Version Disclosure (Tracy Debugging Tool)
Invicti identified a version disclosure (Tracy Debugging Tool) in the target web server's HTTP response.
Tracy is used for error logging and debugging in web applications. This vulnerability can leak highly sensitive data about current sessions.
Tracy is a powerful tool that helps developers debug and resolve problems in their applications. However, it is configured improperly on the target website, and that allows attackers to gain information about requests and responses to the application. An attacker can obtain information such as:
- Session cookies
- Session state
- Query string and post variables
- Physical path of the requested file
- SQL queries
- PHP notifications
- Connection string to a database (including password and hostname)
This means that the attacker can hijack any active user’s session by using their session details, reveal how your website is made and invite a server attack, or access a database if credentials are present.
You need to specify the constant Debugger::PRODUCTION to run Tracy in production mode, like:
    Debugger::enable(Debugger::PRODUCTION);
Example code:
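    // Class method; the file needs `use Tracy\Debugger;` at the top.
    public function onAfterDebug(Container $c)
    {
        $p = $c->parameters;
        // Only touch Tracy when the forceDebug parameter is configured.
        if (isset($p['forceDebug'])) {
            // forceDebug === false selects production mode; any other value selects development mode.
            $mode = $p['forceDebug'] === false ? Debugger::PRODUCTION : Debugger::DEVELOPMENT;
            // Errors are written to LOG_DIR and reported to the given e-mail address.
            Debugger::enable($mode, LOG_DIR, 'bugs+ns@invicti.com');
        }
    }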
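A fail-closed way to choose the mode, as an added example (not code from Invicti or the Tracy project): development mode is selected only on an explicit opt-in from an allowlisted direct client, and every other case gets Debugger::PRODUCTION. The APP_DEBUG variable, the allowlist, the resolveTracyMode() helper, the autoloader path and the log directory are assumptions of this example.

```php
<?php
declare(strict_types=1);

use Tracy\Debugger;

// Assumption: Composer autoloader next to this bootstrap file.
require __DIR__ . '/vendor/autoload.php';

/**
 * Hypothetical helper: returns the Tracy mode, defaulting to production.
 *
 * @param array $env        environment variables (APP_DEBUG is an assumed name)
 * @param array $server     request data, normally $_SERVER
 * @param array $allowedIps addresses that may see the debug bar
 */
function resolveTracyMode(array $env, array $server, array $allowedIps): bool
{
    // Anything other than an explicit opt-in means production.
    if (($env['APP_DEBUG'] ?? '') !== '1') {
        return Debugger::PRODUCTION;
    }

    // A forwarding header means REMOTE_ADDR is a proxy, not the client,
    // so the address check below cannot be trusted.
    if (isset($server['HTTP_X_FORWARDED_FOR']) || isset($server['HTTP_FORWARDED'])) {
        return Debugger::PRODUCTION;
    }

    // Strict comparison against the allowlist; a missing address never matches.
    $remote = $server['REMOTE_ADDR'] ?? '';
    return in_array($remote, $allowedIps, true)
        ? Debugger::DEVELOPMENT
        : Debugger::PRODUCTION;
}

$mode = resolveTracyMode(getenv(), $_SERVER, ['127.0.0.1', '::1']);

// In production mode Tracy logs errors to the directory instead of rendering
// the debug bar and exception pages. The directory is an assumption and must
// exist, be writable, and sit outside the web root.
Debugger::enable($mode, __DIR__ . '/log');
```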