bi-smi llāhi r-raḥmāni r-raḥīmi (In the name of Allah, most gracious and most merciful)
Hello, beautiful people!
I'm Abid Ahmad, a Cyber Security student and ethical hacker. Today I'll explain how I found multiple vulnerabilities in a web application built on the Symfony web framework, where the Symfony profiler/debug mode was enabled.
The Symfony web framework has a feature called the Symfony Profiler. This profiler component is only available when debug mode is enabled. Here is the twist: the Symfony framework itself is quite secure, but enabling debug mode in production makes the application extremely vulnerable, because the Symfony web profiler exposes sensitive information about the web application that attackers can abuse.
The Debug component provides tools to ease debugging PHP code and helps developers a lot during the development stage. Symfony provides three environments by default, called dev, test, and prod (production). Symfony strongly recommends disabling the profiler and debug tools in the production environment, but sometimes developers forget, and that leaves the web application vulnerable.
Then I proceeded to the asset discovery phase. Initially, I fuzzed directories using FFUF and found an interesting file, "app_dev.php". Its presence indicates that Symfony debug mode might be enabled.
Let's check it in the browser. When I browsed to "https://sub.redacted.com/app_dev.php", I found that debug mode was enabled and got a profiler token to access the Symfony Profiler. I also obtained the location of the phpinfo file.
Up to this point, the severity of my finding was Medium. I knew the Symfony debug toolbar allows reading files that could expose sensitive information, so I tried to dig deeper to increase the severity. I researched some articles and read the Symfony documentation, and found that in Symfony 3.4 the default configuration file holding the database settings is located at app/config/parameters.yml.
So I tried to open the configuration file, and boom: it contained the database and mail server credentials.
Exposed credentials have a wide range of consequences, because they can be used for data breaches and system compromises, leading to loss of brand reputation as well as financial losses.
Disable debug mode by setting APP_DEBUG to false. Debug mode must always be disabled in the production environment.
If you find a web application that uses the Symfony web framework, do not forget to check for debug mode and the profiler. The developer might have forgotten to disable it.
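A defender-side check to go with the fix: the Python below is an added example, not code from the original post, and it scans constructed web server access log lines (combined log format) for requests that the Symfony debug front controller (app_dev.php) or the profiler routes (/_profiler, /_wdt) actually served with a 2xx status. That is the signal a production team can alert on to catch the exposure described in this write-up; the sample IPs and log lines are made up for the example.

```python
import re
from typing import Dict, List

# Paths that only answer when Symfony's debug front controller / profiler is reachable.
# /app_dev.php is the Symfony 3.x debug front controller; /_profiler and /_wdt are the
# web profiler and web debug toolbar routes it exposes.
DEBUG_PATHS = re.compile(r"/app_dev\.php(?:/|$|\?)|/_profiler(?:/|$)|/_wdt(?:/|$)")

# Combined log format (Apache/nginx default): client, time, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

def parse_line(line: str) -> Dict[str, str]:
    """Parse one combined-format access log line; returns {} if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}

def find_debug_exposure(lines: List[str]) -> List[Dict[str, str]]:
    """Return the requests that reached Symfony debug/profiler paths with a 2xx status.

    A 2xx means the debug front controller served the request, which is the
    misconfiguration in production; a 403/404 for the same path is not flagged.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue  # skip lines that are not in combined log format
        if DEBUG_PATHS.search(rec["path"]) and rec["status"].startswith("2"):
            hits.append({"ip": rec["ip"], "path": rec["path"], "status": rec["status"]})
    return hits

# Constructed sample lines (not from the original post); the IPs are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /app_dev.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /app_dev.php/_profiler/abc123 HTTP/1.1" 200 40321',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /app.php/login HTTP/1.1" 200 2210',
    '203.0.113.9 - - [10/Oct/2023:13:56:05 +0000] "GET /app_dev.php HTTP/1.1" 403 215',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in find_debug_exposure(SAMPLE_LOG):
        print(f"debug controller reachable: {hit['ip']} {hit['path']} -> {hit['status']}")
```

For Symfony 3.x applications, which use the app_dev.php front controller rather than the APP_DEBUG variable, the equivalent fix is to not deploy app_dev.php (or any other dev front controller) to the production web root at all.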