URL Injection Triggers FatalErrorException

Hi,

I am using Cake5. In my error.log, I notice this URL call which causes a fatal error.
How come URL parameters can trigger a call to Laminas? Will outsiders be able to inject files in this way?

/index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5(\x22hi\x22));?>+/tmp/index1.php
2024-07-01 09:31:25 error: [Laminas\Diactoros\Exception\InvalidArgumentException] Invalid path provided; must not contain a query string in /var/www/html/labour/project/vendor/laminas/laminas-diactoros/src/Uri.php on>
Stack Trace:
- /var/www/html/labour/project/vendor/cakephp/cakephp/src/Http/UriFactory.php:102
- /var/www/html/labour/project/vendor/cakephp/cakephp/src/Http/UriFactory.php:64
- /var/www/html/labour/project/vendor/cakephp/cakephp/src/Http/ServerRequestFactory.php:57
- /var/www/html/labour/project/vendor/cakephp/cakephp/src/Http/Server.php:86
- /var/www/html/labour/project/webroot/index.php:37
- [main]:

2024-07-01 09:31:25 error: [Cake\Error\FatalErrorException] Fatal Error: Uncaught Cake\Error\FatalErrorException: [Laminas\Diactoros\Exception\InvalidArgumentException] Invalid path provided; must not contain a query>
Stack trace:
#0 [internal function]: Cake\Error\ErrorTrap->handleError()
#1 /var/www/html/labour/project/vendor/cakephp/cakephp/src/Error/ExceptionTrap.php(377): trigger_error()
#2 /var/www/html/labour/project/vendor/cakephp/cakephp/src/Error/ExceptionTrap.php(241): Cake\Error\ExceptionTrap->logInternalError()
#3 [internal function]: Cake\Error\ExceptionTrap->handleException()
#4 {main}
  thrown in /var/www/html/labour/project/vendor/cakephp/cakephp/src/Error/ExceptionTrap.php on line 377
Stack Trace:
- /var/www/html/labour/project/vendor/cakephp/cakephp/src/Error/ExceptionTrap.php:277
- [internal]:??
- [main]:

The exception is actually your indication that the system is correctly blocking this attack attempt.

But my index action is just a very simple dummy action file. Why should it trigger it?

public function index()
{
    // Doesn't take any inputs or do any actions.
    $articles = '';
    $this->set(compact('articles'));
    $this->viewBuilder()
        ->setOption('serialize', ['articles'])
        ->setClassName('Json');
}

From the stack trace, you can see that it’s never even reaching your function. The system is detecting an invalid attack URL at a much earlier stage, and aborting the request.
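
A log-triage sketch for the request quoted in this thread, added here as an example; it is not code from any poster or from CakePHP. It assumes a combined-format web server access log; the function names and the sample lines (apart from the request target copied from the first post) are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Indicators visible in the request quoted in the first post.
INDICATORS = {
    "path_traversal": re.compile(r"(?:\.\./){2,}"),   # repeated ../ in a value
    "pearcmd_include": re.compile(r"pearcmd", re.I),  # include target
    "config_create": re.compile(r"config-create", re.I),
    "php_open_tag": re.compile(r"<\?"),               # PHP code in the URL
}

# Request target inside a combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def match_indicators(target):
    """Return the sorted names of indicators found in a request target."""
    decoded = unquote_plus(target)  # normalise %xx and '+' before matching
    return sorted(n for n, rx in INDICATORS.items() if rx.search(decoded))


def scan(lines):
    """Return (client_ip, indicators) for lines that look like this probe.

    A line is reported only when traversal and pearcmd occur together, so a
    harmless search for the word 'pearcmd' is not flagged.
    """
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = match_indicators(m.group(1))
        if {"path_traversal", "pearcmd_include"} <= set(hits):
            findings.append((line.split()[0], hits))
    return findings


# Constructed sample log; the first target is the one from the first post.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jul/2024:09:31:25 +0000] "GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5(\\x22hi\\x22));?>+/tmp/index1.php HTTP/1.1" 500 0',
    '198.51.100.23 - - [01/Jul/2024:09:32:02 +0000] "GET /index.php?lang=en HTTP/1.1" 200 512',
    '198.51.100.40 - - [01/Jul/2024:09:33:10 +0000] "GET /search?q=pearcmd+documentation HTTP/1.1" 200 204',
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG):
        print(ip, ", ".join(hits))
```

Any hit is worth following up by checking that the file path named at the end of the request (here /tmp/index1.php) does not exist on the server.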