Dangers of Laravel Debug Mode Enabled
The research made by Bob Diachenko, Director of Cyber Risk Research at Hacken.
I have spent the last couple of weeks researching Laravel, a popular open-source PHP framework intended for the development of web applications. Like many similar frameworks it includes a debug mode with a special interface, allowing developers to view the internal state of network connections for the purpose of identifying errors and misconfigurations, before going live.
There is nothing wrong with having a debug mode enabled, but the real danger is to have this mode on while the system is live. I have used both BinaryEdge and Shodan search results to see how many servers are exposed and came up with a shocking list of 566 IPs.
Here is an example of how the debug interface looks in a web-browser and what kind of parameters are open to view in plain text (hint - almost all digital keys are there sometimes):
Note that not all servers show the full details of passwords and databases in debug mode. However, the screen above should give you an understanding on the level of detail available for those who accidentally (or on purpose) may come across this.
Apart from the web server disclosing some system information data in the HTTP response, such as application keys, database connection strings, passwords, secret credentials etc, debug mode enables extra debugging behaviours that assist not only developers, but also potential attackers.
This information might help an attacker gain more information and potentially focus on the development of further attacks with which to target the system. For the last two weeks I have responsibly notified 22 companies whose sensitive data was exposed in such a manner.
One of the companies that inadvertently exposed its production data via the debug mode interface was Swedish-based PrestoDaycare, a child tracking and monitoring platform start-up.
PrestoDaycare positions itself as a digital toolkit that integrates technology into traditional schools. This allows teachers to manage the classroom by creating digital student portfolios, registering attendance and scheduling 1-on-1 conferences. It also allows teachers to communicate with the parents by updating the online calendar, tracking student progress and issuing grade reports.
However, it appeared that the admin section on their homepage was misconfigured in such a way that anybody who may have misspelt the URL would be directed straight to the debug page which contained practically all the Company's credentials in one place including secret keys, database locations, credentials administrator passwords.and many more sensitive details.
On September 26th I tried to get in touch with the Company to alert them to the potential security breach but was only able to leave a voicemail and send a notification email which went unanswered.An additional email was sent to the local CERT authority.
With the assistance of my Sweedish Twitter followers, I finally got the attention of the PrestoDaycare developers and they replied with the following statement:
We would again like to express our thanks for reaching out to us on this matter. We have, as a GDPR-compliant organization, notified the incident as per the directive. The reason for the information leak was a bug in the handling of error events in the web app, which caused the web app to act as it was in debug mode (which it wasn't configured to be).
The data breach was secured within an hour although it is unknown how long it had been left unnoticed and if any secure information had already been accessed.
There still remains at least 5 companies who have not responded to my notifications and have Laravel interface set in debug mode.
Director of Cyber Risk Research at Hacken. Email: firstname.lastname@example.org