Laravel log file publicly accessible - Vulnerability Database

Laravel log file publicly accessible

Description

Laravel is a widely-used PHP web application framework that generates detailed log files for debugging and monitoring purposes. A Laravel log file (/storage/logs/laravel.log) has been found publicly accessible on this web server. These log files typically contain application errors, stack traces, database queries, user input data, and system configuration details that should never be exposed to unauthorized users. Public access to this file represents a significant information disclosure vulnerability that can aid attackers in reconnaissance and exploitation activities.

Remediation

Immediately restrict public access to the Laravel log file and all files within the /storage/ directory. Implement the following remediation steps:

1. Configure web server access controls: Add deny rules to prevent direct access to the storage directory. For Apache, add the following to the server or virtual host configuration (httpd.conf or the vhost file), since a <Directory> block is not permitted inside an .htaccess file; the Require syntax below is for Apache 2.4:

<Directory /path/to/laravel/storage>
    Require all denied
</Directory>

If you can only edit .htaccess files, place a file containing the single line "Require all denied" inside the storage directory itself.

For Nginx, add to your server configuration:

location ~* ^/storage/ {
    deny all;
    return 404;
}

2. Verify directory structure: Ensure your Laravel application is properly configured with the document root pointing to the /public directory only, not the application root. The storage directory should never be within the web-accessible path.

3. Review logging practices: Configure Laravel to avoid logging sensitive data by customizing log channels in config/logging.php and sanitizing sensitive information before logging.

4. Implement log rotation: Configure automatic log rotation and retention policies to minimize the window of exposure for any logged sensitive data.

5. Audit existing logs: Review current log files for any exposed credentials or sensitive data and rotate/delete them if necessary.
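For step 3, the following is an added example (not Invicti's or Laravel's own code) of a Laravel log "tap" class that pushes a Monolog processor which redacts secret-looking context keys and scrubs tokens and DSN passwords out of messages before any record reaches laravel.log. It assumes Laravel 10 or later with Monolog 3 (LogRecord objects); the class name App\Logging\RedactSensitiveContext and the key list are the example's own choices.

```php
<?php
// Added example, not part of the Laravel framework. Register it on a channel in
// config/logging.php, e.g.
//   'single' => ['driver' => 'single', 'path' => storage_path('logs/laravel.log'),
//                'tap' => [App\Logging\RedactSensitiveContext::class]],

namespace App\Logging;

use Illuminate\Log\Logger;
use Monolog\LogRecord;

class RedactSensitiveContext
{
    /** Context keys whose values must never be written (case-insensitive substring match). */
    private const SENSITIVE_KEYS = [
        'password', 'passwd', 'secret', 'token', 'authorization',
        'api_key', 'apikey', 'cookie', 'credit_card', 'cvv',
    ];

    /** Patterns that catch secrets embedded in free-text messages. */
    private const SENSITIVE_PATTERNS = [
        // "Authorization: Bearer <token>" copied into a message
        '/(Bearer\s+)[A-Za-z0-9\-._~+\/]+=*/i' => '${1}[REDACTED]',
        // user:password@host inside a DSN or URL
        '/([a-z][a-z0-9+.-]*:\/\/[^:\/\s]+:)[^@\s]+@/i' => '${1}[REDACTED]@',
    ];

    /** Laravel calls this with the channel's logger when the channel is resolved. */
    public function __invoke(Logger $logger): void
    {
        // pushProcessor is proxied to the underlying Monolog logger
        $logger->pushProcessor(function (LogRecord $record): LogRecord {
            return $record->with(
                message: $this->scrubString($record->message),
                context: $this->scrubArray($record->context),
                extra: $this->scrubArray($record->extra),
            );
        });
    }

    /** Walk nested arrays; replace sensitive keys, scrub strings, leave objects untouched. */
    private function scrubArray(array $data): array
    {
        foreach ($data as $key => $value) {
            if (is_string($key) && $this->isSensitiveKey($key)) {
                $data[$key] = '[REDACTED]';
            } elseif (is_array($value)) {
                $data[$key] = $this->scrubArray($value);
            } elseif (is_string($value)) {
                $data[$key] = $this->scrubString($value);
            }
        }
        return $data;
    }

    private function isSensitiveKey(string $key): bool
    {
        $key = strtolower($key);
        foreach (self::SENSITIVE_KEYS as $needle) {
            if (str_contains($key, $needle)) {
                return true;
            }
        }
        return false;
    }

    private function scrubString(string $text): string
    {
        foreach (self::SENSITIVE_PATTERNS as $pattern => $replacement) {
            $text = preg_replace($pattern, $replacement, $text);
        }
        return $text;
    }
}
```

Because the processor runs on every channel that lists it under 'tap', a call such as Log::info('Login attempt', ['email' => $email, 'password' => $password]) is written with the password replaced by [REDACTED], and an exception message containing mysql://app:secret@db.internal is written as mysql://app:[REDACTED]@db.internal. Exception objects placed in the context are passed through unchanged, so their stack traces are still available for debugging.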
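For step 5, the following is an added example (again not Invicti's or Laravel's own code) of a command-line audit script that parses laravel.log entries and reports lines containing credential-like material, so that the affected secrets can be rotated before the file is purged. The sample log content, the regex list and the output format are the example's own; every credential in the sample is fabricated.

```php
<?php
// Added example, not part of Laravel. Usage:
//   php audit-laravel-log.php storage/logs/laravel.log
// With no argument it scans the constructed SAMPLE_LOG below.

declare(strict_types=1);

/** Constructed sample of laravel.log content in the default "single"/"daily" channel format. */
const SAMPLE_LOG = <<<'LOG'
[2024-05-01 10:15:02] production.ERROR: SQLSTATE[HY000] [1045] Access denied for user 'app'@'10.0.0.5' (using password: YES) {"dsn":"mysql://app:Sup3rS3cret@db.internal:3306/shop"} []
[2024-05-01 10:15:03] production.INFO: Login attempt {"email":"alice@example.com","password":"hunter2"} []
[2024-05-01 10:16:11] production.DEBUG: Outbound request {"headers":{"Authorization":"Bearer eyJhbGciOiJIUzI1NiJ9.ZmFrZQ.c2ln"}} []
[2024-05-01 10:17:40] production.WARNING: Cache miss for key products:list {} []
LOG;

/** Regexes for the kinds of secrets that commonly end up in application logs. */
const SECRET_PATTERNS = [
    'credentials in DSN/URL' => '/[a-z][a-z0-9+.-]*:\/\/[^:\/\s"]+:[^@\s"]+@/i',
    'bearer token'           => '/Bearer\s+[A-Za-z0-9\-._~+\/]+=*/i',
    'password/secret field'  => '/"(?:password|passwd|secret|api_key|apikey|token)"\s*:\s*"[^"]+"/i',
    'AWS access key id'      => '/\bAKIA[0-9A-Z]{16}\b/',
    'private key block'      => '/-----BEGIN [A-Z ]*PRIVATE KEY-----/',
];

/**
 * Parse one laravel.log entry line into timestamp, environment, level and message.
 * Returns null for continuation lines (stack-trace frames, multi-line dumps).
 */
function parseLogLine(string $line): ?array
{
    if (preg_match('/^\[([^\]]+)\] (\w+)\.(\w+): (.*)$/', $line, $m) !== 1) {
        return null;
    }
    return ['timestamp' => $m[1], 'env' => $m[2], 'level' => $m[3], 'message' => $m[4]];
}

/** One finding per (line, pattern) pair. The matched value is truncated so the report itself leaks nothing. */
function auditLog(string $contents): array
{
    $findings = [];
    foreach (explode("\n", $contents) as $index => $line) {
        foreach (SECRET_PATTERNS as $label => $pattern) {
            if (preg_match($pattern, $line, $m) === 1) {
                $entry = parseLogLine($line);
                $findings[] = [
                    'line'      => $index + 1,
                    'timestamp' => $entry['timestamp'] ?? '(continuation)',
                    'level'     => $entry['level'] ?? '',
                    'type'      => $label,
                    'sample'    => substr($m[0], 0, 12) . '...',
                ];
            }
        }
    }
    return $findings;
}

$path = $argv[1] ?? null;
$contents = $path !== null ? (file_get_contents($path) ?: '') : SAMPLE_LOG;

foreach (auditLog($contents) as $f) {
    printf("line %d [%s %s] %s: %s\n", $f['line'], $f['timestamp'], $f['level'], $f['type'], $f['sample']);
}
```

Run against the built-in sample, the script reports three findings (the DSN password on line 1, the password field on line 2 and the bearer token on line 3) and nothing for the harmless cache-miss entry. Each finding is a credential that must be treated as compromised if the log was ever reachable from the web, independent of whether the file is deleted afterwards.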
