The PHP programming language was first released in 1995, but 23 years later hundreds if not thousands of website developers are still failing to grasp a basic concept: debugging and error-reporting messages may contain information that can lead to a hack, and they should never be left enabled on a live website.

This is still a problem, even today, in 2018, according to Bob Diachenko, Director of Cyber Risk Research at cyber-security firm Hacken. Diachenko has recently carried out an internet-wide search for websites built with Laravel, a PHP framework for building web apps, that were exposing their debug mode.

“I have […] come up with a stunning list of 566 IPs,” said Diachenko in research published today.

The information revealed by Laravel’s debug mode varies with the framework features the website or web app uses, from basic hints about an error’s location in the source code to cases where the debug page prints highly sensitive database and API credentials.

“This information might help an attacker gain more information and potentially to focus on the development of further attacks to the target system,” Diachenko said.

The most dangerous cases were, obviously, websites that printed database and API credentials in cleartext in Laravel’s debug mode messages.

“For the last two weeks, I have responsibly notified 22 companies whose credentials were exposed in such manner,” Diachenko said.

The one incident that stood out above all others in Diachenko’s recent study was the case of PrestoDaycare, a…
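As an added example (not from the article and not part of Laravel), a small POSIX shell audit of a Laravel `.env` file for the misconfiguration Diachenko describes: `APP_DEBUG=true` on a site whose `APP_ENV` is not a local or testing environment. The helper names, the list of environments where debug is tolerated, and the sample `.env` files are assumptions made for the demonstration.

```shell
#!/bin/sh
# Hypothetical audit helper (not part of Laravel): flags a .env that would serve
# Laravel's verbose debug pages outside a local/testing environment.

# Print the value of KEY from FILE; last assignment wins, quotes and CR stripped.
get_env_value() {
  grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d "\"'\r"
}

# Return 0 if safe, 1 if debug output would be exposed, 2 if the file is unreadable.
audit_laravel_env() {
  env_file="$1"
  [ -r "$env_file" ] || { echo "cannot read $env_file" >&2; return 2; }
  app_env=$(get_env_value "$env_file" APP_ENV | tr '[:upper:]' '[:lower:]')
  app_debug=$(get_env_value "$env_file" APP_DEBUG | tr '[:upper:]' '[:lower:]')
  # Laravel reads APP_DEBUG with a default of false, so only an explicit
  # truthy value ("true", "(true)", "1") turns the debug pages on.
  case "$app_debug" in
    true|"(true)"|1) debug_on=1 ;;
    *) debug_on=0 ;;
  esac
  # Assumption: debug output is acceptable only in the local and testing environments.
  case "$app_env" in
    local|testing) debug_allowed=1 ;;
    *) debug_allowed=0 ;;
  esac
  if [ "$debug_on" -eq 1 ] && [ "$debug_allowed" -eq 0 ]; then
    echo "FAIL: $env_file sets APP_DEBUG=$app_debug with APP_ENV=${app_env:-unset}"
    return 1
  fi
  echo "OK: $env_file (APP_ENV=${app_env:-unset}, APP_DEBUG=${app_debug:-unset})"
  return 0
}

# Constructed sample .env files for the demonstration; the secrets are fake.
EXPOSED_ENV=$(mktemp)   # production site with debug pages left on
HARDENED_ENV=$(mktemp)  # same site with debug switched off
LOCAL_ENV=$(mktemp)     # developer machine, where debug is expected
printf 'APP_ENV=production\nAPP_DEBUG=true\nDB_PASSWORD=fake-example\n' > "$EXPOSED_ENV"
printf 'APP_ENV=production\nAPP_DEBUG=false\nDB_PASSWORD=fake-example\n' > "$HARDENED_ENV"
printf 'APP_ENV=local\nAPP_DEBUG="true"\nDB_PASSWORD=fake-example\n' > "$LOCAL_ENV"

for f in "$EXPOSED_ENV" "$HARDENED_ENV" "$LOCAL_ENV"; do
  audit_laravel_env "$f" || echo "  (exit status $?)"
done
```

Run it against the real `.env` of each deployed site as a deploy-time gate; a non-zero exit means the site would answer errors with the kind of page Diachenko found.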
ZDNet is a business technology news website published by CBS Interactive, along with TechRepublic. The brand was founded on April 1, 1991, as a general interest technology portal from Ziff Davis and evolved into an enterprise IT-focused online publication owned by CNET Networks.