Laravel log viewer local file download (LFD)
Description
Laravel Log Viewer is a popular logging interface for Laravel 5.x, 4.2, and Lumen applications. Versions prior to v0.13.0 contain a path traversal vulnerability in the file download functionality. The application uses Base64 encoding to handle filenames in the l (list), dl (download), and del (delete) endpoints, but fails to properly validate the decoded file paths. This allows attackers to craft malicious Base64-encoded payloads containing directory traversal sequences (e.g., ../) to access files outside the intended log directory.
Remediation
Immediately upgrade Laravel Log Viewer to version v0.13.0 or later, which includes proper input validation and path sanitization to prevent directory traversal attacks.
To upgrade using Composer, update your composer.json file:
"rap2hpoutre/laravel-log-viewer": "^0.13.0"
Then run:
composer update rap2hpoutre/laravel-log-viewer
If immediate patching is not possible, implement the following temporary mitigations:
1. Restrict access to the log viewer routes using authentication middleware
2. Implement IP whitelisting to limit access to trusted networks only
3. Disable the log viewer in production environments until patching is complete
After upgrading, verify that the log viewer is only accessible to authorized administrators and review server logs for any suspicious file access attempts that may indicate prior exploitation.
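For a defender reviewing similar code, the description above comes down to one missing step: the filename is Base64-decoded and then used directly. The following is an added example, not code from the Laravel Log Viewer project, of how a decoded filename can be confined to the log directory before any read, download or delete; the temporary directory, the sample filenames and the PHP 8 helper functions are assumptions made here.

```php
<?php
// Added example (not the Laravel Log Viewer project's code): decode a Base64
// filename parameter the way the l/dl/del endpoints do, then confine the
// result to the log directory before using it. Requires PHP 8.0+ for
// str_contains() and str_starts_with().

function resolveLogFile(string $logDir, string $encoded): ?string
{
    // Strict decoding rejects anything that is not valid Base64.
    $name = base64_decode($encoded, true);
    if ($name === false || $name === '') {
        return null;
    }
    // Reject traversal sequences, separators and NUL before touching the filesystem.
    foreach (['..', '/', '\\', "\0"] as $forbidden) {
        if (str_contains($name, $forbidden)) {
            return null;
        }
    }
    // realpath() resolves symlinks and returns false for missing files, so the
    // prefix check below is made against the real location on disk.
    $base = realpath($logDir);
    $candidate = realpath($logDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $candidate === false) {
        return null;
    }
    if (!str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $candidate;
}

// Demo with a constructed temporary log directory holding one log file.
$logDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lv-demo-' . getmypid();
mkdir($logDir);
file_put_contents($logDir . DIRECTORY_SEPARATOR . 'laravel.log', "demo\n");

$cases = ['laravel.log', '../laravel.log', 'does-not-exist.log'];
foreach ($cases as $name) {
    $result = resolveLogFile($logDir, base64_encode($name));
    printf("%-20s -> %s\n", $name, $result === null ? 'rejected' : 'allowed');
}

unlink($logDir . DIRECTORY_SEPARATOR . 'laravel.log');
rmdir($logDir);
```

Only the plain `laravel.log` name resolves; the traversal attempt and the missing file are both rejected before any filesystem operation the endpoint would perform.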