
Symfony Database Configuration Exposure

By kannthu

High
Vidoc Module
#config #exposure #symfony
Description

What is the "Symfony Database Configuration Exposure?"

The "Symfony Database Configuration Exposure" module is designed to detect a misconfiguration in the Symfony framework's database configuration. Symfony is a popular PHP framework used for developing web applications. This module focuses on identifying potential vulnerabilities related to the exposure of sensitive database configuration files.

This module has a severity level of high, indicating that if the misconfiguration is present, it could pose a significant risk to the security of the application.

This module was authored by pdteam and geeknik.

Impact

If the Symfony database configuration is exposed, it can potentially lead to unauthorized access to sensitive information, such as database credentials, connection details, or other configuration settings. This can be exploited by attackers to gain unauthorized access to the database or perform other malicious activities.

How does the module work?

The "Symfony Database Configuration Exposure" module works by sending an HTTP request to the target application's endpoint /config/databases.yml. It then applies a series of matching conditions to determine if the misconfiguration is present.

The matching conditions used by this module are as follows:

- The response headers should not contain the word "text/html".
- The HTTP response status code should be 200 (OK).
- The response body should contain the words "class:" and "param:".

If all of these conditions are met, the module will report a vulnerability, indicating that the Symfony database configuration is exposed.
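The three matching conditions above, implemented in Python as an added example (not Vidoc's own code) so you can apply the same logic to a response captured from your own deployment and list which parameter names the file would leak. The sample responses are constructed, not real captures, and the credential value is a placeholder.

```python
from typing import Dict, List, Tuple

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)

# Constructed sample responses for GET /config/databases.yml (not real captures).
EXPOSED: Response = (
    200,
    {"Content-Type": "text/plain"},
    "all:\n"
    "  doctrine:\n"
    "    class: sfDoctrineDatabase\n"
    "    param:\n"
    "      dsn: 'mysql:host=localhost;dbname=app'\n"
    "      username: app_user\n"
    "      password: 'placeholder-not-a-real-secret'\n",
)
# HTML error page that echoes the request and happens to contain both words:
# it returns 200 but is text/html, so the module must not report it.
SOFT_404: Response = (
    200,
    {"Content-Type": "text/html; charset=utf-8"},
    "<html><body>Not found: /config/databases.yml class: param:</body></html>",
)
BLOCKED: Response = (403, {"Content-Type": "text/plain"}, "Forbidden")


def is_exposed(status: int, headers: Dict[str, str], body: str) -> bool:
    """Apply the module's three matching conditions; all must hold to report."""
    header_block = "\n".join(f"{k}: {v}" for k, v in headers.items())
    if "text/html" in header_block.lower():        # NOT word: text/html
        return False
    if status != 200:                              # status: 200
        return False
    return "class:" in body and "param:" in body   # word: class:, param:


def exposed_param_keys(body: str) -> List[str]:
    """Names (never values) of keys nested under 'param:' blocks, for triage."""
    keys: List[str] = []
    param_indent = None
    for line in body.splitlines():
        stripped = line.lstrip()
        if not stripped:
            continue
        indent = len(line) - len(stripped)
        if stripped.startswith("param:"):
            param_indent = indent
            continue
        if param_indent is not None and indent > param_indent:
            keys.append(stripped.split(":", 1)[0])
        else:
            param_indent = None
    return keys
```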

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /config/databases.ym...
Matching conditions
NOT word: text/html and
status: 200 and
word: class:, param:
Passive global matcher
No matching conditions.
On match action
Report vulnerability