0 through 8.5.6 are supported.
  • 7x SymfonyOne v1.5 is a drop-in upgrade for Symfony 1.4.x installations — review the framework requirements before upgrading and test on a staging environment first.

What's New in v1.5.0.2
  • lib/yaml/sfYamlInline.php — !!php/object: YAML deserialization blocked (Critical RCE, CWE-502).
  • lib/validator/sfValidatorCSRFToken.class.php — constant-time CSRF token comparison via hash_equals() (High, CWE-208).
  • lib/form/sfForm.class.php — CSRF token generation upgraded from MD5 to HMAC-SHA256 (Medium, CWE-326).
  • lib/i18n/sfChoiceFormat.class.php — character allowlist guard before eval() in i18n set notation (Medium, CWE-94).
  • public/index.php — front controller relocated to public/ subdirectory.
  • public/.htaccess — Apache rewrite rules relocated to public/ subdirectory.
  • README.md — directory layout and DocumentRoot examples updated to reflect public/.
  • INSTALL.md — all Apache and Nginx vhost examples, installation steps, security checklist, and troubleshooting updated for public/ web root.
  • RELEASE_NOTES.md — full v1.5.0.2 security advisory with technical detail, code diffs, and CWE references.
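
The two CSRF changes listed above for sfForm.class.php and sfValidatorCSRFToken.class.php, shown beside the pattern they replace, as an added example: this is not the project's own code. The function names, the session-id and form-class inputs to the token, and the sample values are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration; not the code from sfForm.class.php or
// sfValidatorCSRFToken.class.php. All names and inputs are hypothetical.

// Before: secret-prefix MD5 and a comparison that stops at the first
// differing byte.
function legacyToken(string $secret, string $sessionId, string $formClass): string
{
    return md5($secret . $sessionId . $formClass);
}

function legacyIsValid(string $expected, string $submitted): bool
{
    if ($expected != $submitted) { // the operator the release replaces
        return false;
    }
    return true;
}

// After: the secret is the HMAC key, never part of the hashed message.
function hmacToken(string $secret, string $sessionId, string $formClass): string
{
    if ($secret === '') {
        throw new InvalidArgumentException('CSRF secret must not be empty');
    }
    // A NUL separator keeps ("ab", "c") distinct from ("a", "bc").
    return hash_hmac('sha256', $sessionId . "\0" . $formClass, $secret);
}

function isValidToken(string $expected, mixed $submitted): bool
{
    // Request parameters can arrive as arrays (token[]=x) or be absent;
    // hash_equals() requires two strings, so check the type first.
    return is_string($submitted) && hash_equals($expected, $submitted);
}

// Constructed sample values.
$secret    = 'example-app-secret';
$sessionId = 'sess-7f3a';
$formClass = 'ContactForm';

$expected = hmacToken($secret, $sessionId, $formClass);
// Flip the last hex digit to build a near-miss token.
$tampered = substr($expected, 0, -1) . ($expected[-1] === '0' ? '1' : '0');

printf("legacy token: %d hex chars\n", strlen(legacyToken($secret, $sessionId, $formClass)));
printf("HMAC token:   %d hex chars\n", strlen($expected));

$cases = ['genuine' => $expected, 'tampered' => $tampered, 'array' => ['x'], 'missing' => null];
foreach ($cases as $label => $value) {
    printf("%-8s => %s\n", $label, isValidToken($expected, $value) ? 'accepted' : 'rejected');
}
```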

Get Support

The community is here to help. Join the conversation and get quick answers through any of the following channels:

Thank you to everyone in the community who reported issues and contributed. Please upgrade to 7x SymfonyOne v1.5.0.2 immediately.

7x Releases 7x Symfony v1.5.0.1 - The Symfony v1 Drop In Upgrade to PHP 8 Support

7x Symfony v1.5.0.1 Now Available — The Symfony One Framework Reborn With PHP 8.x through 8.5.6 Compatibility

(Reborn for general web development and as a drop-in upgrade for Symfony 1.4.x projects)

7x is extremely pleased to announce the release of 7x Symfony v1.5.0.1 to developers and users worldwide. This is the Symfony One Framework — the continuing evolution of the original symfony 1.4 MVC web application framework — reborn with full PHP 8.x through PHP 8.5.6 compatibility. Upgraded so you can continue to use Symfony 1 as designed originally, for both new general web development projects and as a drop-in upgrade path for existing Symfony 1.4.x installations.

This v1.5.0.1 release is a documentation patch release on top of v1.5.0.0, shipping a fully rewritten README.md in the 7x standard format alongside a new, comprehensive 21-section INSTALL.md developer guide covering everything from requirements and Composer integration to PDO and ORM database setup, form validation, CLI tasks, cache management, and deployment.

All PHP 8.x versions from 8.0 through 8.5.6 are supported. We strongly encourage you to run on PHP 8.4 or later for the best security and stability.

Read the full GitHub release notes for complete details on what is included in this release.

Getting Started
  • Download the release from GitHub.
  • Review the new INSTALL.md guide included in the repository for full setup, configuration, and deployment instructions.
  • Run on a PHP 8.4 or later environment for best results.
  • 7x Symfony v1.5 is designed as a drop-in upgrade for existing Symfony 1.4.x installations — ensure your environment meets the framework requirements before upgrading.

What's New in v1.5.0.1
  • README.md — renamed from the legacy plain-text README file and fully rewritten in the 7x standard format, including: project notice, project status, who is 7x, architecture overview, technology stack table, requirements matrix, quick start, full feature list, routing and action and DB code examples, CLI task reference, issue tracker, contribute, donate, copyright, and license sections.
  • INSTALL.md — brand-new 21-section installation and developer guide covering: requirements, directory layout, first-time installation, Composer integration, Apache and Nginx virtual host configuration, file permissions, building a page (module, action, template, and route walkthrough), routing reference, action patterns, templates and layouts, PDO database integration with full CRUD examples, sfDoctrinePlugin ORM, sfPropelPlugin ORM, Composer packages in actions, forms and validation, lime test suite, symfony1 CLI tasks, cache management, deployment checklist, and troubleshooting Q&A.
  • Privacy — removed all links to the internal private staging server from public documentation.

Get Support

The community is here to help. Join the conversation and get quick answers through any of the following channels:

Thank you to everyone in the community who tested, reported issues, and contributed. Enjoy 7x Symfony v1.5.0.1!

7x Announces Exponential Platform DXP 2.0.0.2

Exponential Platform DXP 2.0.0.2 Now Available (Symfony Only — New Stack — Platform v5)

(Rebooting our own Free Software community software distribution of this Very Powerful Open Source Symfony CMS Framework)

7x is extremely pleased to announce the release of Exponential Platform DXP 2.0.0.2 to users worldwide. This is a Symfony-only, new stack release built on Platform v5, featuring a brand new kernel, a rebranded design, and a clean front-end website design — along with all of your favourite classic features.

All versions support PHP 8.1 through 8.5. We strongly encourage you to run on PHP 8.4 or later for the best security and stability.

Read the full Share announcement for complete details on what is included in this release.

Getting Started

  • Download the release from GitHub or install via Composer.
  • Review the installation guide and requirements included in the repository doc/ folder.
  • Run on a clean PHP 8.4 environment for best results.
  • Check exponential.earth for packages, extensions, and composer setup instructions.
  • This is a Symfony-only new stack release — ensure your environment meets the Symfony framework requirements before installing.

Get Support

The community is here to help. Join the conversation and get quick answers through any of the following channels:

Thank you to everyone in the community who tested, reported issues, and contributed. Enjoy Exponential Platform DXP 2.0.0.2!

7x Announces Exponential Platform DXP 1.0.0.2 (Platform v4)

Exponential Platform DXP 1.0.0.2 Now Available (Symfony Only — New Stack — Platform v4)

7x is extremely pleased to announce the release of Exponential Platform DXP 1.0.0.2 to users worldwide. This is a Symfony-only, new stack release built on Platform v4, featuring a brand new kernel, a rebranded design, and a clean front-end website design — along with all of your favourite classic features.
All versions support PHP 8.1 through 8.5. We strongly encourage you to run on PHP 8.4 or later for the best security and stability.
Read the full Share announcement for complete details on what is included in this release.

Getting Started

  • Download the release from GitHub or install via Composer.
  • Review the installation guide and requirements included in the repository doc/ folder.
  • Run on a clean PHP 8.4 environment for best results.
  • Check exponential.earth for packages, extensions, and composer setup instructions.
  • This is a Symfony-only new stack release — ensure your environment meets the Symfony framework requirements before installing.

Get Support

The community is here to help. Join the conversation and get quick answers through any of the following channels:

Thank you to everyone in the community who tested, reported issues, and contributed. Enjoy Exponential Platform DXP 1.0.0.2!

7x Announces Exponential Platform Legacy (Rebooting our Free Software community software distribution of this Very Powerful Open Source Symfony CMS Framework)

Exponential Platform Legacy 3.3.44.7, 4.6.23.2 and 5.0.2 Now Available

We are extremely pleased to announce the latest wave of releases for Exponential Platform Legacy — versions 3.3.44.7, 4.6.23.2, and 5.0.2 — now available to users worldwide.
These releases bring a brand new kernel, a responsive admin design, a responsive front-end website design, and all of the classic features you know and love — updated and polished for today's web.
All three versions support PHP 8.1 through 8.5. We strongly encourage you to run on PHP 8.3 or later for the best security and stability.
Read the full release notes on Share: v3.3.44.7, v4.6.23.2 and v5.0.2.

Getting Started

  • Download the latest release from GitHub.
  • Review the installation guide and requirements included in the repository doc/ folder.
  • Run on a clean PHP 8.3 environment for best results.
  • Check the get.exponential.earth site for packages, extensions, and composer setup instructions.
  • Explore the bundled responsive designs — exp, foundation, and admin4 — to get your site up and running quickly.

Get Support

The community is here to help. Join the conversation and get quick answers through any of the following channels:

Thank you to everyone in the community who tested, reported issues, and contributed. Enjoy the new releases!

7x Announces Exponential Platform Nexus 1.1.0.7, 1.2.0.0 and 1.3.0.3 Now Available! Discover the difference we make!

Exponential Platform Nexus 1.1.0.7, 1.2.0.0 and 1.3.0.3 Now Available

7x is extremely pleased to announce the wave of releases for Exponential Platform Nexus — versions 1.1.0.7, 1.2.0.0, and 1.3.0.3 — now available to users worldwide.
These releases bring a brand new kernel, a responsive admin design, a responsive front-end website design, and all of the classic features you know and love — updated and polished for today's web.
All three versions support PHP 8.1 through 8.5. We strongly encourage you to run on PHP 8.3 or later for the best security and stability.
Read the full release notes on Share: v1.1.0.7, v1.2.0.0 and v1.3.0.3.

Getting Started

  • Download the latest release from GitHub.
  • Review the installation guide and requirements included in the repository doc/ folder.
  • Run on a clean PHP 8.3 environment for best results.
  • Check the exponential.earth site for packages, extensions, and composer setup instructions.
  • Explore the bundled responsive designs — exp, foundation, and admin4 — to get your site up and running quickly.

Get Support

The community is here to help. Join the conversation and get quick answers through any of the following channels:

Thank you to everyone in the community who tested, reported issues, and contributed. Enjoy the new releases!

7x Announces Exponential Platform Nexus (Rebooting our free software community software distribution of this Very Powerful Symfony CMS Framework + Bundle's From Netgen)

7x and Graham Brookins are proud to share the news of the release of a major new web app development system called Exponential Platform Nexus v1.x (100% Compatible with eZ Publish Platform 5.x & eZ Platform Legacy 2.5).

Download it for free here at GitHub: https://github.com/se7enxweb/exponential-platform-nexus/releases/tag/v1.0.0.0.3

https://github.com/se7enxweb/exponential-platform-nexus/archive/refs/tags/v1.0.0.0.3.zip

Download it for free here at SourceForge: https://sourceforge.net/projects/exponential-platform-nexus/files/v1.0.0.0.3/v1.0.0.0.3%20source%20code.zip/download

Release posted here on the project website, https://platform.exponential.earth/download

Install it via PHP + Composer Package using:

# composer require se7enxweb/exponential-platform-nexus:v1.0.0.0.3 --ignore-platform-reqs;

Installation instructions documentation, https://platform.exponential.earth/installation

Free Online Demo of this software including the AdminUI, https://platform.exponential.earth/about/demo

This project uses the remains of the abandoned eZ Publish Platform Software Stack, licensed under GPLv2. When updated to support PHP 8+, it resumes working as originally designed despite its maturity and free and open framework CMS values.

We believe in supporting users of legacy software stacks as first class citizens where user freedoms are exalted above the corporate desire to bind users to costly purchases just to use the core product.

Notable Changes (Since Exponential Platform Legacy 2.5.0.1 for PHP 8):
   Updated: Rebranding package UI assets from eZ Platform to Exponential Platform. Updated / Replaced Logos used within AdminUI.
       Task name before, "Replacing most front facing branding of text string, 'eZ Platform', 'ezplatform' from the user facing displays in code and templates."
   Updated: Bugfix to core distribution app/config/config.yml and composer.json rules which fix content tree browse feature in AdminUI.

Open Source Project Website Content Expanded: https://platform.exponential.earth

To learn more about Exponential, Exponential Platform Legacy and Exponential Basic From 7x and to download the latest version please visit:
- https://exponential.earth
- https://platform.exponential.earth

To learn more about Exponential Family of CMS Software From 7x and to join the community please visit Share Exponential! @ Visit: https://lnkd.in/gdAHpy-m

7x is now offering turn key Exponential and Exponential Platform Legacy CMS Website Hosting, Design, Development, Training, Long term maintenance and support at https://lnkd.in/gvPkYU8T

Cheers,
Graham Brookins
7x

7x Announces Exponential Platform Legacy (Rebooting our free software community software distribution of this Very Powerful Symfony CMS Framework)

7x and Graham Brookins are proud to share the news of the release of a rebranded v2.5.0.1 of Exponential Platform Legacy (100% Compatible with eZ Publish Platform 5.x & eZ Platform Legacy 2.5).

Download it for free here at GitHub: https://github.com/se7enxweb/exponential-platform-legacy/releases/tag/v2.5.0.1
https://github.com/se7enxweb/exponential-platform-legacy/archive/refs/tags/v2.5.0.1.zip

Download it for free here at SourceForge: https://sourceforge.net/projects/exponentialplatformlegacy/files/v2.5.0.1/v2.5.0.1%20source%20code.zip/download

Release posted here on the project website, https://platform.exponential.earth/download

Install it via PHP + Composer Package using:

# composer require se7enxweb/exponentialplatformlegacy:v2.5.0.1 --ignore-platform-reqs;

Installation instructions documentation, https://platform.exponential.earth/installation

Free Online Demo of this software including the AdminUI, https://platform.exponential.earth/about/demo

This project uses the remains of the abandoned eZ Publish Platform Software Stack, licensed under GPLv2. When updated to support PHP 8+, it resumes working as originally designed despite its maturity and free and open framework CMS values.

We believe in supporting users of legacy software stacks as first class citizens where user freedoms are exalted above the corporate desire to bind users to costly purchases just to use the core product.

Notable Changes (Since eZ Platform Legacy 2.5.0.0 for PHP8):
   Updated: Rebranding package UI assets from eZ Platform to Exponential Platform. Updated / Replaced Logos used within AdminUI.
       Task name before, "Replacing most front facing branding of text string, 'eZ Platform', 'ezplatform' from the user facing displays in code and templates."
   Updated: Bugfix to core distribution app/config/config.yml and composer.json rules which fix content tree browse feature in AdminUI.

Open Source Project Website Content Expanded: https://platform.exponential.earth

To learn more about Exponential, Exponential Platform Legacy and Exponential Basic From 7x and to download the latest version please visit:
- https://exponential.earth
- https://lnkd.in/g284XiWh

To learn more about Exponential Family of CMS Software From 7x and to join the community please visit Share Exponential! @ Visit: https://lnkd.in/gdAHpy-m

7x is now offering turn key Exponential and Exponential Platform Legacy CMS Website Hosting, Design, Development, Training, Long term maintenance and support at https://lnkd.in/gvPkYU8T

Cheers,
Graham Brookins
7x