Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Fri 18 Oct 2019, 07:20
All times are UTC - 4
 Forum index » Off-Topic Area » Security
PHP sites still expose sensitive details via debug mode
Post new topic   Reply to topic View previous topic :: View next topic
Page 1 of 1 [2 Posts]  
Author Message
Official Dog Handler

Joined: 04 May 2005
Posts: 13344
Location: Arizona USA

PostPosted: Mon 15 Oct 2018, 12:58    Post subject:  PHP sites still expose sensitive details via debug mode  

After two decades of PHP, sites still expose sensitive details via debug mode

In 2018, some developers fail to deactivate debug mode for their web apps, leading to potentially catastrophic scenarios.

By Catalin Cimpanu for Zero Day | October 4, 2018

The PHP programming language was first released in 1995, but 23 years later hundreds if not thousands of website developers are still failing to understand the basic concept that debugging and error reporting messages may contain information that can lead to a hack and should never be left activated on a live website.

This is still a problem, even today, in 2018, according to Bob Diachenko, Director of Cyber Risk Research at cyber-security firm Hacken.

Diachenko has recently carried out an internet-wide search looking for websites coded in Laravel, a PHP framework for building web apps, that were exposing their debug mode.

"I have [...] come up with a stunning list of 566 IPs," said Diachenko in research published today.

The information contained in Laravel's debug mode can range, depending on what framework features the website or web app has used, from basic hints about an error's location in the source code to cases where the debug message blurts out highly sensitive database and API credentials.

"This information might help an attacker gain more information and potentially to focus on the development of further attacks to the target system," Diachenko said.

The most dangerous cases were, obviously, websites that printed database and API credentials in cleartext via Laravel's debug mode messages.

"For the last two weeks, I have responsibly notified 22 companies which credentials were exposed in such manner," Diachenko said.

The one incident that stood out above all others in Diachenko's recent study was the case of PrestoDaycare, a Swedish company that develops a web-based childcare platform.

The company's web service lets teachers, pre-school staff, managers, and parents, manage, participate, and keep an eye on pre-school activities via a web-based dashboard. But last month, Diachenko found it leaking a trove of sensitive details via its Laravel debug mode that was still active.

The site leaked everything and anything a hacker would need to access its servers and download sensitive data about child care facilities, kids, and their parents.

It took Diachenko a few days to get in contact with the company, but with the help of local Swedish security researchers and the Swedish Computer Emergency Research Team (CERT), PrestoDaycare was notified, and the company deactivated the debug mode on its website.

ZDNet sent the company a series of questions earlier this week, asking for how long was debug mode left enabled, what data was stored on the servers' whose credentials were leaked, and if the company looked at access logs to see if unauthorized persons had used the exposed credentials.

While PrestoDaycare didn't respond to our request for comment, they did tell Diachenko last week that "as a GDPR-compliant organization, [they] notified the incident as per the directive."

The company also denied that they've left the debug mode enabled intentionally, blaming it on a bug.

Diachenko says that of the 22 companies he notified, five have yet to respond to his emails, and are still exposing sensitive data via debug messages.

It should go without saying by this point that debug modes, regardless of being Apache, PHP, Java, JavaScript, or other technology, should not be left enabled on live/production systems.
Back to top
View user's profile Send private message 

Joined: 23 Nov 2006
Posts: 11271

PostPosted: Tue 16 Oct 2018, 13:08    Post subject:  

Well seems more evidence that a large bunch of web developers are not worth the sizeable incomes that they command.

Even simple stuff like non hidden email addresses which basically make easy pickings for spammers are still so commonplace.

Back to top
View user's profile Send private message 
Display posts from previous:   Sort by:   
Page 1 of 1 [2 Posts]  
Post new topic   Reply to topic View previous topic :: View next topic
 Forum index » Off-Topic Area » Security
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum

Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.0315s ][ Queries: 12 (0.0029s) ][ GZIP on ]