Laravel LogViewer open
Description
The Laravel application has the ARCANEDEV LogViewer package installed and publicly accessible without authentication. LogViewer is a development and debugging tool that provides a web interface to view application logs. When exposed in production environments, it allows unauthorized users to access detailed application logs containing sensitive information such as database queries, API keys, user data, file paths, stack traces, and internal application logic.
Remediation
Disable LogViewer in production environments or implement strict access controls. To disable, remove or comment out the LogViewer service provider registration in config/app.php:
// Remove or comment out:
// Arcanedev\LogViewer\LogViewerServiceProvider::class,
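Alternatively, protect the LogViewer routes with authentication middleware by modifying the LogViewer configuration in config/log-viewer.php. The 'admin' entry stands for an authorization middleware that your application must define itself; Laravel does not ship one under that name:
'middleware' => ['web', 'auth', 'admin'],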
Or restrict access by IP address in your web server configuration. For Apache, add to the server or virtual host configuration (the <Location> directive is not permitted in .htaccess files):
<Location /log-viewer>
    Require ip 192.168.1.0/24
</Location>
Verify that LogViewer routes are not accessible to unauthorized users after implementing controls.
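An added example of the verification step, not part of the original advisory or the LogViewer project: it requests the route on your own deployment without credentials and classifies the response. The /log-viewer path comes from the page; the body marker strings and the sample responses are assumptions constructed for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Assumption: strings expected in LogViewer's HTML; adjust to your install.
BODY_MARKERS = ("logviewer", "log-viewer")

def classify(status, location, body):
    """Classify one unauthenticated response to the LogViewer route."""
    if status in (401, 403):
        return "protected"      # auth middleware or IP rule denied the request
    if status in (301, 302, 303, 307, 308):
        path = urlparse(location or "").path.lower()
        # A redirect to a login page is the usual 'auth' middleware behaviour.
        return "protected" if "login" in path else "review"
    if status == 404:
        return "not-routed"     # service provider removed or route disabled
    if status == 200:
        text = (body or "").lower()
        return "exposed" if any(m in text for m in BODY_MARKERS) else "review"
    return "review"             # anything else needs a manual look

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None             # surface the 3xx instead of following it

def check(base_url, path="/log-viewer", timeout=10):
    """Request the route with no cookies or credentials and classify it."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(base_url.rstrip("/") + path, timeout=timeout)
        status = resp.status
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx arrive here
        resp, status = err, err.code
    body = resp.read(65536).decode("utf-8", "replace")
    return classify(status, resp.headers.get("Location"), body)

# Constructed sample responses (not captured from a real system).
SAMPLES = {
    "before fix": (200, None, "<title>LogViewer</title><a href='/log-viewer/logs'>Logs</a>"),
    "auth middleware": (302, "https://app.example.test/login", ""),
    "ip rule": (403, None, "Forbidden"),
    "provider removed": (404, None, "Not Found"),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name}: {classify(*sample)}")
```

Run check() from a network location outside any allowed IP range, since a request from an allowed address will still reach the route.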