On January 12, 2024, a security flaw with the identifier CVE-2023-49283 was made public, highlighting a critical threat lying dormant in the Microsoft Graph Beta PHP SDK. The vulnerability is quite straightforward—a test file inside the SDK package can disclose sensitive system information if your server is misconfigured. In this post, we'll break down what happened, how the vulnerability works (with code snippets), and what you can do to stay secure.

What Exactly is the Issue?

The problem was discovered in microsoft/graph-core, the official PHP SDK that allows developers easy access to the Microsoft Graph API. The affected versions shipped with a test file:
vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo.php

This script, intended for development use only, called the phpinfo() function. It's meant to display configuration information about the PHP environment—which can be useful for developers, but very dangerous if exposed to the internet.

That output includes the server's active configuration flags, among other details.

When an attacker gains access to this info, they can plan more complex attacks (like privilege escalation, or extracting database credentials from environment variables).

Exploit Details

CVE-2023-49283 isn't a bug in the code logic. Instead, it's about the presence of this test script combined with a misconfigured server.

The vulnerable file looks like this:

<?php
// File: vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo.php

phpinfo();

That's it. If your web server allows direct access to the /vendor directory (common when proper rules aren’t set in .htaccess or nginx configs), an attacker could just:

http://your-site.com/vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo.php

And instantly see your full PHP info!

Two conditions must hold for this to be exploitable:

1. The vulnerable SDK (*prior to 2..2*) is installed and deployed as-is.

2. The /vendor directory is web accessible (which should not be the case in production, but is sometimes enabled for convenience or due to oversight).

When both conditions are met, the attacker can simply visit the URL and view sensitive info.

Official Patch

A security fix is available in version 2..2 (or newer) of microsoft/graph-core. See the official advisory.

Upgrade instructions

1. Delete the Vulnerable File

rm vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo.php


2. Block Web Access to /vendor

Apache: add this to .htaccess:

  RedirectMatch 404 ^/vendor/

Nginx:

  location ~* /vendor/ { deny all; }

3. Disable phpinfo() in php.ini

Add this to your php.ini (keeping whatever functions you already disable):

disable_functions = ... ,phpinfo

---

Quick PHP script to detect the presence of the vulnerable file (run it from your project root):

<?php
// Path of the test file named in the advisory, relative to the project root.
$path = __DIR__ . '/vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo.php';
if (file_exists($path)) {
    echo "Warning: Vulnerable file found at $path\n";
    // Optionally delete automatically:
    // unlink($path);
}
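A broader version of that check, written for this post as an added example (not code from Microsoft or the SDK): it walks the whole vendor/ tree and reports every PHP file that calls phpinfo(), so similar development files shipped by other packages are caught as well. The script name scan_phpinfo.php and the --delete flag are my own choices.

```php
<?php
// scan_phpinfo.php (example script, not part of the SDK)
// Usage: php scan_phpinfo.php /path/to/project [--delete]
// Exit status is non-zero while any hit remains, so a CI job can fail on it.

function findPhpinfoFiles(string $vendorDir): array
{
    $hits = [];
    if (!is_dir($vendorDir)) {
        return $hits;
    }
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($vendorDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        $src = file_get_contents($file->getPathname());
        // A call such as phpinfo() or phpinfo(INFO_ALL). A mention inside a
        // comment also matches, so treat hits as candidates for human review.
        if ($src !== false && preg_match('/\bphpinfo\s*\(/i', $src)) {
            $hits[] = $file->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

$root   = rtrim($argv[1] ?? getcwd(), '/');
$delete = in_array('--delete', $argv, true);
$hits   = findPhpinfoFiles($root . '/vendor');

if ($hits === []) {
    echo "No phpinfo() calls found under {$root}/vendor\n";
    exit(0);
}

$remaining = 0;
foreach ($hits as $path) {
    echo "Warning: phpinfo() call in {$path}\n";
    if ($delete && unlink($path)) {
        echo "  removed\n";
    } else {
        $remaining++;
    }
}
exit($remaining > 0 ? 1 : 0);
```

Run it as part of your deployment build so that stray test files are reported before the artifact ships.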

References

- Official Microsoft Security Advisory
- CVE Record for CVE-2023-49283
- CISA Known Exploited Vulnerabilities Catalog
- Upgrading Composer Packages

- Scan your PHP projects (especially those using the Microsoft Graph Beta SDK).
- Make sure /vendor is not web-accessible in production.
- Patch your dependencies regularly.
- Remove any test/dev files from deployment builds.

Final Thoughts

CVE-2023-49283 is a perfect example of how "small" oversights can become major security risks, thanks to real-world deployment mistakes. Always audit your dependencies and your webroot, and keep an eye on package updates!

Timeline

Published on: 12/05/2023 23:15:07 UTC
Last modified on: 12/12/2023 13:24:42 UTC