
Enabled default configuration

Need

Disable default configurations to prevent unauthorized access and information leakage.

Context

  • Usage of PHP for server-side scripting and web development
  • Usage of Laravel for PHP web application development

Description

Non compliant code

// This is the default Laravel welcome page route
Route::get('/', function () {
    return view('welcome');
});

The snippet above is the route a freshly generated Laravel application ships with: a request to the base URL ("/") is handled by a closure that returns the "welcome" view.

That view is part of the framework skeleton. It is branded as Laravel and, in current releases, its footer prints the exact Laravel and PHP versions of the installation.

Serving it in production is an information leak rather than a directly exploitable flaw: anyone who requests "/" learns which framework the site runs and which versions of Laravel and PHP are installed, so an attacker can pick exploits for known vulnerabilities in those exact versions instead of guessing. It also signals that the deployment was left at framework defaults.

Before deploying to production, replace this default: serve a purpose-built landing page or redirect the base URL to an existing route, and remove the stock welcome view so it cannot be rendered by any other route. Neither the server details nor the framework version should then be visible to a visitor.

Steps

  • Disable the default welcome page route in the Laravel application.
  • Create a custom landing page or redirect to a specific page instead of the default welcome page.
  • Ensure that the new page does not expose any sensitive server information (framework name, Laravel or PHP version, server headers).
  • Regularly update and patch the server to prevent any potential security vulnerabilities.

Compliant code

// This is the default Laravel welcome page route
// Route::get('/', function () {
//     return view('welcome');
// });

// Redirect to a specific page
Route::get('/', function () {
    return redirect('/home');
});

The original code was vulnerable because it exposed the default Laravel welcome page, which discloses the framework and, with it, version information an attacker can use to target known vulnerabilities.

The updated code comments out the route that rendered the default view and instead redirects "/" to a '/home' route. That route must be defined and must return a custom landing page that exposes no server or framework details; if it is missing, every visit to the base URL ends in a 404 instead of the intended page.

Remember to create this '/home' route and corresponding view if it does not already exist, and delete the unused resources/views/welcome.blade.php so the stock view cannot be rendered from elsewhere.

With the default view gone, the base URL no longer reveals the framework or its version. This does not replace patching: keep Laravel, PHP and the server updated so that any version information that does leak is not paired with a known exploitable flaw.
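To confirm the fix on a deployed instance, the following check (an added example, not part of the original page or of Laravel itself) fetches the base URL and looks for the fingerprints of the stock welcome view. The fingerprints are assumptions drawn from the default welcome.blade.php shipped with Laravel 8 through 11: a <title>Laravel</title> element and a footer of the form "Laravel v10.3.1 (PHP v8.2.4)". The X-Powered-By check covers PHP's expose_php setting, which the route change does not touch. The function names (inspect_root, fetch_root) are the example's own, and the sample HTML bodies are constructed inline so the classifier runs offline.

```python
import re
import sys
import urllib.request

# Fingerprints of the stock welcome.blade.php (assumed; drawn from the
# Laravel 8-11 templates, other versions or custom themes may differ).
_TITLE_RE = re.compile(r"<title>\s*Laravel\s*</title>", re.IGNORECASE)
_FOOTER_RE = re.compile(r"Laravel\s+v(\d+(?:\.\d+)*)\s*\(PHP\s+v(\d+(?:\.\d+)*)\)")


def inspect_root(body, headers=None):
    """Classify the response served at '/'.

    body    -- response body as text
    headers -- response headers as a dict (optional)
    Returns a dict; 'findings' lists every disclosure seen.
    """
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    report = {
        "default_welcome": False,
        "laravel_version": None,
        "php_version": None,
        "findings": [],
    }
    if _TITLE_RE.search(body):
        report["default_welcome"] = True
        report["findings"].append("default Laravel welcome view served at /")
    m = _FOOTER_RE.search(body)
    if m:
        report["default_welcome"] = True
        report["laravel_version"], report["php_version"] = m.group(1), m.group(2)
        report["findings"].append(
            f"framework versions disclosed: Laravel {m.group(1)}, PHP {m.group(2)}")
    # Not emitted by the view: PHP adds this header when expose_php=On,
    # so changing the route alone does not remove it.
    powered = headers.get("x-powered-by")
    if powered:
        report["findings"].append(f"X-Powered-By header discloses {powered}")
    return report


def fetch_root(base_url, timeout=10):
    """Fetch base_url (redirects are followed) and return (body, headers)."""
    with urllib.request.urlopen(base_url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
        return body, dict(resp.headers.items())


# Constructed sample: trimmed copy of what the stock welcome view renders.
SAMPLE_DEFAULT = """<!DOCTYPE html><html><head><title>Laravel</title></head>
<body><div class="text-center text-sm text-gray-500">
Laravel v10.3.1 (PHP v8.2.4)</div></body></html>"""

# Constructed sample: a custom landing page with no framework fingerprints.
SAMPLE_CUSTOM = """<!DOCTYPE html><html><head><title>Acme Portal</title></head>
<body><h1>Welcome to Acme</h1></body></html>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:          # python check_root.py https://app.example
        body, headers = fetch_root(sys.argv[1])
    else:                          # offline demo on the constructed sample
        body, headers = SAMPLE_DEFAULT, {"X-Powered-By": "PHP/8.2.4"}
    for line in inspect_root(body, headers)["findings"] or ["no leaks detected"]:
        print(line)
```

The title check on its own can false-positive on a custom page that happens to be titled "Laravel"; the version footer is the decisive fingerprint, and the extracted versions are what an attacker would feed into a CVE search.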
