CVE-2023-29931
📋 TL;DR
CVE-2023-29931 is a Local File Inclusion vulnerability in laravel-s that allows attackers to read arbitrary files on the server. This affects all systems running laravel-s version 3.7.35 or earlier. The vulnerability can lead to sensitive information disclosure including configuration files and credentials.
💻 Affected Systems
- laravel-s
📦 What is this software?
LaravelS, by the LaravelS Project (Composer package hhxsv5/laravel-s)
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive files like .env (containing database credentials, API keys), SSH keys, or configuration files that could lead to further exploitation.
Likely Case
Information disclosure of sensitive files including application source code, configuration files, and potentially credentials stored in accessible files.
If Mitigated
Limited impact if proper file permissions restrict access to sensitive files and web server runs with minimal privileges.
🎯 Exploit Status
Exploitation is straightforward via crafted requests to the vulnerable endpoint. Public proof-of-concept exists in GitHub issues.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.7.36 or later
Vendor Advisory: https://github.com/hhxsv5/laravel-s/issues/437
Restart Required: Yes
Instructions:
1. Update laravel-s to version 3.7.36 or later using Composer: 'composer require hhxsv5/laravel-s:^3.7.36'
2. Restart the laravel-s service
3. Verify the update with 'composer show hhxsv5/laravel-s'
🔧 Temporary Workarounds
Web Server Path Restriction
Configure the web server to deny access to the vulnerable /src/Illuminate/Laravel.php endpoint.
For Nginx:
location ~ ^/src/Illuminate/Laravel\.php$ { deny all; }
For Apache:
<Location "/src/Illuminate/Laravel.php">
    Require all denied
</Location>
🧯 If You Can't Patch
- Implement strict file permissions to limit what files the web server user can read
- Deploy WAF rules to block requests containing path traversal patterns (../, ..\, etc.)
🔍 How to Verify
Check if Vulnerable:
Check the installed laravel-s version with 'composer show hhxsv5/laravel-s | grep versions'. If the version is 3.7.35 or earlier, the system is vulnerable.
Check Version:
composer show hhxsv5/laravel-s | grep versions
Verify Fix Applied:
After updating, confirm with the same command that the version is 3.7.36 or later, then test that requests attempting file inclusion against the endpoint are rejected.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '/src/Illuminate/Laravel.php' with file path parameters
- Multiple 200/403 responses to Laravel.php endpoint with unusual file paths
Network Indicators:
- HTTP requests with path traversal sequences (../) targeting the vulnerable endpoint
SIEM Query:
source="web_access_logs" AND (uri="/src/Illuminate/Laravel.php" AND (query="*../*" OR query="*..\\*"))
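The SIEM query above matches the literal '../' and '..\' strings; requests that URL-encode the traversal sequence (for example '..%2F') would slip past it. The following is an added example, not part of the advisory, that applies the same log indicators to Apache/Nginx combined-format access logs after URL-decoding the query string. The log lines are constructed samples, and the combined log format is an assumption.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2023:12:00:01 +0000] "GET /src/Illuminate/Laravel.php?file=../../.env HTTP/1.1" 200 512 "-" "curl/7.88"
203.0.113.11 - - [10/May/2023:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.12 - - [10/May/2023:12:00:03 +0000] "GET /src/Illuminate/Laravel.php?file=..%2F..%2Fconfig%2Fapp.php HTTP/1.1" 403 0 "-" "python-requests/2.31"
203.0.113.13 - - [10/May/2023:12:00:04 +0000] "GET /src/Illuminate/Laravel.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Fields of interest from a combined-format line: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/src/Illuminate/Laravel.php"          # endpoint named in the advisory
TRAVERSAL = ("../", "..\\")                         # path traversal patterns from the advisory


def is_suspicious(line: str):
    """Return (ip, status, decoded_query) when the request targets the vulnerable
    endpoint and its query carries a traversal sequence, otherwise None.
    The query is URL-decoded first so that encoded forms such as ..%2F are caught."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return None
    query = unquote(parts.query)
    if not any(t in query for t in TRAVERSAL):
        return None
    return (m.group("ip"), int(m.group("status")), query)


def scan(log_text: str):
    """Run the indicator over every line and keep the hits (200 and 403 alike,
    since the advisory flags both as worth reviewing)."""
    return [hit for hit in (is_suspicious(ln) for ln in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, status, query in scan(SAMPLE_LOG):
        print(f"{ip} status={status} query={query}")
```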