Misconfiguration in a bottle: Symfony Profiler exposed
Char49 recently discovered a security misconfiguration on a subdomain of the website of an American multinational corporation (Top 50 on the Fortune 500): an exposed Symfony web framework debug endpoint leaking sensitive information.
In a nutshell, exposing the Symfony Profiler, or any other web framework debug endpoint, can provide attackers with valuable information that can be used to compromise not only the affected application but also other company systems. Therefore, it is crucial to ensure that debug mode is disabled in production environments and that verbose error messages or debug features are not accessible to external parties.
What we did
Symfony Profiler “is a powerful development tool that gives detailed information about the execution of any request”. If enabled it becomes accessible, by default, at /_profiler without authentication.
After confirming that the Symfony Profiler was enabled and publicly accessible, simply by requesting its default endpoint, we reviewed the latest 10 logged requests:
https://the_company.tld/_profiler/empty/search/results?limit=10
Since no relevant information was found there, we filtered the results to show only POST requests, as most login forms submit their data via the POST method. The first filtered results showed the login requests made by the company's admins to access the web application.
Although best practices say that logs should not include sensitive information, usernames and passwords were found in plaintext. With this information at hand we gained administrative access to the company's PIMS (Production Information Management System) back-end.
The company's PIMS offers several other options and functionalities, but for the sake of the proof-of-concept we already had enough to report to the company's security team.
Back in the Symfony Profiler, we found that other sensitive information (server parameters), such as the Okta admin secret, was also being logged in plaintext. Stolen Okta parameters can provide attackers with a significant advantage, potentially enabling them to bypass authentication controls and gain access to sensitive data or systems. Once again, it is critical to protect such data and ensure that it is not exposed to unauthorized parties.
Remediation
The company was quick to respond to our security advisory and took immediate action to fix the issue, proving its commitment to users' security and to its responsible disclosure policy. For some reason, the company didn't want its name disclosed, even after adding us to its Wall of Fame. At Char49 we respected the vendor's decision.
Vulnerabilities can exist on any website or application, no matter how mature the organization's security posture is. A responsible disclosure policy makes it easier for security researchers to contribute to the organization's overall security, but training of technical teams and regular security audits play an equally important role. On the technical side, robust access controls, network segmentation, a review of security defaults, proper logging and monitoring, and a repeatable hardening process for deploying locked-down environments are mandatory.
If you're deploying Symfony applications, this is a good opportunity to check whether they follow the best practices 1, 2.
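As an added example of the logging and monitoring mentioned above (this is not Char49's code nor the affected company's), the script below scans web-server access logs for requests to Symfony's debug routes and separates requests that were actually served (the profiler is live in production) from rejected probes (the route is off, but someone is looking for it). The log lines, IP addresses and profiler token are constructed; `/_wdt` is the prefix of the Symfony web debug toolbar route.

```python
import re
from collections import Counter

# Constructed sample access log in the common/combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Mar/2023:10:01:02 +0000] "GET /_profiler/empty/search/results?limit=10 HTTP/1.1" 200 18342 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Mar/2023:10:01:09 +0000] "GET /_profiler/empty/search/results?limit=10&method=POST HTTP/1.1" 200 21004 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Mar/2023:10:01:15 +0000] "GET /_profiler/a1b2c3?panel=request HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Mar/2023:10:03:44 +0000] "GET /login HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Mar/2023:10:03:50 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.99 - - [20/Mar/2023:08:15:00 +0000] "GET /_profiler/ HTTP/1.1" 404 153 "-" "curl/7.88"
192.0.2.99 - - [20/Mar/2023:08:15:01 +0000] "GET /_wdt/abc123 HTTP/1.1" 404 153 "-" "curl/7.88"
"""

# ip, two ident/user fields, timestamp, "METHOD PATH PROTOCOL", status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Route prefixes of the Symfony profiler and web debug toolbar
DEBUG_PREFIXES = ("/_profiler", "/_wdt")


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_debug_endpoint_hits(log_text):
    """Return (ip, path, status) for every request to a Symfony debug route."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(DEBUG_PREFIXES):
            hits.append((rec["ip"], rec["path"], int(rec["status"])))
    return hits


def classify(hits):
    """'exposed': served with 2xx, i.e. the profiler is enabled in production.
    'probed': rejected, the route is disabled but the path is being requested."""
    exposed = [h for h in hits if 200 <= h[2] < 300]
    probed = [h for h in hits if not 200 <= h[2] < 300]
    return exposed, probed


def report(log_text):
    exposed, probed = classify(find_debug_endpoint_hits(log_text))
    sources = Counter(ip for ip, _, _ in exposed + probed)
    return {"exposed": exposed, "probed": probed, "sources": dict(sources)}


if __name__ == "__main__":
    for label, key in (("EXPOSED", "exposed"), ("PROBED ", "probed")):
        for ip, path, status in report(SAMPLE_LOG)[key]:
            print(f"{label} {ip} {status} {path}")
```

Any entry in the exposed list on a production host means the profiler routes are loaded outside the dev environment and should be treated as an incident, since the recorded requests may already contain credentials and server parameters.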
Timeline
2023-03-13 Report sent to the company
2023-03-13 Company replied that they were reviewing the report
2023-03-13 Char49 sent more information regarding another disclosure
2023-03-13 Confirmation from company that the issue was valid and followed the RoE of their responsible disclosure program
2023-03-20 Company reported the issue was fixed and added Char49 to their Wall of Fame
2023-04-04 Full disclosure