Skip to main content

Symfony Profiler in Production – An Entry Point for Sensitive Data Leaks and Remote Code Execution

Illustration of Symfony Profiler in Production – An Entry Point for Sensitive Data Leaks and Remote Code Execution
Jakub Żoczek

During a security audit, a web application using an outdated version of the Symfony framework was identified. The analysis revealed the presence of the Symfony Profiler tool, which is commonly used for debugging applications during development.

The Profiler provides detailed information about the application’s operation, which is useful for developers. However, in a production environment, its availability can lead to the disclosure of sensitive information and, in some cases, remote code execution on the server.

Access to the Symfony Profiler Tool

Accessing the Symfony Profiler is possible by navigating to the /app_dev.php endpoint on the server. Upon accessing the page, a toolbar appears, providing access to various diagnostic features, as shown in the screenshot below:

Screenshot 1

Sensitive Information Accessible in the Profiler

The Profiler can expose a wide range of information about the application, including:

  • PHP configuration details through the phpinfo() function:

Screenshot 2

  • Error details generated during HTTP requests:

Screenshot 3

  • Contents of configuration files, including files containing access credentials or secret tokens:

Screenshot 4

Remote Code Execution

In critical cases, the availability of the Symfony Profiler can allow an attacker to extract a secret token from the configuration files. This token can then be used to exploit another Symfony feature – the /_fragment endpoint. By leveraging this mechanism, an attacker can achieve remote code execution (RCE) on the server.

An exploit demonstrating this attack is publicly available in the following repository: https://github.com/ambionics/symfony-exploits.

After successful exploitation, remote code execution can be confirmed by a result displayed in the browser:

Screenshot 5

Audit Findings in Other Applications

During the audit, other web applications with the Symfony Profiler enabled were also identified. However, in these cases, the attack described above could not be successfully executed. Despite the inability to escalate the issue to full RCE, the presence of the Profiler in a production environment still poses a significant security risk.

Recommendations

To secure web applications against this attack vector, the following steps are recommended:

  1. Disable access to the Symfony Profiler in production environments.
  2. Upgrade the Symfony framework to the latest stable version.
  3. Ensure unique “secret” tokens are used for each application instance.
  4. Perform regular security audits to identify potential configuration issues.

Implementing these recommendations can significantly reduce the risk of sensitive data exposure and potential attacks leading to remote code execution on production servers.

Other Insights

Illustration of Session Fixation: A „Hidden Threat” to Web Application Security

Session Fixation: A „Hidden Threat” to Web Application Security

Marcin Zięba

Session fixation is a security vulnerability that occurs when an attacker forces a legitimate user to utilize a predetermined session identifier (session ID). This allows the attacker to hijack the session and impersonate the victim once they authenticate with the web application. The vulnerability arises when an application fails to properly regenerate a new session ID upon user authentication, thereby continuing to use the preexisting session ID provided by the attacker. Common attack vectors include injecting the session ID through URL parameters, cookies, or hidden form fields.

READ article
A professional cybersecurity consultant ready to assist with your inquiry.

Any questions?

Happy to get a call or email
and help!

Contact Us