By fuzzing endpoints like `/app_dev.php` and `/app_dev.php/_profiler`, you can uncover sensitive information such as profiler tokens, database credentials, and server configuration. (Note that there is no app_secret exposed at this stage.) The Symfony web profiler component exposes very sensitive information and provides dangerous features that attackers can abuse to retrieve application files.
This misconfiguration lets attackers remotely reach the Symfony `/_profiler` in deployments where such access should be restricted, because the dev environment enables the debugging tools by default. The expected hardening is to keep `app_dev.php` (or any dev front controller) out of the production web root and to leave the profiler disabled outside the dev environment.
Today I'll explain how I found multiple vulnerabilities in a web application built on the Symfony framework, where the Symfony profiler/debug mode was enabled.
Potential for remote code execution: browse the `/_profiler` URL to see all stored profiles. To limit the disk space used by profiles, they are probabilistically removed after 2 days, so a profile may disappear between requests. When the development environment (with the debug bar) is in use, the profiler already includes a phpinfo page.
Access `/app_dev.php/_profiler/phpinfo`, or use the "View full PHP configuration" link in the Configuration panel of the profiler. Symfony 7 also lets you expose `phpinfo()` deliberately by declaring a dedicated route through the Symfony routing system that calls the `phpinfo` function. To go further than reading configuration, we have to find the app_secret first.
We can read PHP info at `/_profiler/phpinfo`.
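The probing described above, as an added example that is not part of the original write-up: a small checker that requests the candidate dev/profiler paths named in the text and classifies each response. The response signatures it looks for (the "Symfony Profiler" page title, six-hex-character profiler tokens in `/_profiler/<token>` links, the `PHP Version` heading of `phpinfo()`, and the `X-Debug-Token` response header) are assumptions about how these pages render; the target hostname and the sample responses are constructed so the script runs offline.

```python
"""Probe a Symfony app for exposed dev-environment / web-profiler endpoints.

Added example (not code from the original write-up). The paths come from the
text; the signatures are assumptions about how the profiler renders.
"""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# Paths named in the write-up, with and without the dev front controller.
CANDIDATE_PATHS = [
    "/app_dev.php",
    "/app_dev.php/_profiler",
    "/_profiler",
    "/_profiler/phpinfo",
    "/app_dev.php/_profiler/phpinfo",
]

# Assumed signatures of an exposed component.
PROFILER_TITLE = re.compile(r"Symfony Profiler", re.I)
PROFILER_TOKEN = re.compile(r"/_profiler/([0-9a-f]{6})\b", re.I)
PHPINFO_PAGE = re.compile(r"PHP Version|phpinfo\(\)", re.I)


def classify_response(path, status, headers, body):
    """Return finding labels for one response.

    An X-Debug-Token header on any status proves debug mode is on, even when
    the route itself is a 404; profiler/phpinfo content only counts on a 200.
    """
    findings = []
    if any(k.lower() == "x-debug-token" for k in headers):
        findings.append("debug-mode:x-debug-token")
    if status != 200:
        return findings
    if PROFILER_TITLE.search(body):
        findings.append("profiler:index")
    tokens = sorted(set(PROFILER_TOKEN.findall(body)))
    if tokens:
        findings.append("profiler:tokens=" + ",".join(tokens))
    if PHPINFO_PAGE.search(body):
        findings.append("phpinfo:exposed")
    return findings


def scan(base_url, fetch):
    """Probe every candidate path; fetch(url) returns (status, headers, body)."""
    report = {}
    for path in CANDIDATE_PATHS:
        status, headers, body = fetch(base_url.rstrip("/") + path)
        findings = classify_response(path, status, headers, body)
        if findings:
            report[path] = findings
    return report


def http_fetch(url):
    """Real fetcher for a live target; returns non-2xx bodies too."""
    req = urllib.request.Request(url, headers={"User-Agent": "profiler-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read(200000).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read(200000).decode("utf-8", "replace")


# Constructed sample responses (not captured from a real site) for offline runs.
SAMPLE_RESPONSES = {
    "/_profiler": (200, {"Content-Type": "text/html"},
                   '<title>Symfony Profiler</title>'
                   '<a href="/_profiler/3f9a1c">GET /</a>'
                   '<a href="/_profiler/b7e210">POST /login</a>'),
    "/_profiler/phpinfo": (200, {"Content-Type": "text/html"},
                           "<h1>PHP Version 8.2.1</h1>"),
    "/app_dev.php": (404, {"X-Debug-Token": "3f9a1c"}, "No route found"),
}


def sample_fetch(url):
    path = urllib.parse.urlparse(url).path
    return SAMPLE_RESPONSES.get(path, (404, {}, "Not Found"))


if __name__ == "__main__":
    # Usage: python probe.py http://target.example   (no argument = offline demo)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    fetch = http_fetch if target else sample_fetch
    for found_path, labels in scan(target or "http://target.example", fetch).items():
        print(found_path, "->", ", ".join(labels))
```

Run it against a host only with authorization; a hit on `profiler:tokens=` is the pivot point, since each token opens a stored request profile with its request and configuration panels.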