In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.
jrobles-r7 at July 12, 2019 5:33pm UTC reported:
The exploit depends on having a valid APP_KEY for the application. If the target Laravel Framework is vulnerable to CVE-2017-16894, then it would be possible to obtain the APP_KEY as an unauthenticated user. Also, if the environment has APP_DEBUG enabled, then it may be possible to retrieve the APP_KEY from error messages generated by Laravel Framework.
From Google searches, there appear to be several hosts that leak their APP_KEY.
Assessed Attacker Value: 4
Assessed Attacker Value: 5