“Vulnerability” in this case is simply leaving the profiler on in production. Something some people do.
Anyway. I heard sometimes people building projects with symfony leave the profiler on in production. A tool that gives you access to all sorts of stuff nobody should have access to in production: https://symfony.com/doc/current/profiler.html
Someone developed a tool to automatically take advantage of that: https://github.com/synacktiv/eos
I wanted to play around with this and see if I could find symfony sites with the profiler on.
1) Finding the sites
First I need to find sites that use the symfony framework.
You can get SOME results by searching for inurl:_profiler the old google dorks way, but not many results.
I went to https://builtwith.com and searched for symfony. They asked me to register to get the full list, but after registering they asked me to pay.
2) Finding the sites (cont)
I searched for “builtwith alternatives” on google and found https://hunter.io/techlookup.
Searched for symfony and downloaded a csv with 5000 addresses.
3) Automatically testing them
I wrote a (bad) bash script that extracted all the addresses from the CSV and added the eos scan command to it, with an output directory named after the site in question and let it run overnight.
awk -F "\"*,\"*" '{print "eos scan https://"$1 " --output "$1}' file-with-symfony-sites.csv
4) After the tests
The sites where nothing was found have an empty output directory. The affected sites have a directory with files in it.
To see the non-empty directories I can list them by:
find . -mindepth 1 -maxdepth 1 -not -empty -type d
This gives me a list of the compromised sites:
6 out of 5000 isn’t bad. Around 0.1%.
The ones I did find now have exposed databases and some API keys/secrets for email/SMS services, AWS, Firebase, etc. (I will message the owners).
5) Would do differently
Some of the addresses are no longer live. The command line tool waits a little and repeats the request until it eventually times out. This significantly slows down the scan. I should first filter out sites that no longer exist, also programmatically, somehow (cough).
6) Why?
I use symfony quite often and this was a learning experience of things to avoid doing myself :)
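On the defending side, the quickest way to notice that a profiler was left on in production is to watch the access log for requests to the profiler paths (/_profiler and /_wdt, from the Symfony docs linked above): a 2xx answer on one of them means the profiler is enabled. The following is an added example (not part of the original post or of the eos project) that does exactly that over a few constructed combined-format log lines; the log format and the sample lines are assumptions.

```python
import re

# Symfony profiler and web debug toolbar URL prefixes (from the Symfony profiler docs)
PROFILER_PREFIXES = ("/_profiler", "/_wdt")

# Apache/nginx "combined" log line: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def profiler_hits(lines):
    """Return (ip, timestamp, path, status) for every request to a profiler path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # drop the query string
        # exact prefix or prefix + "/" so that e.g. /_profilerx does not match
        if any(path == p or path.startswith(p + "/") for p in PROFILER_PREFIXES):
            hits.append((m.group("ip"), m.group("ts"), path, int(m.group("status"))))
    return hits


def exposed(hits):
    """Hits the server answered with 2xx: the profiler is really enabled here."""
    return [h for h in hits if 200 <= h[3] < 300]


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /_profiler/ HTTP/1.1" 200 5123 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /_profiler/search?limit=10 HTTP/1.1" 200 9876 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /_wdt/abc123 HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /_profilerx HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, path, status in exposed(profiler_hits(SAMPLE_LOG)):
        print(f"PROFILER ENABLED: {ip} {ts} {path} -> {status}")
```

A 404 on these paths (the third sample line) is what a production deployment should return; anything 2xx is worth paging on.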