Technical information leak - Content response - PHP

Technical information leak - Content response - PHP

Need

Prevention of technical information leaks in content responses

Context

  • Usage of PHP for server-side scripting and web development
  • Usage of Route for defining and handling routes in a web application

Description

Non compliant code

        Route::get('/info', function () {
    phpinfo();
});
        
        

This piece of code is a route in a Laravel application that when accessed, it will execute the phpinfo() function.

The phpinfo() function is a built-in PHP function that outputs information about PHP's configuration. It displays information about PHP's compilation options and extensions, the PHP version, server information and environment (if compiled as a module), the PHP environment, OS version information, paths, master and local values of configuration options, HTTP headers, and the PHP License.

This function is very useful in development environment for debugging purposes, however, it can be very harmful if it is used in a production environment because it exposes a lot of sensitive information about the server and its configuration that can be used by an attacker to exploit the system.

This code represents a technical information leak vulnerability because it exposes detailed technical information about the server and its configuration to the public. This information can be used by an attacker to identify potential vulnerabilities and exploit them.

Steps

  • Remove or restrict access to the route that exposes the phpinfo() function. This function provides a lot of information about the PHP environment, which can be useful for an attacker.
  • If you need to keep the route for debugging purposes, consider adding authentication and IP whitelisting to limit who can access this information.
  • Consider using a custom error page instead of exposing system information. This can prevent information leakage while still providing useful feedback to users.
  • Regularly update your server and its components to the latest versions. This can help to prevent attacks that exploit known vulnerabilities in older versions.
  • Configure your server to minimize the information it provides in its headers. For example, you can configure it to not include the server version in the Server HTTP header.

Compliant code

        // Remove the following code
Route::get('/info', function () {
    phpinfo();
});
        
        

The above code is a route in a Laravel application that exposes the phpinfo() function. This function outputs a large amount of information about the current state of PHP, including compilation options, extensions, version, server information, and the PHP environment. This information can be very useful for debugging, but it can also provide valuable information to an attacker.

To fix this vulnerability, you should remove or restrict access to this route. If you need to keep the route for debugging purposes, consider adding authentication and IP whitelisting to limit who can access this information. Here is an example of how you can add basic authentication to this route:

                Route::get('/info', function () {
    phpinfo();
})->middleware('auth');

            


In this example, only authenticated users can access the phpinfo() output. However, keep in mind that this is a basic solution and might not be sufficient for a production environment.

Additionally, consider using a custom error page instead of exposing system information. This can prevent information leakage while still providing useful feedback to users. For example:

                if (app()->bound('sentry') && !empty(Sentry::getLastEventID())) {
    return response()->view('errors.500', ['sentryID' => Sentry::getLastEventID()], 500);
}

            


In this example, when an error occurs, the application returns a custom error page with a unique ID for the error, instead of exposing system information.

Finally, regularly update your server and its components to the latest versions. This can help to prevent attacks that exploit known vulnerabilities in older versions. Also, configure your server to minimize the information it provides in its headers. For example, you can configure it to not include the server version in the Server HTTP header.

References