Description

Flight vulnerable to sensitive information disclosure via default error handler

Summary

The default error handler Engine::_error() writes the full exception message, exception code, and stack trace (including absolute filesystem paths) directly into the HTTP 500 response, with no debug gating. Production deployments leak internal paths, any secret interpolated into an exception message, and full module structure — giving attackers primitives for chaining other weaknesses (LFI, path traversal).

Affected code

flight/Engine.php (≈ lines 678-704):

public function _error(Throwable $e): void
{
    ...
    $msg = sprintf(<<<'HTML'
        <h1>500 Internal Server Error</h1>
            <h3>%s (%s)</h3>
            <pre>%s</pre>
        HTML,...
Show more

No flight.debug check, no environment gating.

Proof of concept

Any uncaught exception — including those auto-raised from handleError() — returns:

HTTP/1.1 500 Internal Server Error

<h1>500 Internal Server Error</h1>
  <h3>secret path /var/www/config/db.yml; token=LEAKED123 (0)</h3>
  <pre>#0 [internal function]: {closure}()
  #1 /home/user/app/vendor/flightphp/core/flight/core/Dispatcher.php(361)...
  #2 /home/user/app/vendor/flightphp/core/flight/Engine.php(...)
  ......
Show more

Reproduced against the live PoC app at /poc5/error.

Impact

Disclosure of absolute filesystem paths (primes weaponization of LFI / path-traversal vulnerabilities in the same application).

Disclosure of secrets (DB credentials, API tokens) when exceptions are constructed with interpolated configuration values.

Enumeration of installed vendor packages and internal application structure.

Patch (fixed in 3.18.1, commit b8dd23a)

A new flight.debug setting (default false) gates the verbose output. In production the handler now emits only <h1>500 Internal Server Error</h1>. Developers can set flight.debug = true in local environments to restore the full trace output.

Credit

Discovered by @Rootingg.

Mitigation

Aliases

References