We do keep seeing attackers "poking around" looking for enabled development features. Developers often use these features and plugins to aid in debugging web applications. But if left behind, they may provide an attacker with inside to the application. In their simplest form, these features provide detailed configuration information. More severe cases may leak credentials or even provide full remote code execution access.

Here are some I noted today:

/struts/webconsole.html

As the URL implies, this is a feature of Struts. This URL provides an ONGL console to execute arbitrary OGNL expression. Who needs OGNL injection vulnerabilities if the developer enabled a console like this? Sadly, it appears that this particular feature is enabled even if devMode is turned off! [1]

/telescope/requests

Telescope is a debug extension for the popular Laravel PHP framework. Usually, this should only be accessible in the "local" environment, and should not be enabled in production environments.

/server-status

The classic Apache "server-status" will display a snapshot of requests currently processed by the server. This may leak URLs which is in particular an issue if the URL includes credentials.

/logs/debug.log, /storage/logs/system.log and similar

Exposing logs is certainly an issue. There are several similar URLs that attackers are looking for. In some cases, this could even lead to XSS and RCE attacks if the attacker can inject specific log entries.

/phpunit/phpunit/Util/PHP/eval-stdin.php

Essentially a little web shell used by the PHP unit testing framework.

What did I miss?

[1] https://breakfix.co/posts/apache-struts2-ognl-console-and-devmode-exploitation/

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|