CVE-2017-16894
Published: 2017-11-20
CVE-2017-16894: In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable passwords) via a direct request for the /.env…
Priority: P180 high · CVSS 3.0: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
In the wild: exploited (VulnCheck KEV)
EPSS: 87.03% (99.7th percentile)
In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable passwords) via a direct request for the /.env URI. NOTE: this CVE is only about Laravel framework's writeNewEnvironmentFileWith function in src/Illuminate/Foundation/Console/KeyGenerateCommand.php, which uses file_put_contents without restricting the .env permissions. The .env filename is not used exclusively by Laravel framework.
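The NOTE above pins this CVE to writeNewEnvironmentFileWith writing .env through file_put_contents with whatever permissions the umask hands out. As an added illustration (not Laravel's code, and not the upstream fix), the following Python contrasts that write pattern with one that sets a restrictive mode, then audits the two conditions that actually matter for a deployed .env: whether the file is world-readable and whether it sits under the web server's document root, which is what turns it into a fetchable /.env. The 0600 target mode, the `public/` docroot layout, the `.tmp` suffix and the sample contents are assumptions for this example.

```python
"""Added example (not Laravel's own code): contrast the write pattern the CVE
note describes, file_put_contents() with default permissions, with a write
that sets a restrictive mode, then audit where and how .env ends up.
Assumptions: POSIX file modes, a 0600 target mode, and a project layout
where `public/` is the web server's document root."""
import os
import stat
import tempfile
from typing import Dict, List


def write_env_default(path: str, contents: str) -> None:
    """Equivalent of file_put_contents(): the new file gets the umask default
    (0644 under umask 022), i.e. readable by every local account."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(contents)


def write_env_restricted(path: str, contents: str, mode: int = 0o600) -> None:
    """Create with an explicit mode, then rename into place so a reader never
    sees a half-written file."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        os.fchmod(fd, mode)   # mode in os.open() is subject to umask; fchmod is not
        fh.write(contents)
    os.replace(tmp, path)


def audit_env(path: str, docroot: str) -> List[str]:
    """Return the findings a deploy check should fail on."""
    findings: List[str] = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append("world-readable (mode %04o)" % mode)
    real, root = os.path.realpath(path), os.path.realpath(docroot)
    if os.path.commonpath([real, root]) == root:
        findings.append("inside document root: reachable as /.env over HTTP")
    return findings


SAMPLE_ENV = "APP_NAME=Laravel\nAPP_KEY=base64:ZHVtbXk=\nDB_PASSWORD=changeme\n"  # constructed


def demo() -> Dict[str, object]:
    """Run both writers in a throwaway project tree and audit the results."""
    os.umask(0o022)
    out: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as project:
        docroot = os.path.join(project, "public")
        os.mkdir(docroot)
        env = os.path.join(project, ".env")

        write_env_default(env, SAMPLE_ENV)
        out["default_mode"] = stat.S_IMODE(os.stat(env).st_mode)
        out["default_findings"] = audit_env(env, docroot)

        write_env_restricted(env, SAMPLE_ENV)
        out["restricted_mode"] = stat.S_IMODE(os.stat(env).st_mode)
        out["restricted_findings"] = audit_env(env, docroot)

        # A .env that lands inside the served tree is exposed whatever its mode.
        exposed = os.path.join(docroot, ".env")
        write_env_restricted(exposed, SAMPLE_ENV)
        out["exposed_findings"] = audit_env(exposed, docroot)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```

The file mode only limits local readers. The HTTP exposure this CVE describes comes from serving the project root (or copying .env into `public/`) rather than from the mode bits, so the docroot finding is the one that maps to a fetchable /.env; a web-server rule that refuses dotfiles is the belt-and-braces control on top of a correct document root.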
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php-laravel-framework | — | — |
| laravel | laravel | <= 5.5.21 | — |
Detection & IOCs (extracted from sources)
sigma
GET /.env HTTP/1.x -> response body contains APP_NAME= AND APP_DEBUG= AND DB_PASSWORD=
Detections:
- Monitor HTTP GET requests to the path /.env; a 200 response with Content-Type: application/octet-stream and a body containing APP_NAME=, APP_DEBUG=, and DB_PASSWORD= is a confirmed exploitation indicator.
- Detect chained exploitation: after .env disclosure, watch for HTTP POST requests to /index.php carrying a non-standard or oversized X-XSRF-TOKEN header, the follow-on RCE vector (CVE-2018-15133).
- The exploit checks for XSRF-TOKEN or laravel_session cookies in the response to fingerprint a Laravel target before attempting exploitation.
- APP_KEY extraction from .env: look for the regex pattern APP_KEY=base64:(.*) in HTTP response bodies to identify successful credential harvesting.
- Use Shodan/FOFA queries for Laravel-Framework or laravel-framework to identify exposed instances for proactive asset discovery.
- GreyNoise reclassified ENV Crawler IPs as malicious (over 11,000 IPs at time of publication); blocking the GreyNoise ENV Crawler tag will suppress opportunistic .env harvesting bots.
Caveats:
- The .env filename is not exclusive to Laravel; detections triggering on /.env requests may fire on other frameworks (e.g., Symfony, Node.js dotenv) that also use this file convention.
- The chained RCE exploit (CVE-2018-15133) targets Laravel 5.5.40 and 5.6.x ≤ 5.6.29, not the same version range as CVE-2017-16894 (≤ 5.5.21); scope them separately in detection rules.
- The APP_KEY can also leak via Laravel framework error pages (DecryptException or MethodNotAllowedHttpException), not only via the .env file; detection should cover both vectors.
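The detections and caveats above, expressed as runnable logic over constructed HTTP log records (an added example, not the page's Sigma rule and not any vendor's code). It flags a real /.env disclosure while ignoring a single-page app that answers 200 with HTML for any path, pulls the APP_KEY out of the leaked body, records the cookie-based Laravel fingerprint, and escalates a later POST /index.php with an oversized or non-base64 X-XSRF-TOKEN from the same source into a chained CVE-2018-15133 attempt. The record layout, the 3600-second correlation window and the 1024-byte token threshold are assumptions for this example.

```python
"""Added example (not the page's Sigma rule or any vendor tool): run the
detection logic for CVE-2017-16894 and the chained CVE-2018-15133 attempt
over constructed HTTP log records.
Assumptions: the record layout, the 3600-second correlation window and the
1024-byte X-XSRF-TOKEN size threshold are ours, not Laravel's or the exploit's."""
import re
from typing import Dict, List, Optional

ENV_MARKERS = ("APP_NAME=", "APP_DEBUG=", "DB_PASSWORD=")
APP_KEY_RE = re.compile(r"APP_KEY=base64:([A-Za-z0-9+/=]+)")
LARAVEL_COOKIES = ("XSRF-TOKEN", "laravel_session")
# A genuine Laravel XSRF-TOKEN is a base64 blob of a few hundred characters;
# a serialized gadget chain is far larger. The cut-off is an assumption.
XSRF_MAX_LEN = 1024
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def _route(rec: Dict) -> str:
    """Request path without the query string."""
    return rec["path"].split("?", 1)[0]


def is_env_disclosure(rec: Dict) -> bool:
    """GET /.env answered 200 with a body carrying all three markers.
    Requiring all three keeps SPA catch-all pages (200 + HTML) out."""
    if rec["method"] != "GET" or _route(rec) != "/.env" or rec["status"] != 200:
        return False
    body = rec.get("body", "")
    return all(marker in body for marker in ENV_MARKERS)


def extract_app_key(body: str) -> Optional[str]:
    """The APP_KEY=base64:(.*) pattern from the detection notes."""
    match = APP_KEY_RE.search(body)
    return match.group(1) if match else None


def sets_laravel_cookie(rec: Dict) -> bool:
    """Fingerprint: the response set XSRF-TOKEN or laravel_session."""
    cookies = rec.get("resp_headers", {}).get("Set-Cookie", [])
    return any(c.split("=", 1)[0] in LARAVEL_COOKIES for c in cookies)


def is_suspicious_xsrf(rec: Dict) -> bool:
    """POST /index.php with an oversized or non-base64 X-XSRF-TOKEN header."""
    if rec["method"] != "POST" or _route(rec) != "/index.php":
        return False
    token = rec.get("req_headers", {}).get("X-XSRF-TOKEN")
    if token is None:
        return False
    return len(token) > XSRF_MAX_LEN or not BASE64_RE.match(token)


def correlate(records: List[Dict], window: int = 3600) -> List[Dict]:
    """One alert per .env disclosure and per suspicious XSRF POST; a POST from
    a source that obtained .env within `window` seconds is escalated."""
    alerts: List[Dict] = []
    fingerprinted = set()
    last_leak: Dict[str, int] = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        src = rec["src_ip"]
        if sets_laravel_cookie(rec):
            fingerprinted.add(src)
        if is_env_disclosure(rec):
            last_leak[src] = rec["ts"]
            alerts.append({
                "rule": "laravel_env_disclosure",
                "src_ip": src, "ts": rec["ts"],
                "app_key": extract_app_key(rec.get("body", "")),
                "target_fingerprinted": src in fingerprinted,
            })
        elif is_suspicious_xsrf(rec):
            chained = src in last_leak and 0 <= rec["ts"] - last_leak[src] <= window
            alerts.append({
                "rule": "laravel_xsrf_rce_attempt" + ("_chained" if chained else ""),
                "src_ip": src, "ts": rec["ts"],
                "token_len": len(rec["req_headers"]["X-XSRF-TOKEN"]),
            })
    return alerts


DUMMY_KEY = "ZHVtbXlrZXlkdW1teWtleWR1bW15a2V5ZHVtbXlrZXk="   # constructed, not a real key
ENV_BODY = (
    "APP_NAME=Laravel\nAPP_ENV=production\n"
    f"APP_KEY=base64:{DUMMY_KEY}\nAPP_DEBUG=false\n"
    "DB_PASSWORD=changeme\n"
)

# Constructed records: one full attack chain, one 404 probe, one benign POST
# and one SPA that answers 200 with HTML for any path.
SAMPLE_RECORDS = [
    {"ts": 990, "src_ip": "203.0.113.5", "method": "GET", "path": "/", "status": 200,
     "resp_headers": {"Set-Cookie": ["laravel_session=abc; path=/; httponly"]}},
    {"ts": 1000, "src_ip": "203.0.113.5", "method": "GET", "path": "/.env", "status": 200,
     "resp_headers": {"Content-Type": "application/octet-stream"}, "body": ENV_BODY},
    {"ts": 1200, "src_ip": "203.0.113.5", "method": "POST", "path": "/index.php", "status": 500,
     "req_headers": {"X-XSRF-TOKEN": "A" * 4000}},
    {"ts": 1300, "src_ip": "198.51.100.9", "method": "GET", "path": "/.env", "status": 404},
    {"ts": 1400, "src_ip": "198.51.100.9", "method": "POST", "path": "/index.php", "status": 200,
     "req_headers": {"X-XSRF-TOKEN": "A" * 240}},
    {"ts": 1500, "src_ip": "192.0.2.77", "method": "GET", "path": "/.env", "status": 200,
     "body": "<!doctype html><html><head><title>App</title></head></html>"},
]


def demo() -> List[Dict]:
    """Alerts produced for the constructed records."""
    return correlate(SAMPLE_RECORDS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The body-marker check is what separates a leak from a 200 catch-all; the Content-Type from the detection note is a useful secondary signal but is left out of the decision here because proxies and CDNs rewrite it. Because the .env convention is shared with other frameworks, the cookie fingerprint is carried on the alert rather than used as a gate, so a leak from a non-Laravel app still surfaces, just without the Laravel attribution.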
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
GHSA
GHSA-2v4r-7m2m-5chh: In Laravel framework through 5
ghsa_unreviewed · 2022-05-14 · CVE-2017-16894 [HIGH] · CWE-200
Description: same text as the NVD entry above.
VulnCheck
Laravel Laravel Framework Exposure of Sensitive Information to an Unauthorized Actor
vulncheck · 2017 · CVSS 7.5 · CVE-2017-16894 [HIGH]
Description: same text as the NVD entry above.
Affected: Laravel Laravel Framework
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.netscout.com/blog/asert/botnets-and
Debian
CVE-2017-16894: php-laravel-framework - In Laravel framework through 5.5.21, remote attackers can obtain sensitive infor...
vendor_debian · 2017 · CVSS 7.5 · CVE-2017-16894 [HIGH]
Description: same text as the NVD entry above.
Scope: local
Release status:
- bookworm: resolved
- bullseye: resolved
- forky: resolved
- sid: resolved
- trixie: resolved
No detection rules found.
Exploit-DB
PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)
exploitdb · 2019-07-16 · CVSS 8.1 · CVE-2018-15133 [HIGH]
Module metadata (excerpt, truncated at the source):

```ruby
      'Name' => 'PHP Laravel Framework token Unserialize Remote Command Execution',
      'Description' => %q{
        This module exploits a vulnerability in the PHP Laravel Framework for versions 5.5.40, 5.6.x <= 5.6.29.
        Remote Command Execution is possible via a correctly formatted HTTP X-XSRF-TOKEN header, due to an
        insecure unserialize call of the decrypt method in Illuminate/Encryption/Encrypter.php. Authentication
        is not required, however exploitation requires knowledge of the Laravel APP_KEY. Similar vulnerabilities
        appear to exist within Laravel cookie tokens based on the code fix. In some cases the APP_KEY is leaked
        which allows for discovery and exploitation.
      },
      'DisclosureDate' => '2018-08-07',
      'Author' =>
        [
          'Ståle Pettersen', # Discovery
          'aushack', # msf exploit + other leak
        ],
      'References' =>
        [
          ['CVE', '2018-15133'],
          ['CVE', '2017-16894'],
          ['URL', 'https://github.com/kozmic/laravel-poc-CVE-2018-15133'],
          ['URL', 'https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30'],
          ['URL', 'https://github.com/laravel/framework/pull/25121/commits/d84cf988ed5d4661a4bf1fdcb08f5073835083a0']
        ],
      'License' => MSF_LICENSE,
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'DefaultTarget' => 0,
      'Stance' => Msf::Exploit::Stance::Aggressive,
      'DefaultOptions' => { 'PAYLOAD' => 'cmd/u
```
Nuclei
Laravel <5.5.21 - Information Disclosure
nuclei · CVSS 7.5 · CVE-2017-16894 [HIGH]
Laravel through 5.5.21 is susceptible to information disclosure. An attacker can obtain sensitive information such as externally usable passwords via a direct request for the /.env URI. NOTE: CVE pertains only to the writeNewEnvironmentFileWith function in src/Illuminate/Foundation/Console/KeyGenerateCommand.php, which uses file_put_contents without restricting .env permissions. The .env filename is not used exclusively by Laravel.
Template (truncated at the source):

```yaml
id: CVE-2017-16894

info:
  name: Laravel <5.5.21 - Information Disclosure
  author: j4vaovo
  severity: high
  description: |
    Laravel through 5.5.21 is susceptible to information disclosure. An attacker can obtain sensitive information such as externally usable passwords via a direct request for the /.env URI. NOTE:
```
Metasploit
PHP Laravel Framework token Unserialize Remote Command Execution
metasploit
This module exploits a vulnerability in the PHP Laravel Framework for versions 5.5.40, 5.6.x <= 5.6.29. Remote Command Execution is possible via a correctly formatted HTTP X-XSRF-TOKEN header, due to an insecure unserialize call of the decrypt method in Illuminate/Encryption/Encrypter.php. Authentication is not required, however exploitation requires knowledge of the Laravel APP_KEY. Similar vulnerabilities appear to exist within Laravel cookie tokens based on the code fix. In some cases the APP_KEY is leaked which allows for discovery and exploitation.
References:
- http://packetstormsecurity.com/files/153641/PHP-Laravel-Framework-Token-Unserialize-Remote-Command-Execution.html
- http://whiteboyz.xyz/laravel-env-file-vuln.html
- https://twitter.com/finnwea/status/967709791442341888