DEF-032 — Admin panel /login and /logout routes return HTTP 405 and expose Laravel Ignition debug page

Defect DEF-032 — Severity: High · Status: New
Published: 2026-06-17


Summary

Navigating directly to /login or /logout via a browser GET request returns an HTTP 405 (Method Not Allowed) error that renders the full Laravel Ignition debug interface — including file paths, framework class names, line numbers, and a 31-frame call stack. The debug interface is publicly accessible with no authentication required.

This is the web-panel equivalent of DEF-029, which covers the API layer. Both share the same root cause: APP_DEBUG=true is set on the production server.

Environment

  • URL (login): https://project6.dxtserver.com/drivelink_new/public/login
  • URL (logout): https://project6.dxtserver.com/drivelink_new/public/logout
  • Module: Admin Panel — Authentication
  • Area: Security / Error Handling
  • Date Reported: 2026-06-17
  • Testing Phase: Admin Panel — GBL-01 Authentication

Screenshots

  • Screenshot 1: GET /login → HTTP 405 + Ignition debug page (GET /login returns 405 and exposes the Laravel Ignition stack trace)
  • Screenshot 2: GET /logout → HTTP 405 + Ignition debug page (GET /logout returns 405 and exposes the Laravel Ignition stack trace)

Steps to Reproduce

For /login:

  1. Open any browser while logged out.
  2. Navigate directly to https://project6.dxtserver.com/drivelink_new/public/login.
  3. Observe the response.

For /logout:

  1. Navigate directly to https://project6.dxtserver.com/drivelink_new/public/logout.
  2. Observe the response.

Expected Behaviour

Both routes should return a clean redirect or a simple JSON/HTML error response with no internal framework details exposed. Unauthenticated users mistyping the URL should never see server internals.

HTTP 405 Method Not Allowed
{"message": "Method not allowed."}

Or simply redirect GET /login to the actual login page at /.

Actual Behaviour

Both routes return an unhandled Laravel exception page rendered by the Ignition debug interface, visible to anyone:

Symfony\Component\HttpKernel\Exception\MethodNotAllowedHttpException
vendor/laravel/framework/src/Illuminate/Routing/AbstractRouteCollection.php:130

The GET method is not supported for route login. Supported methods: POST.

LARAVEL 12.56.0   PHP 8.2.31   ⚠ UNHANDLED   CODE 0

Exposed information includes:

  • Server-side file path: vendor/laravel/framework/src/Illuminate/Routing/AbstractRouteCollection.php
  • Laravel version: 12.56.0
  • PHP version: 8.2.31
  • Full 31-frame call stack from public/index.php through every middleware layer

Root Cause

Same as DEF-029: APP_DEBUG=true is set in the server’s .env file on a publicly accessible production server. This must only ever be enabled in local development environments.

Fix

Set APP_DEBUG=false in the server’s .env file and restart the application. This is a single-line change with no code modifications required and resolves this defect and DEF-029 simultaneously.

Additionally, consider adding a route for GET /login that redirects to / (the actual login page) to prevent the 405 altogether.
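The following is an added illustration of the fix above, not code from the DriveLink project. It assumes a standard Laravel 12 layout (.env, routes/web.php, bootstrap/app.php), that the login form is served at /, and that the existing POST routes are named login and logout, as the exception text in this report indicates. It combines the one-line .env change, the optional GET redirects that avoid the 405 entirely, and a defence-in-depth render callback so that a MethodNotAllowedHttpException on any other POST-only route returns the minimal JSON body shown under Expected Behaviour rather than a stack trace.

```php
<?php
// Added example, not the project's code. File boundaries are marked in comments.

// --- .env (production) ---------------------------------------------------
// APP_ENV=production
// APP_DEBUG=false        <- the single-line fix for DEF-029 and DEF-032

// --- routes/web.php ------------------------------------------------------
use Illuminate\Support\Facades\Route;

// A browser GET on a POST-only route raises MethodNotAllowedHttpException.
// Explicit GET handlers turn that into a plain redirect to the login page at "/".
// (Left unnamed so they do not collide with the existing POST routes named
// "login" and "logout".)
Route::get('/login', fn () => redirect('/'));
Route::get('/logout', fn () => redirect('/'));

// --- bootstrap/app.php ---------------------------------------------------
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Http\Request;
use Symfony\Component\HttpKernel\Exception\MethodNotAllowedHttpException;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(web: __DIR__.'/../routes/web.php')
    ->withExceptions(function (Exceptions $exceptions) {
        // Custom render callbacks run before Laravel's default exception page,
        // so even if APP_DEBUG is ever re-enabled by mistake, a 405 returns
        // only this body and never the Ignition interface.
        $exceptions->render(function (MethodNotAllowedHttpException $e, Request $request) {
            return response()->json(['message' => 'Method not allowed.'], 405);
        });
    })
    ->create();
```

If the deployment caches configuration (php artisan config:cache), the cached copy still holds the old APP_DEBUG value; re-run config:cache (or config:clear) after editing .env, then restart the application as the Fix section describes. Confirm the change by repeating the Steps to Reproduce and checking that the response is a redirect or the short JSON body with no file paths or version strings.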

Impact

  • Discloses the exact Laravel and PHP versions installed on the server
  • Reveals internal framework file paths and the complete middleware chain
  • Accessible by any unauthenticated user — no credentials required
  • Classified as CWE-209: Generation of Error Message Containing Sensitive Information

Severity

High (Security)

Priority

High — Same root cause as DEF-029; fix is a one-line change.

Status

New

Reported By

QA / Testing Team