skip to main content

Don't Expose The Stacktrace Please!

published icon  |  category icon programming

The other day, we were looking for nearby flea markets to attend—it’s starting to become flea market season, rejoice! I remembered an ad when biking around our neighborhood but couldn’t remember the exact location (or the location of the ad itself). The internet to the rescue. Search engines suggest barely working websites without HTTPS that list markets from 2019—next to the obligatory Facebook group, which is a sure way to exclude people without Facebook accounts from attending your thing. I really hate that trend.

One of those sites exploded. BOOM. It spat out… an exception?! I’m always intrigued when encountering errors on the web besides the dry “404” messages, so I took a better look.

Call to undefined method Illuminate\Support\Facades\Request::session()

Okay.

At app/Http/Controllers/HomeController.php:159:

// ... more PHP code
$suggestions = DB::select("SELECT events.id, categories.nl_category, eventname, DATE_FORMAT(dates.startDate,'%d/%m') AS startDateEU, city,provinces.province, ABS( LEFT(zip,4) - $eventZipClean) AS closest
                        FROM events
                        JOIN addresses on events.id = addresses.event_id
                        JOIN dates on dates.event_id = events.id
                        JOIN details on details.event_id = events.id
                        JOIN provinces on addresses.province = provinces.id
                        JOIN categories on categories.id = details.category
                        WHERE dates.startDate >= curdate() and dates.startDate <= ( curdate() + INTERVAL 1 MONTH) and events.approved = 1 and events.id != $event->eventId
                        ORDER BY closest
                        LIMIT 4");

if(Carbon::createFromFormat('d/m/Y', ...
$req->session()->flash(...

Wait, what? After the initial shock, I saw that I was even presented with TODO comments in the PHP code a few lines below the query. The zip code system apparently still has to be implemented.

A tab “Context” revealed Laravel version 8.28.1 and PHP version 8.0.19. There’s even a “Debug” tab that neatly summarizes all sql queries together with the connection name and how long it took to execute them. There’s even a “Share” button. A share button! Perhaps they should also add the whole slew of social media icons to share it to.

This stacktrace is so wrong on so many levels. Why am I, as a visitor of your site, when something goes wrong, presented with technical data—that completely exposes the way your backend works, your database is built, and your code is structured? As a side note, dear developer, did you know that stuffing queries in the controller isn’t the way we do things in 2022? That TODO item was just too hilarious.

A stacktrace is not a vulnerability in itself. But as you can see here, it clearly leaks a lot of information—internal information that can be easily abused by an attacker. Exposed queries are an open invitation to try out a few SQL injections, and even tough the $eventZipClean variable is called “clean”, it could very well not be.

When it comes to security issues, PHP has the reputation of being as holey as a Swiss cheese wheel. You can clearly see why. This isn’t entirely PHP’s fault though, and neither Laravel’s: according to the Laravel 8.x docs, it has an APP_DEBUG environment variable that should always be set to false in production—emphasis is added in the docs. Clearly, the developers didn’t read this. The fact that PHP is an interpreted scripting language that was heavily used in the nineties to hack together a few silly things for your website doesn’t exactly help, and I’m using the verb “hacking” in a negative context here.

Please, please be careful with debug configuration and information in a production environment. If you still want that info, log it somewhere else, present the user with a unique ID and ask them to contact support, gracefully degrade, show a generic message, redirect, whatever, but don’t expose the stacktrace. Please.

tags icon php stacktrace

Luckily, that’s what happens when you set APP_DEBUG to false. And it’s really easy to set the log level (debug, notice, error, etc.), too. (Clear your config cache afterward!) Also, the developers here mixed up \Illuminate\Support\Facades\Request...

 | by 

I'm Wouter Groeneveld, a Brain Baker, and I love the smell of freshly baked thoughts (and bread) in the morning. I sometimes convince others to bake their brain (and bread) too.

If you found this article amusing and/or helpful, you can support me via PayPal or Ko-Fi. I also like to hear your feedback via Mastodon or e-mail. Thanks!