Runnable Solutions seem to allow Remote Code Execution by Default

[amenk]

Follow up for: https://github.com/facade/ignition/issues/350

Would it be a valid solution to set enable_runnable_solutions to false as default in the future? Additionally a notice could be added with a warning, how to enable this handy feature.

As this seems to be true, and also in new laravel projects, APP_DEBUG is true, this might cause issues for lots of new users.

We should configure secure by default. Otherwise this might shed a bad light one the package and laravel if lots of installations can be easily exploited.

[freekmurze]

Last week, we've added a warning when you're using debug mode on non-local environments. We think this warning can already help avoid some problems around this.

We'll consider enable_runnable_solutions to false in the future. Thanks for you suggestion.

[kw-pr]

Agree with @amenk and I am deeply shocked about this.
Allowing code injections should not be possible.
Especially not in a default Laravel package.
Even more not by default config.

This is security issue is already used in the wild.
Your reaction should be to fix this ASAP.
And inform Taylor so he can publish the security issue.

[freekmurze]

Don't ever set APP_DEBUG to true in a production environment.

Please read our blogpost mentioned in my comment above for more details.

[AlexVanderbist]

I want to quickly add that we've also added a check that will only allow running solutions from localhost. So even if you'd accidentally deploy with APP_DEBUG=true, rce shouldn't be possible.

[amenk]

thanks

[amenk]

I found https://nvd.nist.gov/vuln/detail/CVE-2021-3129 and this might actually be fixed already since a while... sorry for the noise, if it's already fixed

[amenk]

https://github.com/facade/ignition/blob/cb7f790e6306caeb4a9ffe21e59942b7128cc630/CHANGELOG.md#270---2021-03-30