Laravel log viewer local file download (LFD)
Description
Laravel Log Viewer is a popular logging interface for Laravel 5.x, 4.2, and Lumen applications. Versions prior to v0.13.0 contain a path traversal vulnerability in the file download functionality. The application uses Base64 encoding to handle filenames in the l (list), dl (download), and del (delete) endpoints, but fails to properly validate the decoded file paths. This allows attackers to craft malicious Base64-encoded payloads containing directory traversal sequences (e.g., ../) to access files outside the intended log directory.
Remediation
Immediately upgrade Laravel Log Viewer to version v0.13.0 or later, which includes proper input validation and path sanitization to prevent directory traversal attacks.

To upgrade using Composer, update your composer.json file:

    "rap2hpoutre/laravel-log-viewer": "^0.13.0"

Then run:

    composer update rap2hpoutre/laravel-log-viewer

If immediate patching is not possible, implement the following temporary mitigations:
1. Restrict access to the log viewer routes using authentication middleware
2. Implement IP whitelisting to limit access to trusted networks only
3. Disable the log viewer in production environments until patching is complete

After upgrading, verify that the log viewer is only accessible to authorized administrators and review server logs for any suspicious file access attempts that may indicate prior exploitation.
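As an added example (not part of this advisory or of the package's own code), the following Python script performs the log review suggested above: it scans web-server access-log lines for requests to the log viewer whose Base64-decoded l, dl or del parameter resolves to an absolute path or contains a ../ segment, and it applies the same lexical check a fixed viewer should apply before touching the filesystem. The /logs route and the sample log lines are assumptions constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

LOG_VIEWER_PATH = "/logs"             # assumed route; adjust to where the viewer is mounted
FILENAME_PARAMS = ("l", "dl", "del")  # list / download / delete parameters named in the advisory
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def _b64(name: str) -> str:
    return base64.b64encode(name.encode()).decode()


# Constructed sample lines in combined access-log format (not real traffic).
SAMPLE_LOG = "\n".join([
    f'10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /logs?l={_b64("laravel.log")} HTTP/1.1" 200 4521',
    f'10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /logs?dl={_b64("../../../example-secret.txt")} HTTP/1.1" 200 812',
    f'10.0.0.7 - - [01/Jan/2024:10:00:12 +0000] "GET /logs?del={_b64("../../stale.log")} HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:25 +0000] "GET /logs?l=not%20base64! HTTP/1.1" 400 0',
])


def decode_filename(value: str):
    """Decode a filename parameter the way the viewer does; None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def escapes_log_dir(name: str) -> bool:
    """True if a decoded name can leave the log directory: absolute, or containing a '..' segment."""
    normalised = name.replace("\\", "/")
    return normalised.startswith("/") or ".." in normalised.split("/")


def find_traversal_requests(log_text: str) -> list:
    """Return log-viewer requests whose decoded l/dl/del value escapes the log directory."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != LOG_VIEWER_PATH:
            continue
        for param, values in parse_qs(url.query).items():
            if param not in FILENAME_PARAMS:
                continue
            for raw in values:
                decoded = decode_filename(raw)
                if decoded is not None and escapes_log_dir(decoded):
                    hits.append({"client": line.split(" ", 1)[0], "param": param,
                                 "encoded": raw, "decoded": decoded})
    return hits
```

Run it against the access logs of the host serving the log viewer; each hit records the client address, the parameter used and the decoded path so that prior exploitation attempts can be triaged.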