- Creation
- Validation
- Communication & fix
- Disclosure
MaisonRouge / Database credentials leak
BloodyShell
reported 2021-09-16
Environment file
The website configuration is available at https://crewplanner.maisonrouge.be/.env .
It contains credentials to a FileMaker database accessible from internet.
Source code disclosure
The .git directory at https://crewplanner.maisonrouge.be/.git/config is unprotected.
The source code for the whole site can be downloaded and credentials extracted.
Resolution
Both .env and .git should be removed and/or hidden by the webserver
IP:
188.166.64.202Port:
443Detected protocol:
httpsVulnerable URL:
https://crewplanner.maisonrouge.be/.envFM_DATABASE="maisonrouge"
FM_USERNAME="1MT"
FM_PASSWORD="<redacted>"
FM_HOST="https://database.maisonrouge.be"
Found by DotEnvConfigPlugin 2021-08-10
Report created by
BloodyShell
2021-09-16
BloodyShell
2021-09-16
Report edited by
BloodyShell
2021-09-16
BloodyShell
2021-09-16
Report approved by
BloodyShell
2021-09-16
BloodyShell
2021-09-16
New PDF report generated by system 2021-09-16
Report dispatched to ...@... by system 2021-09-16
Report dispatched to ...@... by system 2021-09-16
Report marked as fixed by
BloodyShell
2021-09-16
BloodyShell
2021-09-16
Report closed by
BloodyShell
2021-09-16
BloodyShell
2021-09-16
New PDF report generated by system 2021-09-16
Report edited by
BloodyShell
2021-09-17
BloodyShell
2021-09-17
New PDF report generated by system 2021-09-17
Report edited by
BloodyShell
2021-10-01
BloodyShell
2021-10-01
New PDF report generated by system 2021-10-01
Report edited by
BloodyShell
2021-10-04
BloodyShell
2021-10-04
New PDF report generated by system 2021-10-04
Information
Owner
MaisonRouge
Created
2021-09-16 13:02
Updated
2021-10-18 08:11
Fixed
true
Contacts
c...@maisonrouge.be
o...@maisonrouge.be
Status
Status
closed
Hosting contacted
false
CERT contacted
false
Download report