Finding bugs in Symfony

rei_hunt
3 min read, Jan 27, 2022

Credit: How I was able to find multiple vulnerabilities of a Symfony Web Framework web application | by Abid Ahmad | Jan, 2022 | Medium

  • Hello. Today I’ll explain how I found multiple vulnerabilities in a web app built on the Symfony web framework, where the Symfony profiler/debug mode was enabled

Understanding the Symfony profiler & Debug component

  • The Symfony web framework has a feature called the Symfony Profiler
  • This profiler component can only be used when debug mode is enabled (this is the twist)
  • The Symfony web framework itself is quite secure, but enabling debug mode makes an application built on it extremely vulnerable
  • The Symfony web profiler component exposes sensitive information about the web application

— Why do devs enable the Debug component?

  • The Debug component provides tools that ease debugging of PHP code
  • Symfony provides three environments by default, called dev, test, and prod
  • Symfony strongly recommends disabling the profiler tools in the production environment

How I found the vulns (step by step)

  • Let’s assume the target site is https://test.com. The bug, however, is on a subdomain
  • First, check which web technologies the site uses
  • Use Wappalyzer for that
  • Then I moved on to FFUF. I fuzzed the target with FFUF and found an interesting file, “app_dev.php” (it indicates that Symfony’s debug mode might be enabled)
  • Let’s check it in the browser. When I browsed to “https://sub.test.com/app_dev.php”, I found that debug mode was enabled and got a profiler token to access the Symfony Profiler. I also got the location of the phpinfo file
  • Until now, the severity of my findings was Medium. I knew the Symfony debug toolbar allows reading files that could
  • So I found the endpoint app/config/parameters.yml. It showed Symfony version 3.4, and it contains the mail server and database credentials

IMPACT:

The impact of exposed credentials is wide-ranging, because those credentials can be used in data breaches

Mitigation

Disable debug mode by setting APP_DEBUG to false. Debug mode should always be disabled in the production environment
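As an added example (not from the original post or from Symfony itself), here is a small defender-side Python check for the two things this write-up turns on: a detector that scans web-server access logs for successful hits on the dev front controller and profiler paths (app_dev.php, /_profiler, /_wdt), and a .env audit for the APP_ENV/APP_DEBUG settings named in the mitigation. The sample log lines and .env contents are constructed; the function names are my own.

```python
import re

# Paths that belong to Symfony's dev front controller and profiler; none of these
# should be reachable on a production host (app_dev.php is what the write-up found).
DEBUG_PREFIXES = ("/app_dev.php", "/app_test.php", "/config.php")
PROFILER_MARKERS = ("/_profiler", "/_wdt")

# Combined/common log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Constructed sample access-log lines (not from the original post).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Jan/2022:10:00:01 +0000] "GET /app_dev.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [27/Jan/2022:10:00:02 +0000] "GET /app_dev.php/_profiler/7d1e2f HTTP/1.1" 200 8800',
    '198.51.100.9 - - [27/Jan/2022:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 1200',
    '198.51.100.9 - - [27/Jan/2022:10:00:04 +0000] "GET /app_dev.php HTTP/1.1" 403 300',
]

def is_debug_request(path: str) -> bool:
    """True if the request targets the dev front controller or the profiler."""
    return path.startswith(DEBUG_PREFIXES) or any(m in path for m in PROFILER_MARKERS)

def find_debug_exposure(lines):
    """Return (ip, path, status) for every *successful* hit on a debug path;
    a 403/404 means the server refused it, which is the expected production state."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, path, status = m.groups()
        if is_debug_request(path) and status.startswith("2"):
            hits.append((ip, path, int(status)))
    return hits

def check_env(env_text: str):
    """Flag .env values that leave the dev environment or debug mode switched on
    (Flex-style APP_ENV/APP_DEBUG, matching the post's mitigation)."""
    values = {}
    for raw in env_text.splitlines():
        raw = raw.strip()
        if raw and not raw.startswith("#") and "=" in raw:
            k, v = raw.split("=", 1)
            values[k.strip()] = v.strip().strip("\"'")
    issues = []
    if values.get("APP_ENV", "prod") != "prod":
        issues.append("APP_ENV is %r, expected prod" % values["APP_ENV"])
    if values.get("APP_DEBUG", "0").lower() not in ("0", "false"):
        issues.append("APP_DEBUG is %r, expected 0/false" % values["APP_DEBUG"])
    return issues
```

Note that an older Symfony Standard Edition 3.4 deployment is driven by the app_dev.php front controller rather than APP_DEBUG, so the log check matters there even when no .env exists.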
