Insertion of Sensitive Information Into Debugging Code in microweber/microweber

Valid

Reported on

Feb 20th 2022


Description

Laravel debug mode exposes sensitive data, eg: internal source codes, stack traces, sql queries, databases names, tables names, user's cookies, email, phone number, username, laravel version, php version, etc

Proof of Concept

  1. Login into http://demo.microweber.org
  2. Navigate to this endpoint(including single quote at the end): http://demo.microweber.org/demo/admin/category/create'
  3. you will see all the exposed information.

Impact

Server running in debug mode, exposing sensitive information about server and user.

We are processing your report and will contact the microweber team within 24 hours. 3 months ago
We have contacted a member of the microweber team and are waiting to hear back 3 months ago
Bozhidar Slaveykov validated this vulnerability 3 months ago
Damanpreet has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bozhidar Slaveykov confirmed that a fix has been merged on b12e1a 3 months ago
Bozhidar Slaveykov has been awarded the fix bounty
to join this conversation