Summary

Acunetix 360 identified a version disclosure (Tracy Debugging Tool) in the target web server's HTTP response.

Tracy is used for error logging and debugging web applications. When it is exposed in production, this vulnerability can leak highly sensitive data about current sessions.

Impact

Tracy is a powerful tool that helps developers debug and resolve problems in their applications. However, it is configured improperly on the target website, which allows attackers to gain information about requests to and responses from the application. An attacker can obtain information such as:

  • Session cookies
  • Session state
  • Query string and post variables
  • Physical path of the requested file
  • SQL queries
  • PHP notifications
  • Connection string to a database (including password and hostname)

This means that an attacker can hijack any active user's session by reusing their session details, learn how your website is built (which makes further attacks on the server easier), or access the database if credentials are present.

Remediation

You need to pass the constant Debugger::PRODUCTION to run Tracy in production mode, for example:

Debugger::enable(Debugger::PRODUCTION);

Example code (assumes `use Tracy\Debugger;` and the DI container class of your framework are imported at the top of the file):

public function onAfterDebug(Container $c)
{
    $p = $c->parameters;

    // Only touch the debugger when the configuration states a mode explicitly.
    if (isset($p['forceDebug'])) {
        // forceDebug === false selects production mode (errors are logged, nothing is shown);
        // any other value enables development mode (debug bar and Bluescreen are rendered).
        $mode = $p['forceDebug'] === false ? Debugger::PRODUCTION : Debugger::DEVELOPMENT;

        // LOG_DIR is the directory Tracy writes error logs to; the third argument
        // is the address that receives error notifications in production mode.
        Debugger::enable($mode, LOG_DIR, 'bugs+ns@netsparker.com');
    }
}
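The following is an added example (not Acunetix's or the Tracy project's own code) of a bootstrap that applies the remediation: it defaults to Debugger::PRODUCTION and turns development mode on only when an explicit opt-in is combined with an IP allowlist, so a missing or mistyped setting can never expose the debug bar. It assumes PHP 8, tracy/tracy installed via Composer, and the environment variable names, log directory and alert address shown are placeholders.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';   // assumes tracy/tracy installed via Composer

use Tracy\Debugger;

// Assumed deployment values (placeholders, not taken from the advisory).
const LOG_DIR = __DIR__ . '/log';
const ALERT_EMAIL = 'ops@example.com';

/**
 * Decide the Tracy mode from the process environment.
 * Anything other than an explicit opt-in yields Debugger::PRODUCTION.
 * The return value is passed straight to Debugger::enable(): either the
 * PRODUCTION constant or an array of client IPs allowed to see the debug bar.
 */
function resolveTracyMode(array $env): bool|array
{
    $flag = strtolower(trim((string) ($env['APP_DEBUG'] ?? '')));
    if ($flag !== '1' && $flag !== 'true') {
        return Debugger::PRODUCTION;           // default: log errors, show nothing
    }
    // Development was requested: still restrict it to allowlisted client IPs.
    // Tracy treats an IP list as "production for everyone else".
    $ips = array_filter(array_map('trim', explode(',', $env['TRACY_DEV_IPS'] ?? '')));
    return $ips !== [] ? array_values($ips) : Debugger::PRODUCTION;
}

// Weak (the misconfiguration this advisory describes): debug bar for every visitor.
// Debugger::enable(Debugger::DEVELOPMENT, LOG_DIR);

// Hardened: production unless explicitly opted in, and then only for listed IPs.
if (!is_dir(LOG_DIR)) {
    mkdir(LOG_DIR, 0750, true);
}
Debugger::enable(resolveTracyMode(getenv()), LOG_DIR, ALERT_EMAIL);
Debugger::$strictMode = true;   // notices and warnings become logged errors, not output

// Fail closed: if development mode is somehow active without an opt-in,
// refuse to serve the request rather than render the debug bar.
if (!Debugger::$productionMode && getenv('APP_DEBUG') === false) {
    http_response_code(500);
    exit('Debugger misconfigured');
}
```

Note that Tracy itself adds 127.0.0.1 and ::1 to an IP allowlist unless the request carries forwarding headers, so behind a reverse proxy the explicit list is what counts.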

Severity

Low

Classification

CAPEC-170 CWE-205 HIPAA-164.306(a) 164.308(a) ISO27001-A.18.1.3 WASC-13 OWASP 2013-A5 OWASP 2017-A6