Technical information leak - IPs
Need
Protection of internal IP addresses from being exposed
Context
- Usage of PHP 7.0 for server-side scripting and web development
- Usage of Illuminate\Http\Request for handling HTTP requests in Laravel
- Usage of Illuminate\Support\Facades\View for rendering views in Laravel
- Usage of App\Http\Controllers\Controller for defining controller classes in an application
Description
Non compliant code
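<?php
namespace App\Http\Controllers;

use Illuminate\Http\Request;

class HomeController extends Controller
{
    public function index()
    {
        // Non compliant: reads the server's own IP address...
        $serverIP = $_SERVER['SERVER_ADDR'];

        // ...and hands it to the view, which renders it to every visitor.
        return view('home', compact('serverIP'));
    }
}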
In the above code, the HomeController is exposing the server's internal IP address to the client-side via the home.blade.php view file.
The index() method of the HomeController is getting the server's IP address using the $_SERVER['SERVER_ADDR'] global variable. This IP address is then passed to the view using the compact function.
In the home.blade.php view file, the server's IP address is being displayed in a paragraph tag. This means that anyone who visits this web page can see the server's IP address. This is a technical information leak as it exposes sensitive information that could potentially be used by an attacker to exploit the server.
Steps
- Remove the line of code that retrieves the server IP address from the global $_SERVER array.
- Do not pass the server IP to the view. This information should not be exposed to the user.
- If you need to track the server IP for some reason, consider logging it server-side instead of sending it to the client.
- Always remember to sanitize and validate any data that is sent from the server to the client to prevent information leakage.
Compliant code
<?php
namespace App\Http\Controllers;

use Illuminate\Http\Request;

class HomeController extends Controller
{
    public function index()
    {
        // Compliant: the server IP is neither read nor passed to the view.
        return view('home');
    }
}
The original code was vulnerable because it was exposing the server's internal IP address to the client through the web page response. This is a type of technical information leak that can be exploited by attackers to gain more information about the server's internal structure.
The fixed code removes the line that retrieves the server IP address from the global $_SERVER array and no longer passes the server IP to the view. This prevents the server's internal IP address from being exposed to the client.
If there is a need to track the server IP for some reason, it is recommended to log it server-side instead of sending it to the client. This way, the information is kept internal and not exposed to potential attackers.
It's also important to always sanitize and validate any data that is sent from the server to the client. This can help prevent information leakage and other types of vulnerabilities. In this case, since the controller no longer passes any server data to the view, there is no need for sanitization or validation.
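A check for regressions of this leak, as an added example that is not part of the original page: a hypothetical Laravel middleware (the names DetectInternalIpLeak and findInternalIps are assumptions) that scans each response body for private or reserved IPv4 addresses, or the server's own address, and records any hit in the server-side log, which is where the steps above say the address belongs.

```php
<?php
// Added example: names below are hypothetical, not from the original page.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Log;

class DetectInternalIpLeak
{
    // Return every private or reserved IPv4 address found in $text.
    public static function findInternalIps(string $text): array
    {
        preg_match_all('/\b(?:\d{1,3}\.){3}\d{1,3}\b/', $text, $matches);
        $internal = [];
        foreach (array_unique($matches[0]) as $candidate) {
            // Ignore dotted quads that are not valid IPv4 (e.g. 999.1.1.1).
            if (filter_var($candidate, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
                continue;
            }
            // A valid address rejected by these flags is private or reserved.
            $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
            if (filter_var($candidate, FILTER_VALIDATE_IP, $flags) === false) {
                $internal[] = $candidate;
            }
        }
        return $internal;
    }

    public function handle($request, Closure $next)
    {
        $response = $next($request);
        // Streamed and file responses return false here; the cast gives ''.
        $body = (string) $response->getContent();
        $leaked = self::findInternalIps($body);
        // Also catch the server's own address when it is publicly routable.
        $serverIp = $request->server('SERVER_ADDR');
        if ($serverIp && strpos($body, $serverIp) !== false) {
            $leaked[] = $serverIp;
        }
        if ($leaked) {
            // Recorded server-side only; nothing is added to the response.
            Log::warning('Server or internal IP address in response body', [
                'path' => $request->path(),
                'addresses' => array_values(array_unique($leaked)),
            ]);
        }
        return $response;
    }
}
```

Dotted version strings such as 10.0.0.1 also match the pattern, so treat a log entry as a prompt to review the view that produced the response rather than as proof of a leak.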