Description
An unauthorized user can access Laravel log viewer by rap2hpoutre and use its download function to download any file readable with Laravel's permissions, by supplying the wanted file as a base64-encoded value.
That base64 value is encoded by Laravel, with the payload and the app_key as input.
Impact
An unauthorised user who knows the app_key (from any source, either brute force or a default app_key) can encrypt a path traversal payload to view any file on the system.
Affected versions
- Latest version: Laravel log viewer <=v2.3.0
Severity
- High 8.9: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Exploit
Write Python code to encrypt/decrypt the base64 string from Laravel with the app_key. Then modify it into a traversal payload, encrypt it, and send it.
PoC:
Solution
In the file src/controllers/LogViewerController.php, index() and pathFromInput() need to process the file name in lines like:
$this->log_viewer->setFile(Crypt::decrypt($this->request->input('l')));
$this->log_viewer->pathToLogFile(Crypt::decrypt($this->request->input($input_string)));
Instead of taking the file name directly from the request after decrypting it, process the file name before passing it to setFile or download.
Example of using basename() in PHP
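A sketch of that basename() handling, added here as an example; it is not the package's code or its patch. The helper name safeLogPath(), the demo directory and the sample inputs are assumptions, and `$decrypted` stands for the value returned by Crypt::decrypt(). It goes one step beyond basename() by also confirming that the resolved path stays inside the log directory.

```php
<?php
// Added example (hypothetical helper, not part of laravel-log-viewer).
// $decrypted is the string obtained from Crypt::decrypt($request->input('l')).
function safeLogPath(string $decrypted, string $logDir): ?string
{
    // Empty values and NUL bytes are never valid file names.
    if ($decrypted === '' || strpos($decrypted, "\0") !== false) {
        return null;
    }
    // On Linux basename() only splits on "/", so normalise "\" first.
    $name = basename(str_replace('\\', '/', $decrypted));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $base = realpath($logDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks; the result must still be under $base.
    $full = realpath($base . DIRECTORY_SEPARATOR . $name);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($full === false || strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

// Constructed demo: a throwaway log directory holding one log file.
$logDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'logviewer_demo_' . getmypid();
mkdir($logDir);
file_put_contents($logDir . DIRECTORY_SEPARATOR . 'laravel.log', "constructed log line\n");

// Constructed inputs: one legitimate name, the rest traversal-style values.
$inputs = ['laravel.log', '../../../../etc/passwd', '/etc/passwd', '..\\..\\.env', '..', 'missing.log'];
foreach ($inputs as $in) {
    $out = safeLogPath($in, $logDir);
    printf("%-26s => %s\n", $in, $out === null ? 'rejected' : $out);
}

unlink($logDir . DIRECTORY_SEPARATOR . 'laravel.log');
rmdir($logDir);
```

In the controller, the result of such a helper, rather than the raw decrypted string, would be what is passed to setFile() and pathToLogFile(), with a null result treated as a failed request.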