Symfony is a PHP framework with many built-in features. It is used in many popular PHP-based products, such as Drupal, Joomla and others.
The framework supports Edge Side Includes (ESI) through the /_fragment endpoint. This endpoint allows only PART of a page to be executed, and what it executes is customizable. In effect, the endpoint accepts a GET parameter that is PHP code!
Fortunately (for the defense), this value has to be signed with an HMAC, keyed with a secret value, in order to be executed. The same secret value is also used for CSRF tokens and remember-me tokens.
Of course, finding a vulnerability that would allow for the reading of the secret would be nice. In some versions, the phpinfo page (if not disabled) will actually show all ENV variables, including the secret value. A remote file inclusion bug could also be used to steal the secret value. In the real world, the approaches above require actual vulnerabilities to be found first. However, there are two other avenues!
The first avenue is default values. In versions of Bolt CMS, EZPlatform and others, there is a default value that MUST be changed by the web administrator.
Secondly, the secret value can be brute forced offline.
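A defender-side audit for the two avenues above (an added example, not code from the original page or from Symfony): it reads the contents of a `.env` file and flags an `APP_SECRET` that is a shipped default or cheap to guess offline. The denylist entry and both thresholds are assumptions; `APP_SECRET` is the variable Symfony's `.env` files use for the framework secret.

```python
import math
import re
import string

# Constructed placeholder, not a real vendor default: populate this set from
# the sample config files shipped with the products you actually deploy.
SHIPPED_DEFAULTS = {"PLACEHOLDER_VENDOR_DEFAULT_SECRET"}
MIN_BITS = 128     # assumed policy floor for a key that can be guessed offline
MIN_DISTINCT = 8   # assumed floor that rejects values like "aaaa...a"

ENV_LINE = re.compile(r"\s*(?:export\s+)?([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")

def parse_env(text):
    """Parse KEY=VALUE lines of a .env file; comment lines never match."""
    values = {}
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(2).strip("'\"")
    return values

def estimated_bits(secret):
    """Upper bound on guessing cost: length * log2(size of alphabet in use)."""
    if secret and all(c in string.hexdigits for c in secret):
        pool = 16
    else:
        classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
        pool = sum(len(cls) for cls in classes if any(c in cls for c in secret))
        if any(c in string.punctuation for c in secret):
            pool += len(string.punctuation)
    return len(secret) * math.log2(pool) if pool else 0.0

def audit_secret(env_text, defaults=frozenset(SHIPPED_DEFAULTS)):
    """Return findings for APP_SECRET; an empty list means every check passed."""
    secret = parse_env(env_text).get("APP_SECRET")
    if not secret:
        return ["APP_SECRET is missing or empty"]
    findings = []
    if secret in defaults:
        # A default is public knowledge, however random it looks.
        findings.append("APP_SECRET is a shipped default value")
    if estimated_bits(secret) < MIN_BITS or len(set(secret)) < MIN_DISTINCT:
        findings.append("APP_SECRET is short or repetitive enough to guess offline")
    return findings
```

The bit estimate is an upper bound, so passing it does not prove a value is random. Because the same secret also backs CSRF and remember-me tokens, any finding calls for rotating it rather than only restricting /_fragment.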
Overall, having an endpoint exposed that can allow for arbitrary code execution is less than ideal, even if the value is signed in some way.