You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Unauthorized user can access Laravel log viewer by rap2hpoutre and use download function to download any file with laravel permission, by base64 encode the wanted file.
Base64 value encoded from laravel with input as payload and app_key.
Impact
An unauthorised user who knows the app_key (from any source - either brute-force or default app_key) can encrypt the payload path traversal to view any file on the system.
Affected versions
Latest version: Laravel log viewer <=v2.3.0
Severity
High 8.9: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Exploit
Write python code to encrypt/decrypt base64 string from laravel with app_key. Then modify it to payload traversal and encrypt, then send
PoC:
Solution
In file src/controllers/LogViewerController.php: with index() and pathFromInput() need to process the file name in lines like $this->log_viewer->setFile(Crypt::decrypt($this->request->input('l'))); $this->log_viewer->pathToLogFile(Crypt::decrypt($this->request->input($input_string)));
Instead of getting the file name directly from the request after decrypting, process the file name before putting it into setFile or download
Example of using basename() in php
The text was updated successfully, but these errors were encountered:
Description
Unauthorized user can access Laravel log viewer by rap2hpoutre and use download function to download any file with laravel permission, by base64 encode the wanted file.
Base64 value encoded from laravel with input as payload and app_key.
Impact
An unauthorised user who knows the app_key (from any source - either brute-force or default app_key) can encrypt the payload path traversal to view any file on the system.
Affected versions
Severity
Exploit
Write python code to encrypt/decrypt base64 string from laravel with app_key. Then modify it to payload traversal and encrypt, then send
PoC:
Solution
In file
src/controllers/LogViewerController.php:withindex()andpathFromInput()need to process the file name in lines like$this->log_viewer->setFile(Crypt::decrypt($this->request->input('l')));$this->log_viewer->pathToLogFile(Crypt::decrypt($this->request->input($input_string)));Instead of getting the file name directly from the request after decrypting, process the file name before putting it into setFile or download
Example of using basename() in php
The text was updated successfully, but these errors were encountered: