credentia.biz / Credentials leak due to exposure of .env file

reported 2021-09-16

Description

The web server serves the application's Laravel-style .env file, which holds its runtime configuration in plaintext. Anyone requesting the URL below can read the APP_KEY, the MySQL credentials (DB_USERNAME=root with its password) and the SMTP mailbox password for jaspreet@credentia.biz. The file also sets APP_ENV=local and APP_DEBUG=true on a live host, so the application renders verbose debug error pages.

Exposing URL

https://fms.credentia.biz/.env

Resolution

Remove .env from the served directory (a Laravel deployment should use public/ as the document root, so .env is never reachable) and configure the web server to deny requests for dotfiles. Since the file has already been served, every non-empty secret in it (APP_KEY, DB_PASSWORD, MAIL_PASSWORD) must be rotated, and APP_DEBUG should be set to false in production.

IP: 14.141.50.203
Port: 443
Detected protocol: https

Retrieved .env content (secrets redacted)

APP_NAME=CREDENTIA
APP_ENV=local
APP_KEY=base64:<redacted>
APP_DEBUG=true
APP_URL=http://localhost:/crendentia

LOG_CHANNEL=stack

DB_CONNECTION=mysql_credentia
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=live_credentia_default
DB_USERNAME=root
DB_PASSWORD=<redacted>

BROADCAST_DRIVER=log
CACHE_DRIVER=file
QUEUE_CONNECTION=sync
SESSION_DRIVER=file
SESSION_LIFETIME=120

REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379

MAIL_DRIVER=smtp
MAIL_HOST=smtp.gmail.com
MAIL_PORT=587
MAIL_USERNAME=jaspreet@credentia.biz
MAIL_PASSWORD=<redacted>
MAIL_ENCRYPTION=tls

AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_DEFAULT_REGION=us-east-1
AWS_BUCKET=

PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1

EUROSIGN=£
PERCENTAGESIGN=%
VOLUME=Litres
GROSSMARGIN=ppl
LITRE=ℓ

MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
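The following triage helper is an added example and is not code from the report or from the DotEnvConfigPlugin scanner named in the log. Given the HTTP status and body returned for /.env it decides whether a Laravel .env is really exposed (a 200 carrying a generic HTML page is a false positive), lists which keys hold live secrets so they can be rotated, and can be pointed at a URL to confirm a fix such as the 403 noted below. The embedded sample mirrors the redacted dump above with placeholder values; the key lists and the `env-check` User-Agent are assumptions.

```python
"""Check whether a served .env file really exposes secrets, and which ones."""
import re
import sys
import urllib.error
import urllib.request

ENV_LINE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')

# Keys whose non-empty values must be rotated once the file has been served.
# Assumed list: extend it for the framework in use.
SECRET_KEYS = {
    "APP_KEY", "DB_PASSWORD", "REDIS_PASSWORD", "MAIL_PASSWORD",
    "AWS_SECRET_ACCESS_KEY", "PUSHER_APP_SECRET",
}
# Keys that identify a Laravel .env with high confidence (assumed markers).
LARAVEL_MARKERS = {"APP_KEY", "APP_ENV", "DB_CONNECTION", "LOG_CHANNEL"}


def parse_env(body: str) -> dict:
    """Parse KEY=VALUE lines; skips comments, strips matching quotes and
    trailing ' # comment' on unquoted values. ${VAR} references are kept."""
    env = {}
    for line in body.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] in ('"', "'") and value[-1] == value[0]:
            value = value[1:-1]
        else:
            value = value.split(" #", 1)[0].strip()
        env[key] = value
    return env


def is_env_exposed(status: int, body: str) -> bool:
    """True only for a 200 whose body parses as a Laravel .env."""
    if status != 200:
        return False
    env = parse_env(body)
    return len(LARAVEL_MARKERS & env.keys()) >= 2


def secrets_to_rotate(env: dict) -> list:
    """Secret-bearing keys that actually hold a value (empty or 'null' is not live)."""
    return sorted(k for k in SECRET_KEYS
                  if env.get(k, "").strip().lower() not in ("", "null"))


def check_url(url: str):
    """Fetch url and return (status, body). Network call, used from the CLI only."""
    req = urllib.request.Request(url, headers={"User-Agent": "env-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


# Constructed sample mirroring the redacted dump in the report.
SAMPLE_ENV = """APP_NAME=CREDENTIA
APP_ENV=local
APP_KEY=base64:REDACTED
APP_DEBUG=true
LOG_CHANNEL=stack
DB_CONNECTION=mysql_credentia
DB_USERNAME=root
DB_PASSWORD=REDACTED
REDIS_PASSWORD=null
MAIL_PASSWORD=REDACTED
AWS_SECRET_ACCESS_KEY=
PUSHER_APP_SECRET=
MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
"""

if __name__ == "__main__":
    # python3 envcheck.py https://host/.env  -> checks the live URL
    # python3 envcheck.py                    -> runs against the sample
    if len(sys.argv) > 1:
        status, body = check_url(sys.argv[1])
    else:
        status, body = 200, SAMPLE_ENV
    if is_env_exposed(status, body):
        print("EXPOSED; rotate:", ", ".join(secrets_to_rotate(parse_env(body))))
    else:
        print(f"not exposed (HTTP {status})")
```

Run against the sample it reports APP_KEY, DB_PASSWORD and MAIL_PASSWORD as live secrets while ignoring REDIS_PASSWORD=null and the empty AWS and Pusher values; run against a fixed host returning 403 it reports not exposed.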
Found by DotEnvConfigPlugin 2021-09-15
Report created by iampritam 2021-09-16
Report approved by BloodyShell 2021-09-16
New PDF report generated by system 2021-09-16
Report dispatched to ...@... by system 2021-09-16
BloodyShell commented 2021-09-17: approved doesn't show in report

Looks fixed! It's now 403.

Report comment dispatched to iampritam by system 2021-09-17
Report marked as fixed by iampritam 2021-09-17
Report closed by iampritam 2021-09-18
New PDF report generated by system 2021-09-18
Report edited by BloodyShell 2021-10-04
New PDF report generated by system 2021-10-04

Information
Owner credentia.biz
Created 2021-09-16 15:23
Updated 2021-10-05 17:36
Fixed true

Contacts
i...@credentia.biz

Status
Status closed
Hosting contacted false
CERT contacted false