
Safran Group / Exposure of public .env file

Deleted user reported 2021-10-09

A publicly accessible .env file has been found, potentially leaking personal information: https://37.59.32.49/.env

IP: 37.59.32.49
Port: 443
Detected protocol: https
Vulnerable URL: https://37.59.32.49/.env

APP_NAME="Safran Meeting Beta"
APP_ENV=production
APP_KEY=base64:<redacted>
APP_DEBUG=false
APP_URL=https://beta.join.meeting.safran-group.com

LOG_CHANNEL=stack

DB_CONNECTION=mysql
DB_HOST=localhost
DB_PORT=3306
DB_DATABASE=jitsi_db
DB_USERNAME=jitsi_compte
DB_PASSWORD=<redacted>

BROADCAST_DRIVER=log
CACHE_DRIVER=file
QUEUE_CONNECTION=sync
SESSION_DRIVER=file
SESSION_LIFETIME=120

MAIL_DRIVER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=<redacted>
MAIL_PASSWORD=<redacted>
MAIL_ENCRYPTION=tls
MAIL_FROM_ADDRESS=noreply@beta.meeting.safran-group.com
#MAIL_FROM_ADDRESS=no<redacted>
MAIL_FROM_NAME="Safran Jitsi Beta"

SERVER_KEY="Server Key"
CLIENT_KEY="Client Key"
NB_ITERATION=4096

LEGALS_VERSION=1

JWT_KEY=<redacted>

FILE_LEGALS_LOG="/var/log/legals/legals_log.txt"
FILE_ALERT_LOG="/var/log/legals/delete_log.txt"

JITSI_URL=https://beta.meeting.safran-group.com
JITSI_MOBILE_URL=org.jitsi.meet:https://beta.meeting.safran-group.com

PROSODY_PATH="/var/log/prosody_accounts/"

LENGTH_ROOM=40
LENGTH_ROOM_MIN=30
LENGTH_ROOM_MAX=70

APP_STORE_IOS="https://itunes.apple.com/us/app/jitsi-meet/id1165103905"
APP_STORE_ANDROID="https://play.google.com/store/apps/details?id=org.jitsi.meet"
APP_URL_SUBDOMAIN=""
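
The file above is a Laravel .env: APP_KEY is the application's encryption key, DB_PASSWORD, MAIL_PASSWORD and JWT_KEY are live credentials, and none of it should ever be reachable through the web server. What follows is an added example, not code from the report, from the DotEnvConfigPlugin scanner or from Safran, showing how a triager can confirm that a /.env hit is a real dotenv file rather than a soft-404 or an HTML error page, and produce a redacted summary like the one pasted in this report. The function names, the list of secret-bearing key names and the "at least three assignments plus one Laravel key" threshold are assumptions of this example; the sample body is constructed from the key names on this page with fake values.

```python
"""Triage an exposed Laravel .env (added example; not part of the original report).

Decides whether a body returned for GET /.env is really a dotenv file and builds a
redacted copy safe to paste into a disclosure report.
"""
import re
import ssl
import urllib.request
from typing import Dict, List, Tuple

# Key names whose values are credentials or key material. Assumption of this
# example, seeded from the Laravel defaults visible on the page; extend per stack.
SECRET_KEY_PATTERNS = re.compile(
    r"(PASSWORD|SECRET|TOKEN|APP_KEY|JWT_KEY|PRIVATE|CREDENTIAL)", re.I
)

# One dotenv assignment: optional "export", KEY=VALUE, value possibly quoted.
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

# Constructed sample: the key names from the report with fake values.
SAMPLE_ENV = """APP_NAME="Safran Meeting Beta"
APP_ENV=production
APP_KEY=base64:ZmFrZS1rZXktZm9yLWV4YW1wbGU=
APP_DEBUG=false
APP_URL=https://beta.join.meeting.safran-group.com

DB_CONNECTION=mysql
DB_HOST=localhost
DB_PORT=3306
DB_DATABASE=jitsi_db
DB_USERNAME=jitsi_compte
DB_PASSWORD=not-the-real-one

MAIL_PASSWORD=also-fake
#MAIL_FROM_ADDRESS=commented-out
JWT_KEY=fake-jwt-signing-key
"""


def parse_dotenv(body: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines, skipping blanks and '#' comments, stripping matching quotes."""
    env: Dict[str, str] = {}
    for line in body.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        env[key] = val
    return env


def looks_like_dotenv(body: str, content_type: str = "") -> bool:
    """Reject HTML/JSON error pages; require several assignments and a Laravel key."""
    if "html" in content_type.lower():
        return False
    stripped = body.lstrip()
    if stripped.startswith("<") or stripped.startswith("{"):
        return False
    env = parse_dotenv(body)
    return len(env) >= 3 and any(k in env for k in ("APP_KEY", "APP_ENV", "DB_CONNECTION"))


def redact(env: Dict[str, str]) -> Dict[str, str]:
    """Replace the value of every secret-bearing key with <redacted>, as the report does."""
    return {
        k: ("<redacted>" if SECRET_KEY_PATTERNS.search(k) and v else v)
        for k, v in env.items()
    }


def triage(body: str, content_type: str = "") -> Tuple[bool, Dict[str, str], List[str]]:
    """Return (is_dotenv, redacted_env, sorted list of leaked secret keys)."""
    if not looks_like_dotenv(body, content_type):
        return False, {}, []
    env = parse_dotenv(body)
    leaked = sorted(k for k, v in env.items() if SECRET_KEY_PATTERNS.search(k) and v)
    return True, redact(env), leaked


def fetch_env(url: str, timeout: float = 10.0) -> Tuple[str, str]:
    """GET the candidate URL and return (body, content_type). Not called offline.

    Certificate verification is disabled on purpose: scanner hits like the one on
    this page are on a bare IP whose certificate will not match the host name.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"User-Agent": "env-triage-example/0.1"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        body = resp.read(64 * 1024).decode("utf-8", errors="replace")
        return body, resp.headers.get("Content-Type", "")


if __name__ == "__main__":
    ok, safe, leaked = triage(SAMPLE_ENV, "text/plain")
    print("dotenv:", ok, "leaked keys:", leaked)
    for k, v in safe.items():
        print(f"{k}={v}")
```

Only the redacted dictionary should go into a report; the leaked-key list is what drives the severity (here APP_KEY, DB_PASSWORD, MAIL_PASSWORD and JWT_KEY, all of which have to be rotated, not just hidden). On the remediation side, a Laravel .env lives in the project root and the web document root is meant to be the public/ directory, so a served /.env means either the document root points at the project root or the server serves dotfiles; the usual fix is to correct the document root and add a deny rule for dotfiles (for nginx, a location block matching /\. that returns 403 or deny all).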

Found by DotEnvConfigPlugin 2021-07-21
Report created by deleted-user  2021-10-09
Report approved by deleted-user  2021-10-09
New PDF report generated by system 2021-10-09
Report dispatched to ...@... by system 2021-10-09
Report dispatched to ...@... by system 2021-10-09
BloodyShell commented 2021-10-11: approved shows in report

Server seems offline, let's wait 24h and close.

New PDF report generated by system 2021-10-11
Report comment dispatched to zythop by system 2021-10-11
Report comment dispatched to dns.admin@safran.fr by system 2021-10-11
Report comment dispatched to cert-fr.cossi@ssi.gouv.fr by system 2021-10-11
Report marked as fixed by BloodyShell  2021-10-13
Report closed by BloodyShell  2021-10-13
New PDF report generated by system 2021-10-13
Report edited by BloodyShell  2021-10-21
New PDF report generated by system 2021-10-21
Information
Owner: Safran Group
Created: 2021-10-09 10:04
Updated: 2021-10-21 12:49
Fixed: true

Contacts
d...@safran.fr
c...@ssi.gouv.fr

Status
Status: closed
Hosting contacted: false
CERT contacted: false
