Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Ignition Remote Code Execution Vulnerability in Laravel

Vulnerability

A remote code execution vulnerability exists in Ignition versions prior to 2.5.2, the error page package used in Laravel and other products. Ignition's solution-execution endpoint is unauthenticated, and the MakeViewVariableOptionalSolution solution passes the attacker-supplied viewFile parameter straight to file_get_contents() and file_put_contents() without validating it, so PHP stream wrappers such as php://filter and phar:// are honoured. Laravel 8.4.2 raised the framework's Ignition requirement to 2.5.2, so Laravel versions prior to 8.4.2 can resolve a vulnerable Ignition release; the issue is exploitable only when the application runs in debug mode (APP_DEBUG=true), which is what enables the Ignition endpoints.

Impact

Exploitation of this vulnerability allows an unauthenticated remote attacker to execute arbitrary code, as the PHP process user, on the server running the vulnerable application.

Reproduction

To reproduce this vulnerability, the target must be running Laravel prior to 8.4.2 (Ignition prior to 2.5.2) with debug mode enabled, which exposes Ignition's execute-solution endpoint. When an exception occurs, Ignition renders its error page with proposed solutions, and Laravel writes the error to its log file (storage/logs/laravel.log by default). The endpoint accepts a JSON body naming a solution class and its parameters; with the MakeViewVariableOptionalSolution class, the viewFile parameter is read with file_get_contents() and written back with file_put_contents(). Exploitation proceeds in stages. First, a request whose viewFile is a nonexistent path carrying the base64-encoded payload makes file_get_contents() fail, and Laravel logs the error including that path, so the payload now sits in laravel.log. Next, viewFile is set to a php://filter chain (using convert.base64-decode) whose resource is the log file; the read-then-write round trip pushes the log through the filter, discarding the surrounding log text and leaving a valid PHAR archive on disk. Finally, viewFile is set to a phar:// path pointing at that log file; reading it makes PHP unserialize the archive's metadata, and the deserialization gadget chain embedded there executes the attacker's code.
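The request sequence above leaves a distinctive trace at the edge: POSTs to the execute-solution route whose JSON body names MakeViewVariableOptionalSolution with a stream wrapper in viewFile. The following triage script is an added example written for this advisory, not code from Ignition or Laravel. It assumes request records captured by a reverse proxy or WAF as JSON lines with "method", "path" and "body" fields (the body is needed because the solution class and viewFile travel in the POST body), and it assumes Ignition 2.x's default route path /_ignition/execute-solution. The sample records are constructed for the demonstration and are not real traffic.

```python
"""Triage proxy/WAF request records for abuse of the Ignition execute-solution endpoint.

Added example for this advisory; not code from the Ignition or Laravel projects.
Assumes JSON-lines records with "method", "path" and "body" fields.
"""
import json
import re

# Default route path registered by Ignition 2.x for running a solution.
IGNITION_EXECUTE_PATH = "/_ignition/execute-solution"
# The solution class whose viewFile parameter reaches file_get_contents()/file_put_contents().
VULNERABLE_SOLUTION = r"Facade\Ignition\Solutions\MakeViewVariableOptionalSolution"
# A Blade view path should be a plain filesystem path; any stream wrapper scheme
# (php://filter chains, phar:// deserialisation, data://, ...) is an exploitation indicator.
WRAPPER_RE = re.compile(r"^\s*[a-z][a-z0-9.+-]*://", re.IGNORECASE)


def classify_request(method, path, body):
    """Return (severity, reason) for one request record, or None if it is not of interest."""
    if path.split("?", 1)[0] != IGNITION_EXECUTE_PATH:
        return None
    # A reachable execute-solution endpoint means debug mode is exposed to this client,
    # which is a finding on its own even when the request is benign.
    severity, reason = "medium", "Ignition execute-solution endpoint reachable (debug mode exposed)"
    if method.upper() != "POST":
        return severity, reason
    try:
        payload = json.loads(body) if body else {}
    except ValueError:
        return "medium", "Ignition execute-solution probed with non-JSON body"
    if not isinstance(payload, dict):
        return severity, reason
    solution = str(payload.get("solution", ""))
    params = payload.get("parameters") or {}
    view_file = str(params.get("viewFile", "")) if isinstance(params, dict) else ""
    if solution.endswith("MakeViewVariableOptionalSolution"):
        if WRAPPER_RE.match(view_file):
            scheme = view_file.split("://", 1)[0].strip().lower()
            return "high", f"MakeViewVariableOptionalSolution with {scheme}:// wrapper in viewFile"
        if ".." in view_file:
            return "high", "MakeViewVariableOptionalSolution with path traversal in viewFile"
        return "medium", "MakeViewVariableOptionalSolution executed with plain view path"
    return severity, reason


def scan_records(lines):
    """Run classify_request over JSON-lines records; malformed lines are skipped, not fatal."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        result = classify_request(rec.get("method", ""), rec.get("path", ""), rec.get("body", ""))
        if result:
            findings.append((n, *result))
    return findings


# Constructed sample records (not real traffic) covering the stages the advisory describes:
# a php://filter chain aimed at the log, a phar:// read of that log, a benign solution run,
# and a bare GET probe of the endpoint.
SAMPLE_RECORDS = [
    json.dumps({"method": "GET", "path": "/", "body": ""}),
    json.dumps({"method": "POST", "path": IGNITION_EXECUTE_PATH, "body": json.dumps({
        "solution": VULNERABLE_SOLUTION,
        "parameters": {"variableName": "username",
                       "viewFile": "php://filter/write=convert.base64-decode/resource=../storage/logs/laravel.log"}})}),
    json.dumps({"method": "POST", "path": IGNITION_EXECUTE_PATH, "body": json.dumps({
        "solution": VULNERABLE_SOLUTION,
        "parameters": {"variableName": "username",
                       "viewFile": "phar://../storage/logs/laravel.log/test.txt"}})}),
    json.dumps({"method": "POST", "path": IGNITION_EXECUTE_PATH, "body": json.dumps({
        "solution": VULNERABLE_SOLUTION,
        "parameters": {"variableName": "title", "viewFile": "resources/views/welcome.blade.php"}})}),
    json.dumps({"method": "GET", "path": IGNITION_EXECUTE_PATH, "body": ""}),
]

if __name__ == "__main__":
    for line_no, severity, reason in scan_records(SAMPLE_RECORDS):
        print(f"record {line_no}: [{severity}] {reason}")
```

Matching the wrapper scheme generically rather than only php:// and phar:// is deliberate: the two wrappers are what the published technique uses, but any scheme in a view path is abnormal, and a generic match survives variants. The medium-severity findings matter too, since a reachable execute-solution route on a production host means APP_DEBUG is on regardless of whether this particular request was hostile.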

Remediation

Update Ignition to version 2.5.2 or later (on Laravel this is the facade/ignition Composer package; Laravel 8.4.2 and later require the fixed version), and ensure that the application does not run in debug mode in production (APP_DEBUG=false), which also removes the Ignition endpoints from the attack surface. Instructions for updating Ignition can be found in the Laravel documentation.
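Both remediation conditions can be checked from the deployment artifacts without touching the running application. The audit script below is an added example for this advisory, not tooling from Laravel or Ignition. It assumes the Ignition 2.x package name facade/ignition, the standard composer.lock layout (Laravel 8 lists Ignition under require-dev, so it appears in the "packages-dev" section, and is absent entirely after composer install --no-dev), and a .env file in the usual key=value form; the sample file contents are constructed for the demonstration.

```python
"""Audit a Laravel deployment for the Ignition RCE preconditions: a facade/ignition version
below 2.5.2 in composer.lock and APP_DEBUG enabled in .env.

Added example for this advisory; not code from Laravel or Ignition.
"""
import json
import re

PACKAGE = "facade/ignition"   # Ignition 2.x package name (assumption for this example)
FIXED = (2, 5, 2)


def parse_version(version):
    """Turn a composer version string such as 'v2.5.1' into a comparable tuple (2, 5, 1).
    Suffixes like '-beta1' are ignored; branch aliases like 'dev-master' return None."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def ignition_version(composer_lock_text):
    """Return the locked facade/ignition version string, or None if the package is not installed."""
    lock = json.loads(composer_lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg.get("version")
    return None


def debug_enabled(env_text):
    """Evaluate APP_DEBUG the way Laravel does: env() maps true/(true) and false/(false),
    and config/app.php casts the result with (bool), so any other non-empty value except "0"
    (for instance APP_DEBUG=off) still turns debug mode ON."""
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "APP_DEBUG":
            value = value.strip().strip('"').strip("'").lower()
            if value in ("true", "(true)"):
                return True
            if value in ("false", "(false)", "", "0", "null", "(null)", "empty", "(empty)"):
                return False
            return True
    return False  # Laravel defaults APP_DEBUG to false when the key is absent


def assess(composer_lock_text, env_text):
    """Return the two preconditions and an overall verdict for a deployment."""
    ver = ignition_version(composer_lock_text)
    parsed = parse_version(ver) if ver else None
    vulnerable_pkg = parsed is not None and parsed < FIXED
    debug = debug_enabled(env_text)
    return {
        "ignition_version": ver,
        "ignition_vulnerable": vulnerable_pkg,
        "debug_mode": debug,
        # Exploitable only when both hold; a vulnerable package with debug off still needs
        # the update, but the execute-solution endpoint is not exposed.
        "exploitable": vulnerable_pkg and debug,
    }


# Constructed sample files (not from a real deployment).
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "laravel/framework", "version": "v8.3.0"}],
    "packages-dev": [{"name": "facade/ignition", "version": "2.5.1"}],
})
PATCHED_LOCK = json.dumps({
    "packages": [{"name": "laravel/framework", "version": "v8.4.2"}],
    "packages-dev": [{"name": "facade/ignition", "version": "2.5.2"}],
})
SAMPLE_ENV = "APP_NAME=Laravel\nAPP_ENV=production\nAPP_DEBUG=true\nAPP_KEY=\n"

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_ENV))
    print(assess(PATCHED_LOCK, "APP_DEBUG=false\n"))
```

The debug_enabled() logic is the part worth keeping even after patching: because config/app.php casts env('APP_DEBUG') to bool, a value such as "off" or "no" enables debug mode, so a grep for APP_DEBUG=true alone will miss misconfigured hosts.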

Added: May 15, 2026, 10:02 AM
Updated: May 15, 2026, 10:02 AM

Vulnerability Rating

Custom Algorithm

spread          6.4
impact         10.0
exploitability  8.1
remediation     7.9
relevance       0.0
threat          9.9
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.