From the Symfony advisory:
CVE-2012-6431: On the Symfony 2.0.x version, there's a security issue that allows access to routes protected by a firewall even when the user is not logged in.
CVE-2012-6432: For handling ESIs (via the render tag), Symfony uses a special route named _internal, defined in @FrameworkBundle/Resources/config/routing/internal.xml.
As of Symfony 2.1, the internal routing file defines an additional route, _internal_public, to be able to manage HIncludes (also via the render tag).
As the _internal route must only be used to route URLs between your PHP application and a reverse proxy, it must be secured to avoid any access from a browser. But the _internal_public route must always be available from a browser as it should be reachable by your frontend JavaScript (of course only if you are using HIncludes in your application).
These two routes execute the same FrameworkBundle:Internal:index controller which in turn executes the controller passed as an argument in the URL. If these routes are reachable by a browser, an attacker could call them to execute protected controllers or any other service (as a controller can also be defined as a service).
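A detection check for the exposure described above, as an added example that is not part of the Symfony advisory: it scans combined-format access log lines for requests that reached the internal route from an address other than the reverse proxy, while ignoring the browser-facing public route. The URL prefixes, proxy addresses and log lines are assumptions constructed for illustration; the real prefixes depend on how the application imports internal.xml.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumptions (not from the advisory): the URL prefixes depend on how the
# application imports internal.xml; proxy addresses are site-specific.
PROTECTED_PREFIX = "/_internal"
PUBLIC_PREFIX = "/_internal/public"
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "10.0.0.0/24")]

# Combined log format: client address, two fields, [time], "METHOD target ...", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def under(path, prefix):
    # Match on whole path segments so "/_internalize" is not treated as "/_internal"
    return path == prefix or path.startswith(prefix + "/")

def is_trusted(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable client field is never trusted
    return any(ip in net for net in TRUSTED_PROXIES)

def find_suspect_requests(lines):
    """Return (client, method, path, status) for internal-route hits from non-proxy clients."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        path = unquote(target.split("?", 1)[0])  # drop query string, decode %xx
        if not under(path, PROTECTED_PREFIX) or under(path, PUBLIC_PREFIX):
            continue
        if not is_trusted(client):
            hits.append((client, method, path, int(status)))
    return hits

# Constructed sample log lines (documentation addresses, placeholder paths)
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Jan/2013:10:00:00 +0000] "GET /_internal/secure/EXAMPLE/none.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jan/2013:10:00:01 +0000] "GET /_internal/secure/EXAMPLE/none.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jan/2013:10:00:02 +0000] "GET /_internal/public/EXAMPLE/none.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Jan/2013:10:00:03 +0000] "GET /_internalize HTTP/1.1" 404 0',
    '198.51.100.9 - - [10/Jan/2013:10:00:04 +0000] "GET /_internal/secure/EXAMPLE/none.html HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged line means the internal route answered a non-proxy client; a 403 means the request was attempted but blocked.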