By fuzzing endpoints like `/app_dev.php` and `/app_dev.php/_profiler`, you can uncover sensitive information such as profiler tokens, database credentials, and server configurations. The Symfony web profiler component exposes very sensitive information and provides dangerous features that can be abused by attackers to retrieve application files. This vulnerability enables attackers to remotely access the Symfony `/_profiler` in configurations where such access would typically be restricted, as the dev environment activates debugging tools by default. Today I’ll explain how I found multiple vulnerabilities on a web application that used the Symfony web framework where Symfony profiler/debug mode was enabled. Potential for remote code execution. Browse the `/_profiler` URL to see all profiles.
To limit the storage used by profiles on disk, they are probabilistically removed after 2 days. When using the development environment (with the debug bar), the profiler already includes a phpinfo page. Access `/app_dev.php/_profiler/phpinfo` or use the "View full PHP configuration" link in the configuration panel of the profiler. This tutorial demonstrates how to display PHP information using `phpinfo` in Symfony 7. To create a dedicated route for displaying PHP information, we can use the Symfony routing system and the `phpinfo` function. To do it we have to find the `app_secret` first.
But there’s no `app_secret` here. The second method is via SSRF, but we can’t use it.