
Laravel <= v8.4.2 debug mode: Remote code execution #35880

Closed
xzd opened this issue Jan 14, 2021 · 3 comments

Comments


xzd commented Jan 14, 2021

https://www.ambionics.io/blog/laravel-debug-rce

@driesvints (Member)

Don't enable debug mode in production. Also: please don't post issues about security vulnerabilities (see our readme).

https://laravel.com/docs/8.x/configuration#debug-mode



lucaspanik commented Mar 31, 2021

@driesvints

I am having the same problem in my homologation and staging environment.

Argument 1 passed to Facade\Ignition\Solutions\MakeViewVariableOptionalSolution::isSafePath() must be of the type string, null given, called in /var/www/vendor/facade/ignition/src/Solutions/MakeViewVariableOptionalSolution.php on line 88

Request:

{
    "method": "POST",
    "URL": "http://remote_ip/_ignition/execute-solution",
    "remote_ip": "remote_ip",
    "request": {
        "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
        "parameters": {
            "variableName": "username",
            "viewFile": null
        }
    }
}

After upgrading from Laravel 7 to Laravel 8.27.0, these errors started to appear in my staging environment, but they don't appear in my production environment.

After analyzing the differences between environments, I thought it could be something related to APP_DEBUG=true in my staging environment, and APP_DEBUG=false in my production environment.

And I found these links:

When executing the command ps aux | grep kdev on my staging server, I did not identify the process kdevtmpfsi running, only kdevtmpfs (without the letter i at the end), which is a default system process, as you can see in the image below.

The problem, as described in the first link, concerns the "facade/ignition" package, which provides the new Laravel error page; the problem can be seen at facade/ignition#334.

In summary, I think this is happening to applications that were upgraded from Laravel versions below 8 to 8.x, because they suffered this "invasion" before the update.

Even knowing that debugging should not be enabled in the production environment, how to work with debugging in the staging environment? What do you recommend to me?

My question is what to actually do to deal with this vulnerability, since I am already on version 8.27.0 of Laravel.
Remove the "facade/ignition" package?
Or update the "facade/ignition" package (I am currently on "facade/ignition": "^2.3.6")?

Thank you for your attention; I hope I have helped, and I am waiting for help to make the right decision.
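The request body quoted above and the two questions at the end of that comment (whether staging was hit, and whether to remove or update facade/ignition) are the two checks a practitioner would actually run. What follows is an added example, not code from Laravel, facade/ignition or any participant in this thread: it scans access-log lines for POSTs to /_ignition/execute-solution, classifies a captured JSON body in the shape shown above, and reads the installed facade/ignition version out of composer.lock. The log lines and the composer.lock fragment are constructed for the example; the 2.5.2 threshold is the vendor release that hardened execute-solution (the fix for CVE-2021-3129) and is not stated anywhere in this thread; treating any `scheme://` value in viewFile as a wrapper rather than a view path is a heuristic chosen here.

```python
"""Triage helpers for the Ignition execute-solution endpoint (added example,
not Laravel or facade/ignition code)."""
import json
import re
from typing import List, Optional, Tuple

# Endpoint and solution class exactly as they appear in the request posted above.
IGNITION_ENDPOINT = "/_ignition/execute-solution"
RISKY_SOLUTION = "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution"
# facade/ignition 2.5.2 is the release that hardened execute-solution (the vendor
# fix for CVE-2021-3129). This threshold is not taken from the thread above.
FIXED_IGNITION = (2, 5, 2)

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [31/Mar/2021:10:01:02 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 1843 "-" "python-requests/2.25.1"
198.51.100.4 - - [31/Mar/2021:10:01:05 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Mar/2021:10:01:09 +0000] "POST /_ignition/execute-solution?x=1 HTTP/1.1" 200 12 "-" "python-requests/2.25.1"
"""

# Constructed composer.lock fragment pinning the version the commenter mentions.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [{"name": "laravel/framework", "version": "v8.27.0"}],
    "packages-dev": [{"name": "facade/ignition", "version": "2.3.6"}],
})

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def find_ignition_posts(log_text: str) -> List[dict]:
    """Every POST to the endpoint, with source IP, timestamp and status.
    A 500 followed by a 200 from the same IP is the pattern to read first:
    the 500 is the TypeError quoted in the issue, the 200 means a solution ran."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if m.group("method") == "POST" and path == IGNITION_ENDPOINT:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": int(m.group("status"))})
    return hits


def build_solution_body(variable_name: str, view_file: Optional[str]) -> str:
    """JSON body in the shape shown in the issue (used here to build test input)."""
    return json.dumps({"solution": RISKY_SOLUTION,
                       "parameters": {"variableName": variable_name,
                                      "viewFile": view_file}})


def classify_solution_body(body: str) -> str:
    """'probe'        viewFile is null (gives the TypeError quoted in the issue)
    'wrapper-path' viewFile carries a PHP stream wrapper (scheme://); treat as
                   an exploitation attempt, not a view path (heuristic)
    'file-path'    plain path; confirm it is a view under resources/views
    'other'        a different solution class
    'malformed'    not JSON, or no solution field"""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "malformed"
    # Accept both the raw body and the issue's log export, which wraps it under "request".
    req = data.get("request", data) if isinstance(data, dict) else None
    if not isinstance(req, dict) or "solution" not in req:
        return "malformed"
    if req["solution"] != RISKY_SOLUTION:
        return "other"
    view_file = (req.get("parameters") or {}).get("viewFile")
    if view_file is None:
        return "probe"
    if "://" in str(view_file):
        return "wrapper-path"
    return "file-path"


def installed_ignition_version(composer_lock_text: str) -> Optional[Tuple[int, ...]]:
    """Installed facade/ignition version as a tuple of ints, or None if absent."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "facade/ignition":
            return tuple(int(p) for p in re.findall(r"\d+", pkg.get("version", ""))[:3])
    return None


def ignition_needs_upgrade(composer_lock_text: str) -> bool:
    """True when facade/ignition is installed and older than FIXED_IGNITION."""
    version = installed_ignition_version(composer_lock_text)
    return version is not None and version < FIXED_IGNITION
```

Point find_ignition_posts at the real access log of the staging host and ignition_needs_upgrade at its composer.lock; with the "^2.3.6" constraint from the comment the lock resolves to a version below the threshold, so the answer to "update or remove?" is to update, and the log scan tells you whether anyone reached the endpoint while APP_DEBUG=true was set.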

@tudorradubarbu

Absolutely nobody from Laravel offers support on this one. It's just blank.
