• Creation
  • Validation
  • Communication & fix
  • Disclosure

MaisonRouge / Database credentials leak

reported 2021-09-16

Environment file

The website configuration is available at https://crewplanner.maisonrouge.be/.env .

It contains credentials to a FileMaker database accessible from internet.

Source code disclosure

The .git directory at https://crewplanner.maisonrouge.be/.git/config is unprotected.

The source code for the whole site can be downloaded and credentials extracted.

Resolution

Both .env and .git should be removed and/or hidden by the webserver

IP:
188.166.64.202
Port:
443
Detected protocol:
https
FM_DATABASE="maisonrouge"
FM_USERNAME="1MT"
FM_PASSWORD="<redacted>"
FM_HOST="https://database.maisonrouge.be"
Found by DotEnvConfigPlugin 2021-08-10
Report created by    BloodyShell  2021-09-16
Report edited by    BloodyShell  2021-09-16
Report approved by    BloodyShell  2021-09-16
New PDF report generated by system 2021-09-16
Report dispatched to ...@... by system 2021-09-16
Report dispatched to ...@... by system 2021-09-16
Report marked as fixed by    BloodyShell  2021-09-16
Report closed by    BloodyShell  2021-09-16
New PDF report generated by system 2021-09-16
Report edited by    BloodyShell  2021-09-17
New PDF report generated by system 2021-09-17
Report edited by    BloodyShell  2021-10-01
New PDF report generated by system 2021-10-01
Report edited by    BloodyShell  2021-10-04
New PDF report generated by system 2021-10-04
Information
Owner MaisonRouge
Created 2021-09-16 13:02
Updated 2021-10-16 11:35
Fixed true

Contacts
c...@maisonrouge.be
o...@maisonrouge.be

Status
Status closed
Hosting contacted false
CERT contacted false

Download report