Symfony ESI (Edge-Side Includes) enabled
Description
This Symfony web application has Edge Side Includes (ESI) enabled, a markup language used to assemble dynamic content at the gateway cache level. When ESI is active, Symfony exposes a special /_fragment endpoint that can execute controller actions; requests to it are authorized only by a signature derived from the application's secret configuration parameter. If that secret is weak, predictable, or left at a default value, attackers can forge validly signed requests to this endpoint and potentially execute arbitrary PHP code on the server.
Remediation
Take the following steps to mitigate this vulnerability:
1. Generate a strong secret value: Ensure your Symfony application uses a cryptographically strong, randomly generated secret. Update the APP_SECRET environment variable or the secret parameter in your configuration with a value of at least 32 characters:
# .env file
APP_SECRET=your-cryptographically-strong-random-secret-here
2. Disable ESI if not required: If your application does not use Edge Side Includes for caching, disable this feature entirely:
# config/packages/framework.yaml
framework:
    esi: false
    fragments: false
3. Restrict fragment endpoint access: If you must use ESI, consider implementing additional security controls such as IP whitelisting or firewall rules to restrict access to the /_fragment endpoint to trusted sources only.
4. Audit configuration files: Ensure the secret value is not committed to version control or exposed in publicly accessible locations.
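To check steps 1 and 2 against real files, here is an added audit script (not part of this advisory or of Symfony itself) that reads a .env and a config/packages/framework.yaml as plain text and reports a weak or placeholder APP_SECRET and any esi/fragments setting not explicitly turned off. The placeholder patterns, the entropy threshold and the sample inputs are constructed assumptions, and the YAML check is a line heuristic rather than a parser of Symfony's configuration tree.

```python
import math
import re
from typing import List, Optional

MIN_SECRET_LENGTH = 32  # threshold from step 1 of the remediation
# Constructed placeholder patterns; the first one matches the sample value shown in step 1.
PLACEHOLDER_PATTERNS = [re.compile(r"your-.*-here", re.I), re.compile(r"change.?me", re.I)]
# Constructed sample inputs, not files from any real application.
WEAK_ENV = "APP_ENV=prod\nAPP_SECRET=your-cryptographically-strong-random-secret-here\n"
STRONG_ENV = "APP_ENV=prod\nAPP_SECRET=9f2c4b7e1a6d3e8f5c0b2a7d4e9f1c6b3a8d5e2f7c4b1a9e6d3f0c5b8a2e7d4f\n"
VULN_YAML = "framework:\n    esi: true\n    fragments: { path: /_fragment }\n"
FIXED_YAML = "framework:\n    esi: false\n    fragments: false\n"

def shannon_entropy(value: str) -> float:
    """Bits per character; a low value means a repetitive, easily guessed secret."""
    if not value:
        return 0.0
    probs = [value.count(c) / len(value) for c in set(value)]
    return -sum(p * math.log2(p) for p in probs)

def read_env_secret(env_text: str) -> Optional[str]:
    """Return the APP_SECRET value from .env-style text, or None if it is absent."""
    for line in env_text.splitlines():
        line = line.strip()
        if line.startswith("APP_SECRET="):
            return line.split("=", 1)[1].strip().strip("\"'")
    return None

def feature_enabled(framework_yaml: str, key: str) -> bool:
    """Assumption: an `esi:`/`fragments:` line counts as enabled unless its value is exactly `false`."""
    # Heuristic over the raw text, not a full parser of Symfony's configuration tree.
    match = re.search(rf"^\s+{key}:[ \t]*(.*)$", framework_yaml, re.MULTILINE)
    return match is not None and match.group(1).strip().lower() != "false"

def audit(env_text: str, framework_yaml: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    secret = read_env_secret(env_text) or ""  # a missing secret fails the length check
    if len(secret) < MIN_SECRET_LENGTH:
        findings.append(f"APP_SECRET is {len(secret)} chars, below {MIN_SECRET_LENGTH}")
    if any(p.search(secret) for p in PLACEHOLDER_PATTERNS):
        findings.append("APP_SECRET looks like a placeholder value")
    if shannon_entropy(secret) < 3.0:  # constructed threshold in bits per character
        findings.append("APP_SECRET has low character diversity")
    for key in ("esi", "fragments"):
        if feature_enabled(framework_yaml, key):
            findings.append(f"framework.{key} is enabled; set it to false if unused")
    return findings
```

Note that the sample placeholder value is 48 characters long, so it passes the length check alone; the pattern check is what catches it.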