
arpce / Exposure of public .env file

reported 2021-10-09

A publicly accessible .env file has been found, leaking credentials and personal information:

https://151.80.240.56/.env

Any credentials present in this file should also be reset.

IP: 151.80.240.56
Port: 443
Detected protocol: https
Vulnerable URL: https://151.80.240.56/.env

APP_NAME=ARPCE
APP_ENV=local
APP_KEY=base64:<redacted>
APP_DEBUG=false
APP_LOG_LEVEL=debug
APP_URL=http://www.arpce.cg/
ADMIN_MAIL=<redacted>@expertel-communication.com

DB_CONNECTION=mysql
DB_HOST=localhost
DB_PORT=3306
DB_DATABASE=arpce_prod
DB_USERNAME=arpce_prod 
DB_PASSWORD=<redacted>

BROADCAST_DRIVER=log
CACHE_DRIVER=file
SESSION_DRIVER=file
SESSION_LIFETIME=120
QUEUE_DRIVER=sync

REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379

MAIL_DRIVER=smtp
MAIL_HOST=smtp.expertel-communication.com
MAIL_PORT=587
MAIL_USERNAME=<redacted>@expertel-communication.com
MAIL_PASSWORD=<redacted>
MAIL_ENCRYPTION=null

PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1

Found by DotEnvConfigPlugin 2021-07-26
Report created by zythop 2021-10-09
Report edited by zythop 2021-10-09
Report edited by BloodyShell 2021-10-09
Report approved by BloodyShell 2021-10-09
New PDF report generated by system 2021-10-09
Report dispatched to ...@... by system 2021-10-09
Report dispatched to ...@... by system 2021-10-09
Report marked as fixed by BloodyShell 2021-10-10
Report closed by BloodyShell 2021-10-10
New PDF report generated by system 2021-10-10
Report edited by zythop 2021-10-10
New PDF report generated by system 2021-10-10

Information
Owner arpce
Created 2021-10-09 11:09
Updated 2021-10-10 13:51
Fixed true

Contacts
a...@arpce.cg
c...@arpce.cg

Status
Status closed
Hosting contacted false
CERT contacted false
