Researcher’s methods rely on misconfigured servers – but these are easy to find

Symfony-based websites open to RCE attack, research finds

A feature in Symfony, a popular open source framework for building PHP applications, could expose websites to remote code execution (RCE) if configured improperly, a security researcher has found.

Attackers could exploit the feature, which allows browsers to download fragments of web pages, to run arbitrary commands on the Symfony server.

Breaking the secret

Symfony servers support a /_fragment command that lets clients supply custom PHP commands and returns the HTML output. To prevent misuse, Symfony requires requesters to sign their messages with a cryptographic key stored on the server.

Ambionics’ Charles Fol, who detailed the attacks on Symfony servers in a blog post, found that attackers could use multiple methods to bypass the security check.

For instance, some Symfony debug toolbars contain file-read vulnerabilities, which can be exploited to read the configuration file on the server and obtain the secret.

And in some versions of Symfony, the secret is stored in an environment variable ($_ENV) and can be exposed through Symfony’s profiler tool.

Finally, older versions of the framework drop the security check if the fragment request comes from localhost, so attackers could bypass it if they managed to stage server-side request forgery (SSRF) or IP spoofing.




All of these methods rely on Symfony servers being misconfigured – an all too common problem, according to Fol.

For instance, the Symfony profiler tool should be disabled on production servers, “but devs forget to disable it or make it available using another file,” he told The Daily Swig.

“Also, oftentimes, developers use phpinfo() as a way to check if the server is running properly, so we might reach this function without having the profiler enabled.”

Furthermore, some older versions of Symfony contain default key values, which developers often leave unchanged. And some of the platforms built on top of Symfony, such as eZPublish and Bolt, use their own default values for the secret.

“Developers build custom websites on Symfony with a default key, either because they set up an old version of Symfony, or because they copied a config file from a tutorial, an old website, etc.,” Fol said.

Executing arbitrary commands

Once attackers obtain the cryptographic key, they can use it to sign and send arbitrary commands to the Symfony server.

In his post, Fol showed how /_fragment could be exploited to call PHP’s system() function, which allows the execution of system commands on the server.

“The bug was found because we often encountered Symfony profiler (a debug interface displaying requests, responses, SQL queries, configuration, etc.) in our engagements, and we wanted to escalate this to RCE,” Fol told The Daily Swig.

“After some digging, we saw that the secret key, which could leak through many ways, was used to sign fragments, and from there, we got RCE.”

Fol’s findings reiterate the need to exercise caution when using web development platforms.

“As general advice, I would say something really dull: read the documentation and installation guide carefully! Both Symfony and eZPublish mention the fact that the secret key is, well, secret,” he says. “Also, if you’re not sure, generate it again.”
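For teams that want to check their own deployments for the misconfigurations described above (a placeholder or weak secret, a non-production environment, debug left on), the following Python audit is an added example, not code from Fol’s post or from Symfony. It assumes the application keeps its settings in a `.env`-style file using the `APP_SECRET`, `APP_ENV` and `APP_DEBUG` variable names; the sample file contents and the placeholder-hint list are constructed for illustration.

```python
import math
import secrets
from collections import Counter

# Constructed sample .env content for illustration; not from a real deployment.
SAMPLE_ENV = "APP_ENV=dev\nAPP_DEBUG=1\nAPP_SECRET=ChangeMeToSomethingSecret\n"

# Assumed hints that a value was copied from a template or tutorial.
PLACEHOLDER_HINTS = ("change", "secret", "example", "default", "token", "todo")

def parse_env(text):
    """Parse KEY=VALUE lines, skipping comments and stripping quotes."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip().strip("'\"")
    return values

def entropy_bits(value):
    """Rough total Shannon entropy (bits) from the character distribution."""
    n = len(value)
    counts = Counter(value).values()
    return -sum(c * math.log2(c / n) for c in counts) if n else 0.0

def audit(text):
    """Return a list of findings for one .env file's contents."""
    env, findings = parse_env(text), []
    secret = env.get("APP_SECRET", "")
    if not secret:
        findings.append("APP_SECRET is missing or empty")
    else:
        if any(hint in secret.lower() for hint in PLACEHOLDER_HINTS):
            findings.append("APP_SECRET looks like a placeholder value")
        if len(secret) < 32 or entropy_bits(secret) < 100:
            findings.append("APP_SECRET is short or low-entropy")
    if env.get("APP_ENV") != "prod":
        findings.append("APP_ENV is not prod; debug tooling may be exposed")
    if env.get("APP_DEBUG", "0").lower() not in ("0", "false", ""):
        findings.append("APP_DEBUG is enabled")
    return findings

def new_secret():
    """Generate a fresh 256-bit secret as 64 hex characters."""
    return secrets.token_hex(32)

if __name__ == "__main__":
    for finding in audit(SAMPLE_ENV):
        print("FINDING:", finding)
    print("Replacement APP_SECRET:", new_secret())
```

A secret that has ever been committed, copied from a guide, or shown in a debug page should be treated as exposed and replaced with a freshly generated value.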

