Flight PHP Full Exception Disclosure Vulnerability in Default Error Handler

Vulnerability

Flight PHP versions prior to 3.18.1 ship a default error handler, Engine::_error(), that writes the complete exception message, exception code and stack trace, including absolute filesystem paths, directly into the body of the HTTP 500 response. The output is not gated on any debug setting, so a production deployment that lets any uncaught exception reach the handler discloses internal paths, any secrets that were interpolated into exception messages, and the layout of application and vendor code. The disclosure is not exploitable on its own; its value to an attacker is in chaining with a second bug, such as local file inclusion or path traversal, where a known absolute path is needed. The issue is fixed in Flight PHP version 3.18.1.

Impact

The most direct consequence is disclosure of absolute filesystem paths, which removes the guesswork from exploiting a separate local file inclusion or path traversal bug in the same application. Where code constructs exceptions with interpolated configuration values (a connection string, an API endpoint with its token), the response also carries those secrets verbatim. Finally, the stack trace enumerates installed vendor packages and the internal application structure, which narrows an attacker's search for known-vulnerable dependencies.

Reproduction

To reproduce, run an application on a Flight PHP version prior to 3.18.1 with the framework's default error handling enabled (the flight.handle_errors setting, which is on by default) and request a route that throws an exception not caught by any try/catch in the route itself. The uncaught exception is routed to Engine::_error(), which responds with HTTP 500 Internal Server Error and a body containing the exception message, the exception code and the full stack trace. The trace shows the absolute path of every frame, including files under the vendor directory; if the message was built from configuration values, those appear as well.

Remediation

Upgrade to Flight PHP version 3.18.1 or later, where the fix is included. Version 3.18.1 introduces a 'flight.debug' setting that controls the verbosity of the default error response: with the setting false, the handler emits only a generic 500 message; with it true, the full exception details are restored for local development. Keep the setting false in production and never drive it from request input. After upgrading, confirm the behaviour by requesting a deliberately throwing route and checking that the 500 body contains no file paths. Two further points apply regardless of version: Flight allows the default handler to be replaced through its error mapping, which is the supported way to log the full exception server-side while returning a generic body, and exception messages should not carry secrets in the first place, since they also end up in logs and monitoring tools.
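The following is an added example, not code from the Flight project or from this advisory, that covers both the reproduction scenario above and the remediation. It is a minimal Flight application with one route whose exception message interpolates a database password (the anti-pattern the Impact section describes), the 3.18.1 'flight.debug' setting driven from an environment variable, and a mapped error handler that replaces Engine::_error() on any version. The APP_ENV variable name, the route, the DSN and the password are all constructed for the demonstration; Engine::set(), Engine::map('error', ...), and the response() chain are Flight's documented API.

```php
<?php
// Added example (not Flight's own code). Assumes Composer autoloading and a
// MySQL server that is not reachable, so the PDO constructor throws.
require __DIR__ . '/vendor/autoload.php';

use flight\Engine;

$app = new Engine();

// Hardening 1 (Flight 3.18.1+): verbose errors only in local development.
// Versions before 3.18.1 ignore this key, so on its own it is not enough there.
// APP_ENV is an assumed environment variable for this example.
$app->set('flight.debug', getenv('APP_ENV') === 'local');

// Hardening 2 (any version): replace the default Engine::_error() handler.
// The full exception goes to the server log; the client gets a generic body
// unless debug mode is on. htmlspecialchars() keeps a user-controlled message
// from being rendered as HTML in the debug branch.
$app->map('error', function (Throwable $e) use ($app): void {
    error_log(sprintf(
        '[%s] %s (%d) at %s:%d%s%s',
        get_class($e),
        $e->getMessage(),
        $e->getCode(),
        $e->getFile(),
        $e->getLine(),
        PHP_EOL,
        $e->getTraceAsString()
    ));

    $body = $app->get('flight.debug')
        ? sprintf(
            '<h1>500 Internal Server Error</h1><h3>%s (%s)</h3><pre>%s</pre>',
            htmlspecialchars($e->getMessage(), ENT_QUOTES),
            (int) $e->getCode(),
            htmlspecialchars($e->getTraceAsString(), ENT_QUOTES)
        )
        : '<h1>500 Internal Server Error</h1>';

    try {
        $app->response()->clearBody()->status(500)->write($body)->send();
    } catch (Throwable $t) {
        // Headers may already be out; fall back to a plain exit like Flight does.
        http_response_code(500);
        exit($body);
    }
});

// Constructed route that reproduces the disclosure: the rethrown exception
// carries the DSN and password in its message, and the trace carries
// absolute paths for every frame, including vendor/ files.
$app->route('GET /report', function (): void {
    $dsn = 'mysql:host=127.0.0.1;port=3307;dbname=app';   // constructed
    $password = 'constructed-demo-secret';                // constructed

    try {
        new PDO($dsn, 'app', $password);
    } catch (PDOException $inner) {
        // The anti-pattern from the Impact section: config values in the message.
        throw new RuntimeException(
            "DB connect failed for $dsn with password $password",
            0,
            $inner
        );
    }
});

$app->start();
```

Run it with the PHP built-in server (php -S 127.0.0.1:8000 index.php) and request /report with curl -i. On a version before 3.18.1 with the map('error', ...) block removed, the 500 body contains the constructed DSN and password plus a trace of absolute paths; with the mapped handler in place, or on 3.18.1+ with flight.debug false, the body is the generic heading only and the details appear in the server log instead. The mapped handler is the right choice for an application that cannot upgrade immediately, and it remains a sensible default afterwards because it also decides where the details go rather than merely whether they are shown.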

Added: May 13, 2026, 8:25 PM
Updated: May 13, 2026, 8:25 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  8.7
remediation     0.0
relevance       8.2
threat          6.4
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.