
Clanvi / Credentials exposure through .env file

Deleted user reported 2021-10-08

Description

Certain credentials are public due to the exposure of the .env file at:

https://is.prod.clanvi.com/.env

Resolution

  • .env should be removed and/or hidden by the webserver.
  • All impacted credentials should be reset.
  • Database servers should be investigated for potential leaks.
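A regression check for the resolution steps above, added here as an example and not part of the original report: it fetches /.env from a host you operate, decides whether the response body is a dotenv file rather than an error page, and lists the keys whose values would need rotation. The sample body is constructed (placeholder values only) and any host name passed to check_host is an assumption.

```python
import re
import urllib.error
import urllib.request

ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=\s*(.*)$")
FRAMEWORK_PREFIXES = ("APP_", "DB_", "REDIS_", "MAIL_", "QUEUE_")
SECRET_HINTS = ("KEY", "SECRET", "PASSWORD", "TOKEN")

# Constructed sample shaped like the leaked file above; values are placeholders.
SAMPLE_BODY = """APP_DEBUG=false
APP_KEY=base64:PLACEHOLDER
# ERP database connection
DB_PG_PASSWORD="placeholder"
MAIL_PASSWORD=null
QUEUE_CONNECTION = "redis"
DADATA_TOKEN=placeholder
"""

def parse_dotenv(text):
    """Map KEY -> value for assignment lines; blank lines and '#' comments are skipped."""
    env = {}
    for line in text.splitlines():
        match = ASSIGNMENT.match(line)
        if match and not line.lstrip().startswith("#"):
            env[match.group(1)] = match.group(2).strip().strip("\"'")
    return env

def looks_like_dotenv(text, min_keys=3):
    """Treat a body as a leaked dotenv only if it yields several assignments and one
    key has a framework prefix, so an HTML error page with a stray '=' is not flagged."""
    env = parse_dotenv(text)
    return len(env) >= min_keys and any(k.startswith(FRAMEWORK_PREFIXES) for k in env)

def credentials_to_rotate(env):
    """Keys whose name suggests a secret and whose value is not empty or 'null'."""
    return sorted(k for k, v in env.items()
                  if any(h in k for h in SECRET_HINTS) and v not in ("", "null"))

def assess_body(status, body):
    """Return (exposed, keys_to_rotate) for one HTTP response to GET /.env."""
    if status != 200 or not looks_like_dotenv(body):
        return False, []
    return True, credentials_to_rotate(parse_dotenv(body))

def check_host(base_url, timeout=10):
    """Fetch <base_url>/.env from a host you operate; a 403/404 means the fix holds."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + "/.env", timeout=timeout) as resp:
            return assess_body(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return assess_body(err.code, "")
```

Run check_host against your own base URL after deploying the web server deny rule; assess_body(200, SAMPLE_BODY) shows what a still-exposed file reports.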
IP: 31.184.213.6
Port: 443
Detected protocol: https
APP_DEBUG=false
APP_URL=https://is.clanvi.com/
APP_KEY=<redacted>
APP_ENV=production
#APP_ENV=staging
#APP_ENV=testing
#APP_ENV=development

DB_CONNECTION=mysql
DB_PG_CONNECTION=mysql
# connection to the ERP database
DB_PG_HOST=<redacted>
DB_PG_PORT=5000
DB_PG_DATABASE=isclan
DB_PG_USERNAME=isclan
DB_PG_PASSWORD=<redacted>
DB_PG_SCHEMA=public0921

# connection to the shop database
DB_PG2_HOST=<redacted>
DB_PG2_PORT=5000
DB_PG2_DATABASE=apiclan
DB_PG2_USERNAME=apiclan
DB_PG2_PASSWORD=<redacted>
DB_PG2_SCHEMA=public

# OLD with stocks
DB_PG_DATABASE2=isclan
DB_PG_SCHEMA2=public0913

REDIS_HOST=<redacted>
REDIS_PASSWORD=<redacted>
REDIS_PORT=6379

CACHE_DRIVER=redis

SESSION_DRIVER=redis

QUEUE_DRIVER=database
QUEUE_CONNECTION = "redis"
QUEUE_DEFAULT = "default"
QUEUE_RETRY_AFTER = 90

MAIL_DRIVER=smtp
MAIL_HOST=smtp.mailgun.org
MAIL_PORT=587
MAIL_ENCRYPTION=tls
MAIL_USERNAME=null
MAIL_PASSWORD=null

ROUTES_CACHE=false
ASSET_CACHE=false
LINK_POLICY=secure
ENABLE_CSRF=false

DADATA_TOKEN=<redacted>
DADATA_SECRET=<redacted>

SFTP_HOST=clanvi.hpdev.ru
SFTP_PORT=7
SFTP_USERNAME=ubuntu
SFTP_PASSWORD=<redacted>
#SFTP_PRIVATE_KEY_PATH="~/.ssh/id_rsa"
SFTP_ROOT="/home/ubuntu/clanvi-api/media/"

#STORAGE
DEFAULT_STORAGE=selectel
SHOP_STORAGE=prod
INNER_SHOP_DIR=

SELECTEL_USERNAME=<redacted>
SELECTEL_PASSWORD=<redacted>
SELECTEL_CONTAINER=clan6
SELECTEL_DOMAIN=<redacted>

SYNC_API_URL=https://api.clanvi.com
ORDER_SYNC_API_LINK=/api/orders/set_status/
ORDER_SYNC_API_FLAG=true
ORDER_SYNC_API_KEY=<redacted>
DPD_SYNC_API_LINK=/api/orders/generate_dpd_track_number/

UPDATE_CRON_TIME=60


AUTH_KEY=<redacted>


ONESIGNAL_APP_ID=<redacted>
ONESIGNAL_REST_API_KEY=<redacted>
Found by DotEnvConfigPlugin 2021-09-17
Report created by deleted-user 2021-10-08
Report edited by deleted-user 2021-10-08
Report edited by BloodyShell 2021-10-08
Report approved by BloodyShell 2021-10-08
New PDF report generated by system 2021-10-08
Report dispatched to ...@... by system 2021-10-08
Report marked as fixed by BloodyShell 2021-10-09
Report closed by BloodyShell 2021-10-09
New PDF report generated by system 2021-10-09
Information
Owner Clanvi
Created 2021-10-08 07:55
Updated 2021-10-09 16:02
Fixed true

Contacts
i...@clanvi.com

Status
Status closed
Hosting contacted false
CERT contacted false
