Symfony RCE via weak/predictable APP_SECRET - Vulnerability Database

Symfony RCE via weak/predictable APP_SECRET

Description

The Symfony application uses a weak or predictable APP_SECRET value, one that can be guessed from common default values or extracted from a publicly accessible phpinfo page. The secret is the key Symfony uses to sign and validate trusted content such as fragment URLs. An attacker who obtains it can forge signed URLs for the /_fragment endpoint, which processes Edge-Side Includes (ESI) directives, and ultimately achieve remote code execution on the server.

Remediation

Take the following steps to remediate this vulnerability:

1. Generate a Strong APP_SECRET: Immediately replace the current APP_SECRET with a cryptographically secure random value. Generate a new secret using a secure method:

php -r "echo bin2hex(random_bytes(32));"
Or use:
openssl rand -hex 32

2. Update Configuration: Update the APP_SECRET in your .env or .env.local file:
APP_SECRET=your_new_cryptographically_secure_secret_here

3. Disable ESI if Not Required: If your application does not use Edge-Side Includes functionality, disable it in config/packages/framework.yaml:
framework:
    esi: false
    fragments: false

4. Restrict Fragment Endpoint Access: If ESI is required, restrict access to the /_fragment endpoint to trusted sources only using firewall rules or web server configuration.

5. Remove phpinfo Pages: Delete any publicly accessible phpinfo pages from production environments to prevent information disclosure.

6. Rotate Secrets Regularly: Implement a policy for periodic rotation of application secrets and review all environment configurations for security best practices.
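The following script carries steps 1 and 2 through end to end, with a sanity check that the value being installed is not an obvious placeholder. It is an added example, not part of the Invicti advisory or of Symfony itself; the placeholder list and the scratch file it edits are constructed for the demonstration, and in a real project the target file would be .env.local.

```shell
#!/bin/sh
# Added example: generate a strong APP_SECRET, check it, and write it to an env file.
# Assumptions (not from the advisory): the weak-value list below is constructed, and
# the secret is hex, so it contains no characters that are special to sed.

# Step 1: 32 random bytes, hex-encoded (64 characters), as the advisory's commands do.
gen_app_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        # Fallback for hosts without openssl: read the kernel CSPRNG directly.
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# Return 0 if the secret is acceptable: not a known placeholder, at least 32
# characters, and not made of a handful of repeated characters.
check_app_secret() {
    secret="$1"
    case "$secret" in
        ""|ChangeMe|changeme|secret|your_new_cryptographically_secure_secret_here)
            return 1 ;;
    esac
    [ "${#secret}" -ge 32 ] || return 1
    # Count distinct characters; a real 32-byte hex secret has close to 16.
    distinct=$(printf '%s' "$secret" | fold -w1 | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -ge 8 ] || return 1
    return 0
}

# Read the current APP_SECRET from an env file (last assignment wins, as in dotenv).
get_app_secret() {
    sed -n 's/^APP_SECRET=//p' "$1" | tail -n 1
}

# Step 2: replace the APP_SECRET line in place, or append one if none exists.
# Refuses to install a value that fails check_app_secret.
set_app_secret() {
    env_file="$1"
    new_secret="$2"
    check_app_secret "$new_secret" || return 1
    if [ -f "$env_file" ] && grep -q '^APP_SECRET=' "$env_file"; then
        sed "s|^APP_SECRET=.*|APP_SECRET=$new_secret|" "$env_file" > "$env_file.tmp" \
            && mv "$env_file.tmp" "$env_file"
    else
        printf 'APP_SECRET=%s\n' "$new_secret" >> "$env_file"
    fi
}

# Demonstration on a scratch file (constructed). A real run would target .env.local.
demo_file=$(mktemp)
printf 'APP_ENV=prod\nAPP_SECRET=ChangeMe\n' > "$demo_file"
if ! check_app_secret "$(get_app_secret "$demo_file")"; then
    echo "current APP_SECRET is weak, rotating"
    set_app_secret "$demo_file" "$(gen_app_secret)"
fi
echo "APP_SECRET now: $(get_app_secret "$demo_file")"
rm -f "$demo_file"
```

After rotating, restart PHP-FPM or the application container so the new value is loaded, and clear the cache with `php bin/console cache:clear`; any signed URLs issued under the old secret stop validating, which is the intended effect.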
