Merge pull request #1880 from HackTricks-wiki/research_update_src_network-services-pentesting_pentesting-web_symphony_20260211_025052

carlospolop · web-flow · commit 4df20eaea2c9 · 2026-02-11T03:57:22.000+01:00
Research Update Enhanced src/network-services-pentesting/pen...
diff --git a/src/network-services-pentesting/pentesting-web/symphony.md b/src/network-services-pentesting/pentesting-web/symphony.md
@@ -4,7 +4,7 @@
 
 Symfony is one of the most widely-used PHP frameworks and regularly appears in assessments of enterprise, e-commerce and CMS targets (Drupal, Shopware, Ibexa, OroCRM … all embed Symfony components).  This page collects offensive tips, common mis-configurations and recent vulnerabilities you should have on your checklist when you discover a Symfony application.
 
-> Historical note: A large part of the ecosystem still runs the **5.4 LTS** branch (EOL **November 2025**).  Always verify the exact minor version because many 2023-2025 security advisories only fixed in patch releases (e.g. 5.4.46 → 5.4.50).
+> Historical note: A large part of the ecosystem still runs the **5.4 LTS** branch (EOL **November 2025**).  Symfony **7.4** became the new LTS in **Nov 2025** and will receive security fixes until **Nov 2029**.  Always verify the exact patch-level because many 2024‑2026 advisories were fixed only in micro releases.
 
 ---
 
@@ -36,7 +36,7 @@ Symfony is one of the most widely-used PHP frameworks and regularly appears in a
 
 ---
 
-## High-impact Vulnerabilities (2023-2025)
+## High-impact Vulnerabilities
 
 ### 1. APP_SECRET disclosure ➜ RCE via `/_fragment` (aka “secret-fragment”)
 * **CVE-2019-18889** originally, but *still* appears on modern targets when debug is left enabled or `.env` is exposed.
@@ -60,17 +60,37 @@ Symfony is one of the most widely-used PHP frameworks and regularly appears in a
   ```
 * Excellent write-up & exploitation script: Ambionics blog (linked in References).
 
-### 2. Windows Process Hijack – CVE-2024-51736
+### 2. PATH_INFO auth bypass – **CVE-2025-64500** (HttpFoundation)
+* Affects versions below 5.4.50, 6.4.29 and 7.3.7. Path normalization could drop the leading `/`, breaking access-control rules that assume `/admin` etc.
+* Quick test: `curl -H 'PATH_INFO: admin/secret' https://target/index.php` → if it reaches admin routes without auth, you found it.
+* Patch by upgrading `symfony/http-foundation` or the full framework to the fixed patch level.
+
+### 3. MSYS2/Git-Bash argument mangling – **CVE-2026-24739** (Process)
+* Affects versions below 5.4.51, 6.4.33, 7.3.11, 7.4.5 and 8.0.5 on Windows when PHP is run from MSYS2 (Git-Bash, mingw). `Process` fails to quote `=` leading to corrupted paths; destructive commands (`rmdir`, `del`) may target unintended dirs.
+* If you can upload a PHP script or influence Composer/CLI helpers that call `Process`, craft arguments with `=` (e.g. `E:/=tmp/delete`) to cause path re-write.
+
+### 4. Runtime env/argv injection – **CVE-2024-50340** (Runtime)
+* When `register_argv_argc=On` and using non-SAPI runtimes, crafted query strings could flip `APP_ENV`/`APP_DEBUG` via `argv` parsing. Patched in 5.4.46/6.4.14/7.1.7.
+* Look for `/?--env=prod` or similar being accepted in logs.
+
+### 5. URL validation / open redirect – **CVE-2024-50345** (HttpFoundation)
+* Special characters in the URI were not validated the same way browsers do, enabling redirect to attacker-controlled domains. Fixed in 5.4.46/6.4.14/7.1.7.
+
+### 6. Symfony UX attribute injection – **CVE-2025-47946**
+* `symfony/ux-twig-component` & `symfony/ux-live-component` before **2.25.1** render `{{ attributes }}` without escaping → attribute injection/XSS. If the app lets users define component attributes (admin CMS, email templating) you can chain to script injection.
+* Update both packages to 2.25.1+. As a manual exploit, place JS in an attribute value passed to a custom component and trigger rendering.
+
+### 7. Windows Process Hijack – **CVE-2024-51736** (Process)
 * The `Process` component searched the current working directory **before** `PATH` on Windows.  An attacker able to upload `tar.exe`, `cmd.exe`, etc. in a writable web-root and trigger `Process` (e.g. file extraction, PDF generation) gains command execution.
 * Patched in 5.4.50, 6.4.14, 7.1.7.
 
-### 3. Session-Fixation – CVE-2023-46733
+### 8. Session-Fixation – **CVE-2023-46733**
 * Authentication guard reused an existing session ID after login.  If an attacker sets the cookie **before** the victim authenticates, they hijack the account post-login.
 
-### 4. Twig sandbox XSS – CVE-2023-46734
+### 9. Twig sandbox XSS – **CVE-2023-46734**
 * In applications that expose user-controlled templates (admin CMS, email builder) the `nl2br` filter could be abused to bypass the sandbox and inject JS.
 
-### 5. Symfony 1 gadget chains (still found in legacy apps)
+### 10. Symfony 1 gadget chains (still found in legacy apps)
 * `phpggc symfony/1 system id` produces a Phar payload that triggers RCE when an unserialize() happens on classes such as `sfNamespacedParameterHolder`.  Check file-upload endpoints and `phar://` wrappers.
 
 
@@ -106,13 +126,26 @@ php bin/console cache:clear --no-warmup
 ```
 Use deserialization gadgets inside the cache directory or write a malicious Twig template that will be executed on the next request.
 
