SensioLabs Symfony version 3.3.6 - Cross-Site Scripting (Reflect)

# Exploit Title: SensioLabs Symfony version 3.3.6 - Cross-Site Scripting (Reflect)
# Date: 08-06-2018
# Software Link: https://symfony.com/
# Exploit Author: HaMM0nz (Chakrit S.), a member of KPMG Cyber Security team in Thailand
# CVE: CVE-2018-12040
# Category: webapps

1. Description

Symfony is a set of PHP Components, a Web Application framework, a Philosophy, and a Community  all working together in harmony. (Copied from homepage.)

2. Proof of Concept

1. Navigate to http://www.example.com/_profiler/ , by default the credential is not required to access this component.
2. Insert any non-existence path in the website for example, a random path is "http://www.example.com/qwertyuio".
3. In the Symfony profiler navigate to the row with HTTP response code "404" and click to the "Token" link in page.
4. Go to Exception pane and follow the any link in the page e.g. "vendor/symfony/symfony/src/Symfony/Component/HttpKernel/EventListener/RouterListener.php"
5. Inject <script>alert("XSS")</script> into "file" parameter , the PoC exploit will be "http://www.example.com/_profiler/open?file=<script>alert("XSS")</script>".

3. Timeline

3.1 Discovery and report - 5 June 2018.
3.2 CVE ID was assigned - 8 June 2018.
3.3 Public - 8 June 2018.

4. Solution

Upgrade the Symfony to the version 4.1 or higher.