
Securing Symfony's project root folder

Posted by antoine on 2009-05-25 in security, symfony

Security is considered in every aspect of Symfony, whether it is the centralized user management and access control, the new object route system where peer methods can be customized, or the rapid security fixes recently shipped by Symfony's core team.

Despite all that, the way developers and server administrators deploy the framework can still lead to major security issues.

I recently visited a Symfony project where the web folder was not configured as the document root of Apache's VirtualHost. I changed the URI and was able to display the database's username and password for this project, the plugins in use, the routes, the schema and basically any non-PHP file (yml, sql, ...). By Googling specific keywords, I was able to find hundreds more!

We are all tempted to deploy a Symfony project without a dedicated VirtualHost, that is, with the whole project directory (and not only web/) under the document root, for example to give access to a second version of a website (this was the case in the project above) or to host several projects on a single VirtualHost. But this exposes critical information that you don't want attackers to know: anything outside web/ becomes a plain file download.

If you really have to deploy a Symfony project without its own VHost, then secure the project's system folders with a rule like the following, placed in the VirtualHost or in an .htaccess at the project root:

# Securing the project system folders
# Prevents access to any folder not named "web"
# Last modified on 2009.05.19 by Antoine Leclercq (antoine[dot]leclercq[at]letscod[dot]com)
# Set the "allow" variable only for URIs that contain a "/web/" path component
SetEnvIf Request_URI "(/web/.*)$" allow
# Apache 2.2 syntax: with "Order allow,deny", anything no Allow line matched is denied
Order allow,deny
Allow from env=allow

This will prevent the web server from giving access to any path that does not contain a folder named "web": a request for /config/databases.yml or /apps/frontend/config/routing.yml gets a 403, while /web/index.php and /web/css/... still work. Two caveats: the rule is written for Apache 2.2 access control, so on Apache 2.4 replace the two `Order allow,deny` / `Allow from env=allow` lines with `Require env allow`; and the regular expression matches "/web/" anywhere in the URI (plugin asset folders such as plugins/*/web/ are therefore allowed too), so after deploying it verify the deny case yourself by requesting config/databases.yml and expecting a 403.

This is one of many possible fixes, but I think that kind of extra protection should be included in Symfony's default project files.
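The following audit script is an added example and is not part of the original post or of Symfony itself. It probes a deployment for the kind of exposure described above and reproduces the post's allow rule as a function so you can see which requests it lets through (including the over-broad match on any "/web/" component). The list of sensitive paths assumes the standard symfony 1.x project layout (config/databases.yml, the per-application config files, the generated data/sql schema) and the application name "frontend"; adjust both to your project.

```python
"""Audit a symfony 1.x deployment for project files reachable over HTTP.

Added example, not code from the original post or from Symfony. Assumptions:
the usual symfony 1.x layout and an application called "frontend".
"""
import re
import sys
import urllib.error
import urllib.request

# Files a symfony 1.x project keeps outside web/ (assumed standard layout).
# Each of these is a plain-file download if the project root is the doc root.
SENSITIVE_PATHS = [
    "config/databases.yml",
    "config/propel.ini",
    "config/schema.yml",
    "config/properties.ini",
    "apps/frontend/config/routing.yml",
    "apps/frontend/config/settings.yml",
    "data/sql/lib.model.schema.sql",
    "lib/model/",
    "log/frontend_dev.log",
]

# The same allow-list the post's SetEnvIf rule expresses.
ALLOW_RULE = re.compile(r"(/web/.*)$")


def allowed_by_rule(uri: str) -> bool:
    """True if the post's Apache rule would set env=allow for this URI.

    Note the regex is unanchored at the start, so "/plugins/x/web/a.css"
    and "/lib/web/anything" are allowed as well as "/web/index.php".
    """
    return ALLOW_RULE.search(uri) is not None


def looks_exposed(status: int, content_type: str, body: bytes) -> bool:
    """Classify one response.

    A 200 whose body is not HTML means Apache served a raw project file
    (yml, ini, sql, log). A 200 HTML body that is an Apache directory
    listing ("Index of /...") means a folder is browsable. Anything else
    (403 from the rule, 404, the app's own HTML) is treated as not exposed.
    """
    if status != 200 or not body:
        return False
    if content_type.lower().startswith("text/html"):
        return b"Index of /" in body
    return True


def probe(base_url: str, path: str, timeout: float = 5.0):
    """GET base_url/path and return (status, content_type, first 4 KiB of body)."""
    url = base_url.rstrip("/") + "/" + path
    req = urllib.request.Request(url, headers={"User-Agent": "sf-root-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read(4096)
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Content-Type", ""), b""
    except urllib.error.URLError:
        return 0, "", b""


def audit(base_url: str, paths=SENSITIVE_PATHS):
    """Return the subset of paths that are readable at base_url."""
    return [p for p in paths if looks_exposed(*probe(base_url, p))]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: sf_root_audit.py http://host/project")
    exposed = audit(sys.argv[1])
    for path in exposed:
        print("EXPOSED", path)
    print("%d of %d sensitive paths readable" % (len(exposed), len(SENSITIVE_PATHS)))
    sys.exit(1 if exposed else 0)
```

Run it once before and once after adding the rule: before, every path prints as EXPOSED; after, the audit should report 0 readable paths while /web/index.php keeps answering normally.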

4 comments so far

Posted by evo g gingerbread update} on Friday June 24th, 2011 10:50
Thank you for the exceptional writeup. It truly was an amusement account it. show up superior to much additional agreeable from you! over the way, how could we communicate?
Posted by android phone on Friday June 24th, 2011 11:01
I will be so glad this internet thing works as well as your article really helped personally. Might take you to that home advice you
Posted by FAKE WTCHES UK on Tuesday October 25th, 2011 08:10
give good impression to people surrounding
Posted by REPLICA WTCHES on Tuesday October 25th, 2011 08:11
And of course, you can read the time at the meeting