• Creation
  • Validation
  • Communication & fix
  • Disclosure

Demenagements Gramme / Debugging leads to customer info and credentials disclosure

reported 2021-09-27

Exposure

Symfony debugger is currently enabled on the following site : https://client.demenagements-gramme.be/

Impact

Visiting the debugger logs allows anyone to grab quotes URL.

This leads to potential customer information disclosure. ( eg https://client.spirouxdemenagements.be/mon-devis/ )

This also leads to LFI ( local file inclusion ) in the context of the Symfony app : https://client.demenagements-gramme.be/_profiler/open?file=config/services.yaml&line=0

Resolution

Symfony debugger must be disabled in production environments as it keeps a log of every requests and exposes it to the public.

IP:
146.59.154.100
Port:
443
Detected protocol:
https
Symfony profiler enabled:
https://client.demenagements-gramme.be/_profiler/empty/search/results
Found by SymfonyProfilerPlugin 2021-09-27
Report created by    BloodyShell  2021-09-27
Report approved by    BloodyShell  2021-09-27
New PDF report generated by system 2021-09-27
Report dispatched to ...@... by system 2021-09-27
Report edited by    BloodyShell  2021-09-28
Report approved by    BloodyShell  2021-09-28
New PDF report generated by system 2021-09-28
Report edited by    BloodyShell  2021-09-28
Report approved by    BloodyShell  2021-09-28
New PDF report generated by system 2021-09-28
Report dispatched to ...@... by system 2021-09-28
Report marked as fixed by    BloodyShell  2021-09-28
Report closed by    BloodyShell  2021-09-28
New PDF report generated by system 2021-09-28
Report edited by    BloodyShell  2021-10-03
New PDF report generated by system 2021-10-03
Report edited by    BloodyShell  2021-10-03
New PDF report generated by system 2021-10-03
Information
Owner Demenagements Gramme
Created 2021-09-27 19:30
Updated 2021-10-05 17:36
Fixed true

Contacts
j...@gmail.com

Status
Status closed
Hosting contacted false
CERT contacted false

Download report