Lucas Courot

Symfony2 as a security issue


I love Symfony2, it's a very powerful framework. But with great power comes great responsibility. I just want to warn Symfony2 developers about some common security issues they could encounter due to a bad framework/server configuration (not due to Symfony2 itself!).

TL;DR: You should never ever ever allow public access to your dev environment in production. If you do, someone could get into your admin by stealing your session cookies, and could gather what they need to brute-force your server. Your server should only serve files from the project/web directory.

People who don't point DocumentRoot to the web/ directory

This is insane, but many people don't configure their webservers correctly and point their DocumentRoot directive to the project/ directory instead of project/web. This is a security hole, as it means that the configuration is directly accessible on the Internet. If your website looks like http://example.com/my/web/blog, then anyone can access http://example.com/my/app/config/parameters.yml and fetch your database, SMTP and other passwords... This is not true if you use an Apache server, as the app directory contains an .htaccess file denying access to it. However, if your Apache vhost doesn't have AllowOverride All, or if you use another server such as Nginx, this .htaccess has no effect at all.

Furthermore, search engines would index your pages, and your site could easily be found with a custom search query.

Why allowing access to app_dev.php is a huge security issue

As you may know, Symfony2 has a very powerful and helpful Profiler component provided with a Web Debug Toolbar.

By default, Symfony2 provides the app_dev.php file, which is the front controller for the development mode. It has the following lines at the top:

<?php

// This check prevents access to debug front controllers that are deployed by accident to production servers.
// Feel free to remove this, extend it, or make something more sophisticated.
// Requests that went through a proxy (Client-IP or X-Forwarded-For header present) are refused outright;
// direct requests are accepted only if REMOTE_ADDR is one of the loopback addresses in the array.
if (isset($_SERVER['HTTP_CLIENT_IP'])
    || isset($_SERVER['HTTP_X_FORWARDED_FOR'])
    || !in_array(@$_SERVER['REMOTE_ADDR'], array('127.0.0.1', 'fe80::1', '::1'))
) {
    header('HTTP/1.0 403 Forbidden');
    exit('You are not allowed to access this file. Check '.basename(__FILE__).' for more information.');
}

As you can see, this code prevents external access, and it should be preserved in production. Nonetheless, a lot of developers remove this check once the website is deployed, as it probably facilitates server-side debugging.

What security issues are you exposed to?

Well, besides the fact that the whole Internet has access to your server configuration (phpinfo()), everyone can inspect every request sent to the dev environment (not the last 10, not the last 100, all of the requests!). It means that if you're actually debugging your application this way, everyone can inspect the SQL queries which have run on your website, the emails your server sent, and finally the different cookies you had (including session cookies).

Session hijacking

For instance, if you browse your fabulous Sonata Admin directly on your server with the dev mode on, someone else can inspect your requests logged in the Profiler and steal your session by forging a session cookie with the same PHPSESSID. This would give him access to your admin.

Bruteforce attacks

If a cracker wanted to brute-force your website, he'd be able to collect a lot of useful data such as your home directory path (including your Unix username, which is often the same as your SSH login), database info, etc.

SEO

I don't know how, but a lot of websites get indexed in Google with their app_dev.php controllers in the URLs. This is the scariest thing, as with one single Google search you can find thousands of unsecured websites.

Others

You also have the possibility to add extra tools to your Profiler, such as ConsoleBundle, which lets you access the Symfony2 console from your browser. Now, if someone really wants to annoy you, he can literally drop your database.
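All of the exposures above leave a trace in the web server's access log, so a defender can check whether a dev front controller or the profiler has ever been served to the outside. The following POSIX shell filter is an added example (it is not part of the original post, and not Symfony's or any bundle's code): it reads combined-format access log lines and reports every request that was actually served (2xx) for app_dev.php, a /_profiler/ page, config.php or anything under /app/ (what a wrong DocumentRoot exposes). The log lines are constructed sample data, loopback traffic is ignored because the shipped guard allows it on purpose, and the path patterns assume the default front controller names; adjust them if you renamed app_dev.php.

```shell
#!/bin/sh
# Added example, not from the original post: flag served requests for Symfony2
# dev-only paths in combined-format access logs.

# Constructed sample log lines; IPs (documentation ranges) and hosts are made up.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "GET /app_dev.php/blog HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2013:13:55:40 +0000] "GET /blog HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:56:02 +0000] "GET /_profiler/4f2a1b HTTP/1.1" 200 20123 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2013:13:57:10 +0000] "GET /app_dev.php/_profiler/ HTTP/1.1" 200 1023 "-" "curl/7.30"
198.51.100.23 - - [10/Oct/2013:13:58:00 +0000] "GET /app/config/parameters.yml HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2013:13:59:30 +0000] "GET /app/config/parameters.yml HTTP/1.1" 403 199 "-" "Googlebot/2.1"'

# Reads log lines on stdin; prints "client_ip status path" for each served request
# to a dev-only path. Only 2xx responses are reported: a 403 means the guard or
# the server configuration did its job. Loopback clients are skipped because the
# shipped app_dev.php guard allows them on purpose.
find_dev_exposure() {
    awk '
        $1 == "127.0.0.1" || $1 == "::1" { next }   # local developer traffic
        {
            path = $7; status = $9                   # combined log: "METHOD PATH PROTO" STATUS
            if (status !~ /^2/) next
            if (path ~ /^\/app_dev\.php/ || path ~ /\/_profiler\// ||
                path ~ /^\/app\// || path ~ /^\/config\.php/) {
                print $1, status, path
            }
        }'
}

# Number of distinct external clients that reached a dev-only path (stdin = log lines).
count_exposed_clients() {
    find_dev_exposure | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Demo on the constructed sample: expect three findings from two client IPs.
printf '%s\n' "$SAMPLE_LOG" | find_dev_exposure
```

Run it as `find_dev_exposure < /var/log/apache2/access.log` (or the Nginx equivalent); any line it prints means the dev environment, and everything the Profiler recorded, was reachable from that client, so treat the sessions active at that time as compromised.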

Conclusion

It is your responsibility to take care of your Symfony / server configuration; you have been warned. Symfony alone is not enough to secure your PHP development. The framework gets more and more famous, and it forces many websites to share the same architecture. This is a good thing for developers but a bad thing for security, as such websites can now be targeted easily.

My advice

  • Use "Matchers" to enable the Profiler conditionally if it is really needed
  • Use the Symfony checklist before you deploy your website to prod.
  • Deploy your website using an automated deployment tool such as Capifony and exclude the dev / test front controllers.
  • If you want to keep your dev front controller, change its default filename and add your public IP address to the array.
  • Serve files from the web/ directory only.
  • Manage your server configuration using Chef or Puppet for more clarity.
  • Secure your Apache (or other webserver).
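The checklist above can be enforced before every deploy. The script below is an added example (not from the original post, from Symfony or from Capifony): a POSIX shell pre-deploy audit covering the DocumentRoot from the first section and the front controller advice from the list. It checks that the DocumentRoot is exactly project/web, that app_dev.php and config.php are not in web/ at all, and that, if app_dev.php was kept anyway, its REMOTE_ADDR guard is still present. So that it runs stand-alone it builds a constructed throw-away project with mktemp; the directory layout is the standard Symfony2 one, the file contents are made up.

```shell
#!/bin/sh
# Added example, not from the original post: pre-deploy audit of a Symfony2 checkout.

# Build a constructed sample project in DIR with the mistakes this post describes:
# dev/test front controllers deployed, and app_dev.php with its IP guard removed.
make_sample_project() {
    dir="$1"
    mkdir -p "$dir/app/config" "$dir/web"
    printf 'parameters:\n    database_password: constructed-secret\n' > "$dir/app/config/parameters.yml"
    printf '<?php // production front controller\n' > "$dir/web/app.php"
    printf '<?php\n// guard removed after deploy\nrequire_once __DIR__."/../app/AppKernel.php";\n' > "$dir/web/app_dev.php"
    printf '<?php // configuration checker\n' > "$dir/web/config.php"
}

# audit_deploy PROJECT_DIR DOCUMENT_ROOT
# Prints one "FAIL: ..." line per finding; always returns 0 so callers count lines.
audit_deploy() {
    project="$1"; docroot="$2"

    # 1. DocumentRoot must resolve to PROJECT/web, never to a directory above it.
    if [ "$(cd "$docroot" 2>/dev/null && pwd -P)" != "$(cd "$project/web" && pwd -P)" ]; then
        echo "FAIL: DocumentRoot $docroot is not $project/web; app/config/parameters.yml would be served"
    fi

    # 2. Dev-only front controllers should not be deployed at all.
    for f in app_dev.php config.php; do
        if [ -f "$project/web/$f" ]; then
            echo "FAIL: dev-only front controller web/$f is present"
        fi
    done

    # 3. If app_dev.php is kept anyway, its REMOTE_ADDR guard must still be there.
    if [ -f "$project/web/app_dev.php" ] && ! grep -q 'REMOTE_ADDR' "$project/web/app_dev.php"; then
        echo "FAIL: web/app_dev.php has no REMOTE_ADDR check; the Profiler is open to everyone"
    fi
    return 0
}

# Number of findings for PROJECT_DIR and DOCUMENT_ROOT, printed as a single integer.
count_findings() {
    audit_deploy "$1" "$2" | awk '/^FAIL:/ { n++ } END { print n + 0 }'
}

# Demo: audit the constructed project with DocumentRoot pointed at project/ instead
# of project/web (expect four findings), then clean up.
run_demo() {
    tmp="$(mktemp -d)"
    make_sample_project "$tmp/project"
    audit_deploy "$tmp/project" "$tmp/project"
    rm -rf "$tmp"
}

run_demo
```

For real use, call `audit_deploy /path/to/project /path/to/documentroot` from your deploy hook (taking the DocumentRoot from the vhost or the Nginx `root` directive) and abort the deploy when `count_findings` is not zero. A renamed dev controller is not caught by check 2, so if you follow that advice, add its new name to the list.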