Symfony databases.yml configuration file
Description
A Symfony databases.yml configuration file was discovered at config/databases.yml and is publicly accessible. This file contains database connection settings including hostnames, database names, usernames, and potentially passwords or other authentication credentials. Configuration files like this should never be exposed to the internet as they reveal critical infrastructure details that attackers can exploit to gain unauthorized access to backend systems.
Remediation
Immediately remove the databases.yml configuration file from all publicly accessible directories. Implement the following measures:
1. Remove the file: Delete config/databases.yml from the web root and any publicly accessible locations.
2. Restrict access: Configure your web server to deny access to configuration files. For Apache, add to your .htaccess:

   <FilesMatch "\.(yml|yaml|config)$">
       Require all denied
   </FilesMatch>

   For Nginx, add to your server block:

   location ~* \.(yml|yaml|config)$ {
       deny all;
       return 404;
   }

3. Store configurations securely: Keep configuration files outside the web root directory or use environment variables for sensitive settings.
4. Rotate credentials: Change all database passwords and credentials that were exposed in the file.
5. Audit access logs: Review server logs for any unauthorized access attempts to this file.
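The log audit in step 5 can be automated. The following script is an added example, not part of the original finding: it parses combined-format (Apache/Nginx) access-log lines over a constructed sample, picks out every request for a file matching the same .yml/.yaml/.config pattern used in the deny rules above, and separates requests that were actually served (2xx, meaning the credentials must be treated as compromised) from those the server refused.

```python
import re

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:14:02:11 +0000] "GET /config/databases.yml HTTP/1.1" 200 412 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2024:14:02:12 +0000] "GET /config/databases.yml.bak HTTP/1.1" 404 153 "-" "curl/8.4.0"
198.51.100.22 - - [10/Mar/2024:14:05:40 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2024:14:05:41 +0000] "GET /.env HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:09:03 +0000] "GET /config/databases.yml HTTP/1.1" 403 199 "-" "python-requests/2.31"
"""

# Combined log format: client ip, timestamp, request line, status code, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Same suffix pattern as the FilesMatch / location deny rules in the remediation.
SENSITIVE_RE = re.compile(r'\.(yml|yaml|config)$', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string before matching
    return rec


def audit_config_requests(log_text):
    """Split requests for config-style files into (served, blocked) lists of
    (ip, timestamp, path, status). A 2xx in `served` means the file was delivered."""
    served, blocked = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not SENSITIVE_RE.search(rec["path"]):
            continue
        entry = (rec["ip"], rec["ts"], rec["path"], rec["status"])
        (served if 200 <= rec["status"] < 300 else blocked).append(entry)
    return served, blocked


if __name__ == "__main__":
    served, blocked = audit_config_requests(SAMPLE_LOG)
    for ip, ts, path, status in served:
        print(f"EXPOSED  {ts} {ip} fetched {path} -> {status}")
    for ip, ts, path, status in blocked:
        print(f"blocked  {ts} {ip} requested {path} -> {status}")
```

Note that the `.bak` copy in the sample is not flagged, for the same reason the suffix-based deny rules would not block it: backup or renamed copies of the file need their own check.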