Summary #

Netsparker identified a version disclosure (Tracy Debugging Tool) in the target web server's HTTP response.

Tracy is a tool for error logging and debugging web applications. When it is exposed in this way, it can leak highly sensitive data about current sessions.

Impact #

Tracy is a powerful tool that helps developers debug and resolve problems in their applications. However, it is configured improperly on the target website, and that allows attackers to gain information about requests and responses to the application. An attacker can obtain information such as:

  • Session cookies
  • Session state
  • Query string and post variables
  • Physical path of the requested file
  • SQL queries 
  • PHP notifications
  • Connection string to a database (including password and hostname)

This means that an attacker can hijack any active user's session using the leaked session details, learn how your website is built (which aids further attacks against the server), or access the database if its credentials are present.

Remediation #

To run Tracy in production mode, pass the Debugger::PRODUCTION constant to Debugger::enable():

Debugger::enable(Debugger::PRODUCTION);

Example code:

// at the top of the class file
use Tracy\Debugger;

public function onAfterDebug(Container $c)
{
    $p = $c->parameters;

    if (isset($p['forceDebug'])) {
        // Development mode only when forceDebug is explicitly set to something other
        // than false; otherwise Tracy runs in production mode and writes errors to
        // LOG_DIR (and mails them) instead of rendering them into the response.
        $mode = $p['forceDebug'] === false ? Debugger::PRODUCTION : Debugger::DEVELOPMENT;

        Debugger::enable($mode, LOG_DIR, 'bugs+ns@netsparker.com');
    }
}
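As an added example (not Netsparker's or Tracy's own code), the bootstrap below shows the weak call, which leaves the mode to Tracy's auto-detection, beside a fail-closed version that defaults to Debugger::PRODUCTION and grants development mode only to an explicit allow-list of client addresses. The APP_ENV and TRACY_DEV_IPS variables, the log directory and the e-mail address are assumptions.

```php
<?php
// Added example, not Netsparker's or Tracy's own code. Assumes tracy/tracy is
// installed via Composer; APP_ENV, TRACY_DEV_IPS, the log path and the e-mail
// address are assumptions.
require __DIR__ . '/vendor/autoload.php';

use Tracy\Debugger;

// Weak bootstrap (do not use): with no mode argument Tracy auto-detects the mode
// (Debugger::DETECT), so any request it judges to be local gets the debug bar
// and bluescreen, i.e. the session, request variables and other data listed
// above, rendered into the HTML response.
// Debugger::enable();

/**
 * Decide the Tracy mode fail-closed: production unless the deployment is
 * explicitly marked as development AND the client address is on an allow-list.
 *
 * @param array<string,string> $env        environment variables, e.g. getenv()
 * @param string|null          $remoteAddr client address as seen by PHP
 * @return bool Debugger::PRODUCTION (true) or Debugger::DEVELOPMENT (false)
 */
function resolveTracyMode(array $env, ?string $remoteAddr): bool
{
    if (($env['APP_ENV'] ?? 'production') !== 'development') {
        return Debugger::PRODUCTION;
    }
    // Assumed variable: comma-separated developer addresses, e.g. "127.0.0.1,::1".
    // Behind a reverse proxy REMOTE_ADDR is the proxy, so an empty list means nobody.
    $allowed = array_filter(array_map('trim', explode(',', $env['TRACY_DEV_IPS'] ?? '')));
    if ($remoteAddr === null || !in_array($remoteAddr, $allowed, true)) {
        return Debugger::PRODUCTION;
    }
    return Debugger::DEVELOPMENT;
}

$mode = resolveTracyMode(getenv(), $_SERVER['REMOTE_ADDR'] ?? null);

// Hardened bootstrap: the mode is decided above; in production mode errors are
// written to the log directory (an existing absolute path) and reported by
// e-mail instead of being rendered into the HTTP response.
Debugger::enable($mode, __DIR__ . '/log', 'ops@example.com');
```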
Classifications #
CAPEC-170; CWE-205; HIPAA-164.306(a), 164.308(a); ISO27001-A.18.1.3; WASC-13; OWASP 2013-A5; OWASP 2017-A6