Summary
Security audit of LavaLite CMS identified 5 vulnerabilities in the Filer module and auth guard configuration.
Findings
1. CRITICAL: Unauthenticated File Download and Display
File: Litepie/Filer/routes/web.php:8-9, Litepie/Filer/Http/Controllers/FileController.php:19-32
Routes GET /filer/download/{disk}/{path?} and GET /filer/display/{disk}/{path?} have no authentication at all. FileController extends Controller (no auth middleware), not ResourceController (which applies auth). The {disk} parameter is user-controlled and maps to any configured filesystem disk, including local (which points to storage/app/).
Attack: GET /filer/download/local/uploads/{any_private_file_path} — no authentication.
Comparison: file upload via the web routes goes through the {guard} prefix, so ResourceController's auth middleware protects uploads. The download/display routes are not behind any guard.
2. CRITICAL: Unauthenticated File Upload via API
File: Litepie/Filer/routes/api.php:3-6, Litepie/Filer/Providers/RouteServiceProvider.php:35-40
POST /api/{guard}/upload/{config}/{path?} is registered under the api middleware group, which only includes ThrottleRequests and SubstituteBindings — no auth middleware. Any unauthenticated client can upload files.
3. HIGH: Admin/User Guard Confusion — Shared Provider
File: config/auth.php:40-63
Both the admin and user guards share the same users provider (same table, same model). The set.guard middleware selects the active guard from the URL prefix. This allows a session authenticated as an ordinary user to reach admin routes via URL manipulation.
4. HIGH: Setting Store Only Checks View Permission
File: Litepie/Setting/Http/Requests/SettingResourceRequest.php
The authorize() method checks only the view permission on the Setting model regardless of HTTP method, so POST (store) requests require only view permission rather than create or update.
5. MEDIUM: Default Super Admin Credentials
Default admin credentials admin@lavalite.org / admin@lavalite are documented and seeded.
Impact
Unauthenticated file upload and download. Privilege escalation from user to admin via guard confusion.
Recommended Fix
- Add auth middleware to Filer routes
- Separate admin and user auth providers
- Add proper permission checks for setting store
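Worked example for the first fix (Findings 1 and 2): the Filer route registrations rewritten so that download/display and the API upload sit behind authentication and the {disk} segment is restricted to an allowlist. This is an added example, not LavaLite's own code. It assumes Laravel 8 or later, that FileController exposes download(), display() and upload() actions as the finding describes, that the default guard in config/auth.php is the one the auth middleware should use, and that an auth:api guard is configured for the API; the safeRelativePath() helper is hypothetical.

```php
<?php
// Hardened replacement for Litepie/Filer/routes/web.php and routes/api.php (example only).

use Illuminate\Support\Facades\Route;
use Litepie\Filer\Http\Controllers\FileController;

// Disks a browser may ever read from. 'local' (storage/app) is deliberately absent,
// so private uploads cannot be addressed through the {disk} segment at all.
$readableDisks = ['public'];

// Before (vulnerable, as shipped): no middleware on either route.
// Route::get('filer/download/{disk}/{path?}', [FileController::class, 'download']);
// Route::get('filer/display/{disk}/{path?}',  [FileController::class, 'display']);

// After: require an authenticated session and constrain {disk} to the allowlist.
Route::middleware(['web', 'auth'])->prefix('filer')->group(function () use ($readableDisks) {
    Route::get('download/{disk}/{path?}', [FileController::class, 'download'])
        ->whereIn('disk', $readableDisks)
        ->where('path', '.*');

    Route::get('display/{disk}/{path?}', [FileController::class, 'display'])
        ->whereIn('disk', $readableDisks)
        ->where('path', '.*');
});

// API upload: 'auth:api' (assumed guard name) on top of the 'api' group, which by itself
// only throttles and resolves route bindings.
Route::middleware(['api', 'auth:api'])->prefix('api/{guard}')->group(function () {
    Route::post('upload/{config}/{path?}', [FileController::class, 'upload'])
        ->where('path', '.*');
});

/**
 * Hypothetical helper for the controller side: collapse a user-supplied {path}
 * into a clean relative path and reject any '..' segment before it reaches
 * Storage::disk($disk)->path() / ->download().
 */
function safeRelativePath(?string $path): string
{
    $segments = array_filter(
        explode('/', str_replace('\\', '/', (string) $path)),
        fn (string $s): bool => $s !== '' && $s !== '.'
    );

    foreach ($segments as $segment) {
        if ($segment === '..') {
            abort(400, 'Invalid path');
        }
    }

    return implode('/', $segments);
}
```

The route constraints mean a request for a non-allowlisted disk is a 404 before any controller code runs; the auth middleware turns unauthenticated requests into a redirect or 401. The helper is defensive depth for the path segment, which the page's finding does not cover but which the same endpoints accept from the client.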
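Worked example for the second fix (Finding 3): config/auth.php with the admin guard moved onto its own provider, shown beside the shared-provider setting the audit flagged. This is an added example, not LavaLite's shipped configuration; the App\Models\Admin model and its backing admins table are assumptions for illustration, and the password-broker and defaults entries are elided with a comment because the finding does not discuss them.

```php
<?php
// config/auth.php (excerpt) — example only, not LavaLite's file.

return [

    'defaults' => [
        'guard'     => 'user',
        'passwords' => 'users',
    ],

    'guards' => [
        // Vulnerable (as audited): both guards resolve to the same provider, so the
        // same record in the users table satisfies either guard.
        // 'admin' => ['driver' => 'session', 'provider' => 'users'],
        // 'user'  => ['driver' => 'session', 'provider' => 'users'],

        // Corrected: admin sessions can only be backed by rows of the admins provider.
        'admin' => [
            'driver'   => 'session',
            'provider' => 'admins',
        ],
        'user' => [
            'driver'   => 'session',
            'provider' => 'users',
        ],
    ],

    'providers' => [
        'users' => [
            'driver' => 'eloquent',
            'model'  => App\Models\User::class,
        ],
        // Assumed: a separate Eloquent model and table for administrators.
        'admins' => [
            'driver' => 'eloquent',
            'model'  => App\Models\Admin::class,
        ],
    ],

    // 'passwords' => [ ... per-provider brokers, unchanged for this example ... ],
];
```

With separate providers, the guard that set.guard selects from the URL prefix can only be satisfied by a principal from that guard's own table, so a URL-prefix change alone cannot turn a user session into an admin one.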
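Worked example for the third fix (Finding 4): a FormRequest whose authorize() maps the HTTP method to the matching policy ability instead of always checking view. This is an added example, not LavaLite's SettingResourceRequest; it assumes the Setting model lives at Litepie\Setting\Models\Setting, that a policy with viewAny/view/create/update/delete abilities is registered for it, and that the bound model's route parameter is named setting.

```php
<?php
// Example replacement for Litepie/Setting/Http/Requests/SettingResourceRequest.php (not the project's code).

namespace Litepie\Setting\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use Litepie\Setting\Models\Setting; // assumed model class

class SettingResourceRequest extends FormRequest
{
    public function authorize(): bool
    {
        $user = $this->user();
        if ($user === null) {
            return false;
        }

        // Bound model on show/update/delete routes; null on index/store. Parameter name is assumed.
        $setting = $this->route('setting');
        $hasModel = $setting instanceof Setting;

        // Before (vulnerable): return $user->can('view', Setting::class); for every method.
        // After: the ability follows the verb, and mutating verbs never fall back to 'view'.
        return match (true) {
            $this->isMethod('POST')                            => $user->can('create', Setting::class),
            $this->isMethod('PUT'), $this->isMethod('PATCH')   => $hasModel && $user->can('update', $setting),
            $this->isMethod('DELETE')                          => $hasModel && $user->can('delete', $setting),
            default                                            => $hasModel
                ? $user->can('view', $setting)
                : $user->can('viewAny', Setting::class),
        };
    }

    public function rules(): array
    {
        return [
            'name'  => ['required', 'string', 'max:255'],
            'value' => ['nullable', 'string'],
        ];
    }
}
```

Because PUT/PATCH/DELETE require the bound model, a request that reaches those verbs without a resolved Setting is denied rather than silently downgraded to a view check. Laravel's isMethod() is case-insensitive, so the uppercase verb names are only a style choice.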