CVE-2024-41931: Vvweb Pre-Auth PHP Stack-Trace and Source-Code Disclosure

Vulnerability Summary: Pre-authentication PHP Stack-Trace and Source-Code Disclosure via DEBUG=true Vulnerability Overview Vulnerability Name: Pre-authentication PHP Stack-Trace and Source-Code Disclosure via DEBUG=true CVE ID: CVE-2024-41931 Severity: High Affected Versions: <= 1.08.1 Fixed Version: 1.08.2 Reporter: CyberWarrior9 Description Issue: In development environments, causes detailed error pages to expose sensitive information such as paths, class names, source code, and stack frames. In production environments, these error pages should only display a generic 500 error. Specific Behavior: When is set, enables and . The global exception handler renders a debug page containing the exception message, absolute file path, line number, source code snippet, and stack frames. Trigger Condition: The administrator password reset module throws an unhandled exception, resulting in a 500 response and leaking sensitive information. Impact Scope Affected Components: - URL/endpoint: - HTTP Method: GET - Parameter/Location: None - Source Files: and - is enabled by default in the installation Impact Source Path Disclosure: Absolute container paths (e.g., ) are exposed for every module that throws an exception. Internal Namespace Disclosure: Internal class names such as are disclosed without authentication. Source Code Snippet Disclosure: The response renders the source code version of the line that threw the exception. Operational Reconnaissance Multiplier: VVKRAM and KHANDEBHARAD used this vulnerability to confirm internal paths and class names without requiring login. Remediation Immediate Workaround 1. Edit line 37 of , changing to for any non-development environment. 2. Restart the PHP-FPM / Apache container. Code Fixes 1. Set to as the default value in for production. Provide explicit or overrides for development. 2. Install global and to render a generic 500 page in production environments, excluding , , or source code snippet fields. 3. Fix the underlying (or correct namespace) import in so that the module no longer fails fatally on the first request. 4. Add static analysis checks (e.g., ) and a project-level CI step to isolate loading each controller to capture missing imports. Reproduction Steps 1. Start Burp Suite and confirm the Proxy is listening on . 2. Set the browser proxy to . 3. In Burp Proxy, turn off Intercept. 4. Navigate to in the browser. The browser renders a Vvweb-themed exception page. 5. View the page source and scroll to elements with the attributes , , , and . 6. In Burp Proxy, select the GET request and send it to Repeater. 7. In Repeater, click Send. The response is HTTP/1.1 500, and the response body is approximately 76 KB. Search for in the response body. Confirm that the absolute server path is present. 8. Prove that authentication is not required: In Burp Proxy, right-click the same GET request, send it to Repeater, remove the entire Cookie header, and click Send. The same 500 response is returned with the same leakage. Proof of Concept (POC) Captured Burp Request HTTP/1.1 500 Response Excerpt

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2024-41931: Vvweb Pre-Auth PHP Stack-Trace and Source-Code Disclosure

More from this source