Symfony properties.ini File Disclosure

By kannthu

Severity: Informative
Vidoc Module
#symfony #exposure #files
Description

What is "Symfony properties.ini File Disclosure"?

The "Symfony properties.ini File Disclosure" module is designed to detect a specific misconfiguration vulnerability in Symfony applications. Symfony is a popular PHP framework used for developing web applications. This module focuses on the exposure of the "properties.ini" file, which contains sensitive configuration information.

The severity of this vulnerability is classified as informative, meaning it provides valuable information but does not directly pose a security risk.

Author: DhiyaneshDK

Impact

If the "properties.ini" file is exposed, it can potentially reveal sensitive information about the Symfony application, such as database credentials, API keys, and other configuration details. This information can be leveraged by attackers to gain unauthorized access or perform further attacks on the application.

How does the module work?

The module sends HTTP requests to specific paths, namely "/properties.ini" and "/config/properties.ini", using the GET method. It then applies matching conditions to determine if the vulnerability is present.

Matching conditions:

- The response body must contain the words "name=", "author=", and "orm=".
- The response status code must be 200.

If both conditions are met, the module reports the vulnerability.

Example HTTP request:

GET /properties.ini HTTP/1.1
Host: example.com

Note: The above example is a simplified representation of the HTTP request and does not include headers or other details.

It is important to note that this module does not fix the vulnerability but rather identifies its presence. Once the vulnerability is detected, appropriate actions can be taken to secure the Symfony application.
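The two matching conditions described above can be reproduced as a self-audit check for an application you operate. This is an added example, not the Vidoc module's own code; the function names, the `app.example` host and the sample file contents are assumptions constructed for illustration.

```python
"""Self-audit check mirroring the module's two matchers (added example)."""
import urllib.error
import urllib.request

PATHS = ("/properties.ini", "/config/properties.ini")  # paths named on the page
WORDS = ("name=", "author=", "orm=")                   # body words, all required

def is_exposed(status: int, body: str) -> bool:
    """True only if the status is 200 AND every word appears in the body."""
    return status == 200 and all(word in body for word in WORDS)

def http_get(url: str, timeout: float = 5.0):
    """Default fetcher returning (status, body); 4xx/5xx arrive as HTTPError."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""

def audit(base_url: str, fetch=http_get) -> list:
    """Return the paths under base_url whose responses satisfy both matchers."""
    hits = []
    for path in PATHS:
        status, body = fetch(base_url.rstrip("/") + path)
        if is_exposed(status, body):
            hits.append(path)
    return hits

# Constructed responses for an offline run (not captured from any real host).
SAMPLE_INI = "[symfony]\n  name=shop\n  author=Dev Team\n  orm=Doctrine\n"
SAMPLE_RESPONSES = {
    "https://app.example/properties.ini": (404, "Not Found"),
    "https://app.example/config/properties.ini": (200, SAMPLE_INI),
}

def fake_fetch(url):
    """Offline stand-in for http_get, backed by SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(url, (404, ""))

if __name__ == "__main__":
    # Pass fetch=http_get (the default) to test a deployment you own.
    print(audit("https://app.example", fetch=fake_fetch))
```

Because all three words are required together with a 200 status, a custom "not found" page served with status 200, or an unrelated file containing only "name=", does not produce a finding.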

Module preview

Concurrent Requests (1)

1. HTTP Request template
   GET /properties.ini, /config/properties.i...
   Matching conditions:
   - word: name=, author=, orm= (condition: and)
   - status: 200

Passive global matcher: No matching conditions.
On match action: Report vulnerability