{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/flightphp/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["flightphp/core (\u003c 3.18.1)"],"_cs_severities":["high"],"_cs_tags":["information-disclosure","web-application","flightphp"],"_cs_type":"advisory","_cs_vendors":["composer"],"content_html":"\u003cp\u003eThe FlightPHP framework, prior to version 3.18.1, is vulnerable to sensitive information disclosure due to its default error handling mechanism. The \u003ccode\u003eEngine::_error()\u003c/code\u003e function writes the full exception message, exception code, and stack trace directly into the HTTP 500 response without any debug gating. This behavior can expose internal filesystem paths, secrets interpolated into exception messages (such as database credentials or API tokens), and the application\u0026rsquo;s module structure. The vulnerability was discovered by @Rootingg and a proof of concept is available, demonstrating the leakage of sensitive information. This disclosure can provide attackers with valuable primitives for chaining other weaknesses, such as Local File Inclusion (LFI) or path traversal vulnerabilities. The issue is resolved in version 3.18.1 with the introduction of a \u003ccode\u003eflight.debug\u003c/code\u003e setting to control the verbosity of error output.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a FlightPHP application running a version prior to 3.18.1.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request designed to trigger an uncaught exception within the application. This could be through invalid input, resource exhaustion, or other error-inducing actions.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s error handler, \u003ccode\u003eEngine::_error()\u003c/code\u003e, is invoked.\u003c/li\u003e\n\u003cli\u003eThe error handler formats the exception message, code, and stack trace into an HTML response.\u003c/li\u003e\n\u003cli\u003eThis response includes absolute filesystem paths, potentially revealing the application\u0026rsquo;s directory structure.\u003c/li\u003e\n\u003cli\u003eThe response may also include secrets, such as database credentials or API keys, if these are inadvertently included in exception messages.\u003c/li\u003e\n\u003cli\u003eThe HTTP 500 response is sent to the attacker\u0026rsquo;s browser, containing the sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the disclosed information to further exploit the application, potentially leveraging LFI or path traversal vulnerabilities to gain unauthorized access or execute arbitrary code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to the disclosure of sensitive information, including absolute filesystem paths, database credentials, API tokens, and internal application structure. This information can be used to facilitate further attacks, such as Local File Inclusion (LFI) or path traversal vulnerabilities. The disclosure of database credentials or API tokens could grant attackers unauthorized access to sensitive data or systems. The vulnerability affects applications using FlightPHP versions prior to 3.18.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FlightPHP to version 3.18.1 or later to patch the vulnerability. The fix introduces a \u003ccode\u003eflight.debug\u003c/code\u003e setting that gates the verbose output, preventing sensitive information from being exposed in production environments.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;FlightPHP Sensitive Information Disclosure in HTTP Response\u0026rdquo; to detect instances of verbose error messages in HTTP 500 responses.\u003c/li\u003e\n\u003cli\u003eReview application code to ensure that sensitive information, such as database credentials and API tokens, is not inadvertently included in exception messages.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging (category: webserver, product: linux/windows) to capture HTTP requests and responses, facilitating detection and analysis of potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-08T12:00:00Z","date_published":"2024-01-08T12:00:00Z","id":"/briefs/2024-01-flightphp-info-disclosure/","summary":"The default error handler in FlightPHP core writes the full exception message, exception code, and stack trace directly into the HTTP 500 response, disclosing sensitive information such as internal paths, secrets, and application structure.","title":"FlightPHP Sensitive Information Disclosure via Default Error Handler","url":"https://feed.craftedsignal.io/briefs/2024-01-flightphp-info-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed — Flightphp","version":"https://jsonfeed.org/version/1.1"}