Emergency patch: Prevent leaking sensitive details through debug output
Status: No sensitive data was compromised. No users were affected. This has been resolved.
The Laravel debug page leaks sensitive configuration values by default, such as APP_KEY and MAIL_PASSWORD. When the application is in debug mode, this output can easily be collected by sending a POST request to /.

A publicly reachable application should never run in debug mode, or the leakage must be prevented otherwise. To resolve this issue we must blacklist all sensitive properties from all debug output.
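The blacklist described above, as an added example of how it can be expressed in a Laravel application's configuration (this is not the project's own config file). It assumes the Laravel option `debug_blacklist`, which masks the listed superglobal keys on the debug page (the option is called `debug_hide` from Laravel 8.x on); the variable names listed beyond APP_KEY and MAIL_PASSWORD are assumed from Laravel's default `.env.example`.

```php
<?php
// config/app.php (excerpt). Added example for this issue, not the project's
// own configuration; the key names under '_ENV' and '_SERVER' are assumptions
// about which variables the application defines.
return [

    // Debug mode is read from the environment and defaults to off, so a
    // missing or broken .env never enables the debug page by accident.
    'debug' => (bool) env('APP_DEBUG', false),

    // Values for the keys listed here are replaced by a placeholder on the
    // debug page instead of being printed. Named 'debug_blacklist' in
    // Laravel 5.5 through 7.x, 'debug_hide' from Laravel 8.x onwards.
    'debug_blacklist' => [
        '_ENV' => [
            'APP_KEY',
            'DB_USERNAME',
            'DB_PASSWORD',
            'MAIL_USERNAME',
            'MAIL_PASSWORD',
            'REDIS_PASSWORD',
            'PUSHER_APP_KEY',
            'PUSHER_APP_SECRET',
        ],

        // The same variables are also present in $_SERVER, so they have to
        // be hidden there as well or the page still shows them.
        '_SERVER' => [
            'APP_KEY',
            'DB_USERNAME',
            'DB_PASSWORD',
            'MAIL_USERNAME',
            'MAIL_PASSWORD',
            'REDIS_PASSWORD',
            'PUSHER_APP_KEY',
            'PUSHER_APP_SECRET',
        ],

        // Request bodies are dumped too; hide submitted passwords.
        '_POST' => [
            'password',
            'password_confirmation',
        ],
    ],
];
```

To check the patch on a local instance, enable APP_DEBUG, trigger any exception page and confirm the listed keys show a masked value; the masking is a safety net only, and APP_DEBUG must stay off on every reachable instance regardless.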
Tasks
- Implement emergency patch
- Deploy emergency patch to all instances
- Investigate possible compromise on all instances
- Rotate/terminate sensitive credentials where needed
Instance status
- Production: not affected (never in debug mode)
- Staging: not affected (never exposed due to server config)
- Local development server (@timvisee): affected
Notes
Only the local development server is affected by this, because the current production/staging server configuration hides the respective sensitive details by default. No sensitive data could have been compromised from production/staging because of this.
The local development server used throwaway credentials. A bot extracted SMTP credentials, but these belong to a sandboxed/isolated email environment. All relevant credentials have been rotated to prevent further abuse.