How to Solve Facade\Ignition\Http\Middleware\IgnitionEnabled?

Question

----------------------------------------------------------------------------------+
| Domain | Method   | URI                        | Name             | Action                                                                 | Middleware
                                                                                  |
+--------+----------+----------------------------+------------------+------------------------------------------------------------------------+--------------------------------------------------
----------------------------------------------------------------------------------+
|        | GET|HEAD | /                          |                  | Closure                                                                | web
                                                                                  |
|        | POST     | _ignition/execute-solution |                  | Facade\Ignition\Http\Controllers\ExecuteSolutionController             | Facade\Ignition\Http\Middleware\IgnitionEnabled,F
acade\Ignition\Http\Middleware\IgnitionConfigValueEnabled:enableRunnableSolutions |
|        | GET|HEAD | _ignition/health-check     |                  | Facade\Ignition\Http\Controllers\HealthCheckController                 | Facade\Ignition\Http\Middleware\IgnitionEnabled
                                                                                  |
|        | GET|HEAD | _ignition/scripts/{script} |                  | Facade\Ignition\Http\Controllers\ScriptController                      | Facade\Ignition\Http\Middleware\IgnitionEnabled
                                                                                  |
|        | POST     | _ignition/share-report     |                  | Facade\Ignition\Http\Controllers\ShareReportController                 | Facade\Ignition\Http\Middleware\IgnitionEnabled,F
acade\Ignition\Http\Middleware\IgnitionConfigValueEnabled:enableShareButton       |
|        | GET|HEAD | _ignition/styles/{style}   |                  | Facade\Ignition\Http\Controllers\StyleController                       | Facade\Ignition\Http\Middleware\IgnitionEnabled

What do you mean by "solve"? What's the problem? – ceejayoz Oct 05 '19 at 17:47 — ceejayoz, Oct 05 '19 at 17:47

score 12 · Answer 1 · answered Feb 10 '21 at 23:00

12

If you have a lot of POST request /_ignition/execute-solution in your production server by a random attacker and you notice that request call to the following controller and middlewares:

Controller  Facade\Ignition\Http\Controllers\ExecuteSolutionController
Middleware  Facade\Ignition\Http\Middleware\IgnitionEnabled, Facade\Ignition\Http\Middleware\IgnitionConfigValueEnabled:enableRunnableSolutions

you have to set APP_DEBUG to false in your .env file instead of removing the Facade/Ignition package.

answered Feb 10 '21 at 23:00

pableiros

14,932
12
99
105

Can you explan a bit more @pableiros? – Stanislav Stankov Mar 12 '21 at 16:03
@StanislavStankov an attacker is trying to do "remote code execution" in the server using a exploit (sort of) from `Ignition`. For more info: https://www.ambionics.io/blog/laravel-debug-rce – pableiros Mar 12 '21 at 17:00
Another discussion https://github.com/facade/ignition/issues/350 – gorodezkiy Jul 07 '21 at 05:56
Is there anyway to block the following url (endpoint) with .htaccess so apache mod_rewrite module can prevent it ? – Waqas Ghouri Aug 31 '21 at 03:35

Salim Djerbouh · Accepted Answer · 2020-04-25T14:59:08.430

8

It's not a problem to solve, these are the routes of the new debugging package for Laravel 6 called Facade/Ignition

They are required so Laravel can show you errors when they occur

So just ignore them

However, if you want to remove these routes (which is not recommended), you can remove this line from composer.json

 "require-dev": {
        "facade/ignition": "^1.4", <--- Remove this one
        "fzaninotto/faker": "^1.4",
        "mockery/mockery": "^1.0",
        "nunomaduro/collision": "^3.0",
        "phpunit/phpunit": "^8.0"
    },

And run

composer update

But then you wouldn't see custom error pages but the default PHP7 errors table and stack trace.

You can still get the old package filp/whoops by installing it

composer require filp/whoops

edited Apr 25 '20 at 14:59

answered Oct 05 '19 at 15:04

Salim Djerbouh

10,719
6
29
61

I also got this error. When I remove Facade/Ignition i get a much more accurate error screen. So why should I keep it? – Floris Jun 04 '20 at 11:10
1

Latest version of Laravel uses Flare to display errors, and it's much better IMO – Salim Djerbouh Jun 04 '20 at 13:55

score 3 · Answer 3 · answered Oct 18 '21 at 11:47

3

Up to date solution for this problem:

Update facade/ignition:

composer update facade/ignition

If you don't have config/ignition.php then run:

php artisan vendor:publish --tag=ignition-config

Then make this edition:

'enable_runnable_solutions' => false,

answered Oct 18 '21 at 11:47

Stalinko

3,319
28
31

Does this have any side effect when using in a Laravel project? – realtebo Mar 31 '22 at 08:59
1

@realtebo nothing serious unless you really used that feature for debugging. Anyway you can separately enable it in your local env. More details: https://flareapp.io/docs/ignition-for-laravel/security – Stalinko Mar 31 '22 at 09:24
where to make the edition 'enable_runnable_solutions' => false, – mrtechmaker Jan 14 '23 at 07:44
@mrtechmaker in `config/ignition.php` – Stalinko Jan 14 '23 at 18:00

How to Solve Facade\Ignition\Http\Middleware\IgnitionEnabled?

3 Answers3