+### Probe PATH_INFO bypass quickly (CVE-2025-64500)
+```bash
+curl -i -H 'PATH_INFO: admin/secret' https://target/index.php
+# If it returns protected content without redirect/auth, the Request normalization is vulnerable.
+```
+
+### Spray UX attribute injection (CVE-2025-47946)
+```twig
+{# attacker-controlled attribute value #}
+<live:button {{ attributes|merge({'onclick':'alert(1)'}) }} />
+```
+If the rendered output echoes the attribute unescaped, XSS succeeds. Patch to 2.25.1+.
+
 ---
 
 ## Defensive notes
 1. **Never deploy debug** (`APP_ENV=dev`, `APP_DEBUG=1`) to production; block `/app_dev.php`, `/_profiler`, `/_wdt` in the web-server config.
 2. Store secrets in env vars or `vault/secrets.local.php`, *never* in files accessible through the document-root.
-3. Enforce patch management – subscribe to Symfony security advisories and keep at least the LTS patch-level.
-4. If you run on Windows, upgrade immediately to mitigate CVE-2024-51736 or add a `open_basedir`/`disable_functions` defence-in-depth.
+3. Enforce patch management – subscribe to Symfony security advisories and keep at least the LTS patch-level (5.4.x until Nov 2025, 6.4 until Nov 2027, 7.4 until Nov 2029).
+4. If you run on Windows, upgrade immediately to mitigate CVE-2024-51736 & CVE-2026-24739 or add a `open_basedir`/`disable_functions` defence-in-depth.
 
 ---
 
@@ -126,4 +159,6 @@ Use deserialization gadgets inside the cache directory or write a malicious Twig
 ## References
 * [Ambionics – Symfony “secret-fragment” Remote Code Execution](https://www.ambionics.io/blog/symfony-secret-fragment)
 * [Symfony Security Advisory – CVE-2024-51736: Command Execution Hijack on Windows Process Component](https://symfony.com/blog/cve-2024-51736-command-execution-hijack-on-windows-with-process-class)
+* [Symfony Blog – CVE-2025-47946: Unsanitized HTML attribute injection in UX components](https://symfony.com/blog/symfony-ux-cve-2025-47946-unsanitized-html-attribute-injection-via-componentattributes)
+* [Symfony Blog – CVE-2026-24739: Incorrect argument escaping under MSYS2/Git Bash](https://symfony.com/blog/cve-2026-24739-incorrect-argument-escaping-under-msys2-git-bash-on-windows-can-lead-to-destructive-file-operations)
 {{#include ../../banners/hacktricks-training.md}}
