Symfony FOSJsRoutingBundle

Context 

Symfony is an open source application framework for PHP.
The Symfony bundle FOSJsRoutingBundle exposes the application's routing (the routes marked for exposure) to JavaScript code through a public endpoint.
That means an attacker can immediately map the routes available for testing, which simplifies the reconnaissance phase of an attack against your application.
 

Exploit or command to run

You can access the JsRouting bundle with the following URL:
{IMPACTED-ASSET}/js/routing
Here is an example of the output:
 
An attacker can immediately deduce that the API exposes the route sylius_admin_order_creation_order_create with the method GET, and can start probing it for an exploitable vulnerability.
 

Consequences

There are no direct consequences: this is a default configuration that only eases the mapping step for the attacker (information disclosure of the route names, patterns and methods).
 

Remediation

We recommend restricting access to the /js/routing path to the clients that actually need a map of the available APIs (for example by domain or IP restriction), and exposing only the routes that the front end really requires.
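As an added example (not part of the original advisory), the following Symfony security.yaml access_control rules implement the IP restriction described above; it assumes Symfony 5.2 or later (for the PUBLIC_ACCESS attribute) and uses a constructed internal range 10.0.0.0/8 as the allowed source:

```yaml
# config/packages/security.yaml (added example, constructed values)
security:
    access_control:
        # First matching rule wins: allow the routing dump only from the
        # internal range that needs it (constructed example range).
        - { path: ^/js/routing, ips: [10.0.0.0/8], roles: PUBLIC_ACCESS }
        # Any other client hitting /js/routing is denied: ROLE_NO_ACCESS is
        # a role nobody holds, so the firewall returns 403.
        - { path: ^/js/routing, roles: ROLE_NO_ACCESS }
        # Remaining application rules follow here.
```

After deploying, request /js/routing from outside the allowed range and confirm the response is a 403 rather than the JSON route map; if the application sits behind a reverse proxy, also make sure trusted_proxies is configured so the ips check sees the real client address and not the proxy's.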