- Hello. Today I’ll explain how I found multiple vulnerabilities in a web app that used the Symfony web framework with the Symfony profiler/debug mode enabled.
**Understanding the Symfony profiler & Debug component**
- The Symfony web framework has a feature called the Symfony Profiler
- This profiler component can only be used when debug mode is enabled (that is the twist)
- The Symfony web framework is quite secure by itself, but enabling debug mode makes the application extremely vulnerable
- The Symfony web profiler component exposes sensitive information about the web application
**Why do devs enable the Debug component?**
- The Debug component provides tools that ease debugging PHP code
- Symfony provides three environments by default, called dev, test, and prod
- Symfony highly recommends disabling the profiler tools in the production environment
**How I found the vulns (step by step)**
- Let’s assume the target site is https://test.com, but the bug is on a subdomain
- First, check which web technologies the target uses
- Use Wappalyzer for this
- Then I moved on to FFUF and fuzzed the target with it. I found an interesting file, “app_dev.php” (it indicates that Symfony debug mode might be enabled)
- Let’s check it in the browser. When I browsed to “https://sub.test.com/app_dev.php”, I found that debug mode was enabled and got a profiler token to access the Symfony Profiler. I also got the location of the phpinfo file
- Until now, the severity of my findings was Medium. I knew the Symfony debug toolbar allows reading files that could
- So I found the endpoint app/config/parameters.yml, which showed Symfony version 3.4. It contained the mail server and database credentials
**Impact**
Exposed credentials have a wide range of consequences, because those credentials can be used in data breaches
**Mitigation**
Disable debug mode by setting APP_DEBUG to false. Debug mode should be disabled in the production environment
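To turn the finding and the mitigation into something a team can run against its own deployments, here is an added example (my own code, not from this write-up or from the Symfony project). It checks the two places where the problem above shows up: a release that still ships the dev front controller (`web/app_dev.php`, the file found by fuzzing) or runs with `APP_DEBUG` on, and an HTTP response from your own host that carries the profiler token. It assumes the classic Symfony 3.x layout (`web/app_dev.php`, `web/config.php`), the Flex-style `.env` with `APP_ENV`/`APP_DEBUG`, and that an enabled profiler announces itself with the `X-Debug-Token`/`X-Debug-Token-Link` headers and the `sf-toolbar` class of the web debug toolbar; the sample paths, header values and `.env` contents are constructed for the demo.

```python
"""Defender-side checks for the Symfony debug/profiler exposure described
in this write-up.  Added example, not code from the original post.
Assumptions (not stated on the page): the classic Symfony 3.x layout ships
the dev front controller as web/app_dev.php; the Symfony Flex layout reads
APP_ENV / APP_DEBUG from .env; and an enabled profiler announces itself with
the X-Debug-Token / X-Debug-Token-Link response headers and the "sf-toolbar"
CSS class of the web debug toolbar.
"""
import os
import re
from typing import Dict, List, Mapping, Sequence

# Files that belong to the dev environment and must never be deployed.
DEV_FRONT_CONTROLLERS = ("web/app_dev.php", "web/config.php")

# Response headers the profiler adds once it is enabled (lower-cased).
PROFILER_HEADERS = ("x-debug-token", "x-debug-token-link")

# Body markers of the profiler / web debug toolbar (assumed from its HTML).
BODY_MARKERS = ("/_profiler/", "sf-toolbar")

# Values the Symfony front controller treats as "debug on".
TRUTHY = ("1", "true", "yes", "on")

DOTENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Z_][A-Z0-9_]*)\s*=\s*(.*?)\s*$")


def classify_response(status: int, headers: Mapping[str, str], body: str) -> List[str]:
    """Findings for one HTTP response from a host you operate; [] means clean."""
    findings: List[str] = []
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in PROFILER_HEADERS:
        if name in lowered:
            findings.append(f"profiler header {name} present (token {lowered[name]})")
    if status == 200:
        for marker in BODY_MARKERS:
            if marker in body:
                findings.append(f"profiler marker {marker!r} in body")
                break
    return findings


def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal .env reader: KEY=value lines, optional quotes, # comments."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = DOTENV_LINE.match(line)
        if match:
            env[match.group(1)] = match.group(2).strip("\"'")
    return env


def check_deployment(files: Sequence[str], env: Mapping[str, str]) -> List[str]:
    """Findings for a release artefact: the relative paths it ships and the
    environment it will run with.  Order: shipped dev files, APP_DEBUG, APP_ENV."""
    findings: List[str] = []
    normalized = {os.path.normpath(f).replace(os.sep, "/") for f in files}
    for path in DEV_FRONT_CONTROLLERS:
        if path in normalized:
            findings.append(f"dev front controller shipped: {path}")
    if env.get("APP_DEBUG", "").strip().lower() in TRUTHY:
        findings.append(f"APP_DEBUG={env['APP_DEBUG']} (must be 0 in prod)")
    if env.get("APP_ENV", "prod").strip().lower() != "prod":
        findings.append(f"APP_ENV={env['APP_ENV']} (must be prod)")
    return findings


def scan_release_dir(root: str) -> List[str]:
    """Walk a checked-out release and apply check_deployment to what it ships."""
    files: List[str] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            files.append(os.path.relpath(os.path.join(dirpath, name), root))
    env: Dict[str, str] = {}
    env_path = os.path.join(root, ".env")
    if os.path.isfile(env_path):
        with open(env_path, encoding="utf-8") as fh:
            env = parse_dotenv(fh.read())
    return check_deployment(files, env)


if __name__ == "__main__":
    # Constructed sample: what a response from an exposed app_dev.php looks like.
    sample_headers = {"Content-Type": "text/html",
                      "X-Debug-Token": "0a1b2c",
                      "X-Debug-Token-Link": "https://sub.test.com/app_dev.php/_profiler/0a1b2c"}
    for finding in classify_response(200, sample_headers, '<div class="sf-toolbar"></div>'):
        print("response:", finding)
    # Constructed sample release: the dev controller slipped into the build.
    for finding in check_deployment(["web/app.php", "web/app_dev.php"],
                                    parse_dotenv("APP_ENV=prod\nAPP_DEBUG=1\n")):
        print("release:", finding)
```

`scan_release_dir` is the piece to wire into a CI or pre-deploy step (fail the build if it returns anything); `classify_response` is meant for a periodic check of your own production hosts, since a profiler header on a prod response means the same token-based profiler access that the write-up describes is open to anyone.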