Arbitrary variable read through Ignition for Laravel


Ignition is the default error page for the PHP framework Laravel. We discovered a critical security vulnerability in it that allows arbitrary variable read, which can lead to leakage of sensitive information.

Laravel is a popular PHP framework that has attracted many users in a relatively short time. It is open source under the MIT License, with its code hosted on GitHub.
Last year Laravel made Ignition, an open source package, its new default error page: Ignition understands framework-specific details and presents the stack trace in a form that is easier to digest.

Infigo IS' security expert Luka Sikic found a critical security vulnerability in Ignition, or more precisely in its fixTypo function. The vulnerability allows a remote, unauthenticated user to dump the contents of arbitrary runtime variables, including the $GLOBALS superglobal. Since Laravel loads the application's .env file into the process environment, which $GLOBALS exposes through $_ENV and $_SERVER, this means potentially leaking DB usernames and passwords, API tokens, the application key used for encryption and session protection, and everything else the world shouldn't get to see!

The vulnerability was reported to the vendor, who confirmed it. Ignition versions before 2.0.5 are affected, so check which version you have installed and update accordingly. If you're interested, you can skim through the CVE entry here.
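Since the practical advice above is to check which Ignition release you are running, the following checker is added here as an example; it is not code from Infigo IS or the Ignition project. It assumes the standard Composer layout (exact installed versions in composer.lock, Ignition published as the facade/ignition package) and takes 2.0.5 as the first fixed release, as stated above. The composer.lock fragments and the .env contents it runs on are constructed for illustration. It goes slightly beyond the text by also reporting whether APP_DEBUG is on, because Ignition's detailed error page is only rendered when Laravel runs in debug mode.

```python
"""Check whether a Laravel deployment ships a vulnerable Ignition release.

Added example, not code from Infigo IS or the Ignition project. Assumes the
standard Composer layout (installed versions in composer.lock, Ignition as
the "facade/ignition" package) and that 2.0.5 is the first fixed release.
"""
import json
import re
from typing import Optional, Tuple

PACKAGE = "facade/ignition"
FIXED_VERSION = "2.0.5"  # first release without the bug, per the advisory


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn a Composer tag like "v2.0.4" or "2.0" into a comparable tuple.
    Returns None for non-release versions ("dev-master", "2.x-dev"), which
    cannot be ordered against a release number and need a manual look."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def installed_version(lock_json: str, package: str = PACKAGE) -> Optional[str]:
    """Return the locked version of `package`, or None if it is absent.
    Both "packages" and "packages-dev" are searched: Ignition is normally a
    require-dev dependency, but require-dev packages are still installed
    unless the deployment ran composer install --no-dev."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def is_vulnerable(version: Optional[str]) -> Optional[bool]:
    """True for releases before 2.0.5, False for 2.0.5 and later,
    None when the package is missing or the version is not a release tag."""
    if version is None:
        return None
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed < parse_version(FIXED_VERSION)


def debug_enabled(dotenv: str) -> bool:
    """True if APP_DEBUG is truthy in the given .env contents.
    Ignition's detailed error page is only rendered in Laravel debug mode,
    so an outdated package on a host with APP_DEBUG=false is still worth
    updating but is not directly exposed."""
    for line in dotenv.splitlines():
        line = line.strip()
        if line.startswith("APP_DEBUG="):
            value = line.split("=", 1)[1].strip().strip("\"'").lower()
            return value in ("true", "(true)", "1", "yes", "on")
    return False  # Laravel's config/app.php defaults APP_DEBUG to false


def assess(lock_json: str, dotenv: str) -> dict:
    """Combine the package and debug checks into one verdict."""
    version = installed_version(lock_json)
    vulnerable = is_vulnerable(version)
    debug = debug_enabled(dotenv)
    return {
        "version": version,
        "vulnerable": vulnerable,
        "debug": debug,
        # exposed only when we positively know the package is old AND the
        # error page is reachable; an unknown version is reported, not assumed
        "exposed": vulnerable is True and debug,
    }


def _lock_with(version: str) -> str:
    """Constructed composer.lock fragment for the samples below (not real)."""
    return json.dumps({
        "packages": [{"name": "laravel/framework", "version": "v7.0.0"}],
        "packages-dev": [{"name": PACKAGE, "version": version}],
    })


# Constructed sample inputs: one outdated install, one patched install.
SAMPLE_LOCK_VULNERABLE = _lock_with("v2.0.4")
SAMPLE_LOCK_FIXED = _lock_with("v2.0.5")
SAMPLE_ENV_DEBUG = "APP_NAME=Demo\nAPP_ENV=local\nAPP_DEBUG=true\n"

if __name__ == "__main__":
    for label, lock in (("old", SAMPLE_LOCK_VULNERABLE), ("fixed", SAMPLE_LOCK_FIXED)):
        print(label, assess(lock, SAMPLE_ENV_DEBUG))
```

On a real deployment, point `installed_version` at the contents of the project's composer.lock and `debug_enabled` at its .env; a `None` verdict means the version string is a branch alias or the package is missing from the lock file, which should be resolved by hand rather than treated as safe.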