After two decades of PHP, sites still expose sensitive details via debug mode

In 2018, some developers fail to deactivate debug mode for their web apps, leading to potentially catastrophic scenarios.

The PHP programming language was first released in 1995, but 23 years later hundreds if not thousands of website developers are still failing to understand the basic concept that debugging and error reporting messages may contain information that can lead to a hack and should never be left activated on a live website.

This is still a problem, even today, in 2018, according to Bob Diachenko, Director of Cyber Risk Research at cyber-security firm Hacken.

Diachenko has recently carried out an internet-wide search looking for websites coded in Laravel, a PHP framework for building web apps, that were exposing their debug mode.

"I have [...] come up with a stunning list of 566 IPs," said Diachenko in research published today.

The information contained in Laravel's debug mode can range, depending on what framework features the website or web app has used, from basic hints about an error's location in the source code to cases where the debug message blurts out highly sensitive database and API credentials.

"This information might help an attacker gain more information and potentially to focus on the development of further attacks to the target system," Diachenko said.

The most dangerous cases were, obviously, websites that printed database and API credentials in cleartext via Laravel's debug mode messages.

"For the last two weeks, I have responsibly notified 22 companies which credentials were exposed in such manner," Diachenko said.

The one incident that stood out above all others in Diachenko's recent study was the case of PrestoDaycare, a Swedish company that develops a web-based childcare platform.

The company's web service lets teachers, pre-school staff, managers, and parents, manage, participate, and keep an eye on pre-school activities via a web-based dashboard. But last month, Diachenko found it leaking a trove of sensitive details via its Laravel debug mode that was still active.

The site leaked everything and anything a hacker would need to access its servers and download sensitive data about child care facilities, kids, and their parents.

prestoadmin.png

PrestoDaycare portal leaking DB and API credentials

Image: ZDNet

It took Diachenko a few days to get in contact with the company, but with the help of local Swedish security researchers and the Swedish Computer Emergency Research Team (CERT), PrestoDaycare was notified, and the company deactivated the debug mode on its website.

ZDNet sent the company a series of questions earlier this week, asking for how long was debug mode left enabled, what data was stored on the servers' whose credentials were leaked, and if the company looked at access logs to see if unauthorized persons had used the exposed credentials.

While PrestoDaycare didn't respond to our request for comment, they did tell Diachenko last week that "as a GDPR-compliant organization, [they] notified the incident as per the directive."

The company also denied that they've left the debug mode enabled intentionally, blaming it on a bug.

Diachenko says that of the 22 companies he notified, five has yet to respond to his emails, and are still exposing sensitive data via debug messages.

It should go without saying by this point that debug modes, regardless of being Apache, PHP, Java, JavaScript, or other technology, should not be left enabled on live/production systems.

Previous and related coverage