Monday, March 10, 2025

Laravel Framework Flaw Permits Attackers to Execute Malicious JavaScript


A major vulnerability has been identified in the Laravel framework, specifically affecting versions 11.9.0 through 11.35.1.

The issue stems from improper encoding of request parameters on the error page when the application is running in debug mode, leading to reflected cross-site scripting (XSS).

This flaw has been assigned the CVE identifier CVE-2024-13918 and has been classified as high severity with a CVSS score of 8.0, according to a report by GitHub.

The vulnerability abuses the behaviour of Laravel's debug-mode error page, which displays detailed request information, including URL parameters and request bodies.

However, when this data is rendered, it is not properly encoded, enabling attackers to inject malicious JavaScript that is executed in the user's browser.

This can occur when a user opens an attacker-supplied link, provided that the application's debug mode is active (APP_DEBUG=true).

Vulnerability Description

When Laravel is in debug mode (APP_DEBUG=true) and the web application returns an error (HTTP status 5XX), an error page is displayed containing the request details.

The following snippet from Laravel's error page illustrates how request body data is embedded without proper encoding:

    {!! $exception->requestBody() ?: 'No body data' !!}

The use of {!! !!} disables Blade's HTML encoding, so injected JavaScript in the request body is emitted verbatim into the page and executed as code.

Proof of Concept

To demonstrate this vulnerability, the following steps can be followed:

  1. Enable Debug Mode: Ensure that APP_DEBUG=true is set in the .env file.
  2. Create a PoC Test Route: Add an endpoint that triggers an error. For example:
use Illuminate\Support\Facades\Route;

Route::get('/poc-url', function () {
    return 0/0; // This will throw a division by zero error.
});
  3. Exploitation: Visit a crafted URL like http://localhost:8000/poc-url?payload=. When this URL is accessed and the error occurs, the error page will display and execute the injected JavaScript.
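As an added illustration (not code from the article or from Laravel itself), the PHP script below contrasts the raw Blade output used on the debug error page with the escaped form, and audits a constructed .env file for the APP_DEBUG setting that exposes that page; the function names and sample inputs are assumptions.

```php
<?php
// Added example, not Laravel's own code. Contrasts the raw Blade output used on
// the vulnerable debug page ({!! !!}) with escaped output ({{ }}), and audits a
// .env file for the debug setting that makes the page reachable. Inputs are constructed.

declare(strict_types=1);

// Equivalent of Blade's e() helper: HTML-encode with ENT_QUOTES so that quotes,
// angle brackets and ampersands cannot break out of the surrounding markup.
function escapeLikeBlade(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Simulates the request-body panel of the debug error page (hypothetical helper).
// $raw = true  mirrors {!! $exception->requestBody() ?: 'No body data' !!}
// $raw = false mirrors the safe form {{ $exception->requestBody() ?: 'No body data' }}
function renderRequestBody(string $requestBody, bool $raw): string
{
    $shown = $requestBody !== '' ? $requestBody : 'No body data';
    return '<pre>' . ($raw ? $shown : escapeLikeBlade($shown)) . '</pre>';
}

// Parses .env text and returns true when debug mode is on, i.e. when the verbose
// error page, and with it this reflected XSS, is exposed to end users.
// Accepts the spellings Laravel's env() treats as true: true, (true), and 1.
function debugModeEnabled(string $envContents): bool
{
    foreach (preg_split('/\R/', $envContents) as $line) {
        if (preg_match('/^\s*APP_DEBUG\s*=\s*"?(true|\(true\)|1)"?\s*$/i', $line)) {
            return true;
        }
    }
    return false;
}

// Constructed request body carrying a harmless marker script.
$body = '{"name":"<script>alert(1)</script>"}';

echo 'Raw ({!! !!}):   ' . renderRequestBody($body, true) . PHP_EOL;
echo 'Escaped ({{ }}): ' . renderRequestBody($body, false) . PHP_EOL;
// The escaped form emits &lt;script&gt;..., which the browser shows as text.

// Constructed .env as it often looks on a misconfigured production host.
$env = "APP_ENV=production\nAPP_DEBUG=true\nAPP_KEY=base64:PLACEHOLDER\n";
echo 'APP_DEBUG enabled: ' . (debugModeEnabled($env) ? 'yes, disable before deploying' : 'no') . PHP_EOL;
```

Running the script with `php` shows the raw rendering preserving the script tag while the escaped rendering neutralises it, and flags the debug setting in the sample .env.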

The impact of this vulnerability is substantial. Attackers can craft URLs that, when visited by users, execute arbitrary JavaScript in the context of the affected web application.

This allows for various malicious actions, including data theft or session hijacking.

Fortunately, this issue has been addressed in version 11.36.0 of the Laravel framework. Users are strongly advised to update their applications to this version or later to ensure protection against this vulnerability.

The security of web applications is paramount, and vulnerabilities like this flaw in Laravel underscore the importance of regular updates and robust security practices.

As the popularity of frameworks such as Laravel continues to grow, ensuring the integrity of these tools is essential for safeguarding user data and preventing malicious activity.
