
datahq.co.uk / Exposure of public .env file

Deleted user reported 2021-10-23

A publicly accessible .env file has been found, potentially leaking personal information: http://217.19.225.20/.env

IP: 217.19.225.20
Port: 80
Detected protocol: http
Vulnerable URL: http://217.19.225.20/.env

APP_NAME=Laravel
APP_ENV=local
APP_KEY=<redacted>
APP_DEBUG=true
APP_URL=http://my.datahq.eu

LOG_CHANNEL=rollbar

DB_CONNECTION=mysql
DB_HOST=localhost
DB_PORT=3306
DB_DATABASE=datahq2
DB_USERNAME=datahq
DB_PASSWORD=<redacted>

MS_DB_CONNECTION=sqlsrv
MS_DB_HOST=<redacted>.rds.amazonaws.com
MS_DB_PORT=1433
MS_DB_DATABASE=<redacted>
MS_DB_USERNAME=<redacted>
MS_DB_PASSWORD=<redacted>

BROADCAST_DRIVER=log
CACHE_DRIVER=database
QUEUE_CONNECTION=sync
SESSION_DRIVER=file
SESSION_LIFETIME=120

REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379

MAIL_DRIVER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null

AWS_ACCESS_KEY_ID=<redacted>
AWS_SECRET_ACCESS_KEY=<redacted>
AWS_DEFAULT_REGION=eu-west-3
AWS_BUCKET=<redacted>
AWS_URL=https://s3.eu-west-3.amazonaws.com/<redacted>

PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1

MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"

URL=<redacted>
RUN_COMMANDS_OFF=false

ROLLBAR_TOKEN=<redacted>
ROLLBAR_ENV=production
ROLLBAR_LEVEL=info

UPDATE_TIME=5

CRON_RUN=on

AKENEO_USER=datahq_production
AKENEO_PASS=<redacted>
AKENEO_URL=https://pim.vapehq.eu

ODOO_URL=http://<redacted>
ODOO_CLIENT=<redacted>
ODOO_SECRET=<redacted>


RUN_CRON=on
Found by DotEnvConfigPlugin 2021-08-06
Report created by deleted-user  2021-10-23
Report approved by BloodyShell  2021-10-23
New PDF report generated by system 2021-10-23
Report dispatched to ...@... by system 2021-10-23
Report edited by BloodyShell  2021-10-27
New PDF report generated by system 2021-10-27
Report dispatched to ...@... by system 2021-10-27
system commented 2021-11-03: approved shows in report

bip! I'm a LeakIX probe.

This issue looks like it has been resolved!

New PDF report generated by system 2021-11-03
Report comment dispatched to zythop by system 2021-11-03
Report comment dispatched to info@datahq.co.uk by system 2021-11-03
Report comment dispatched to abuse@combell.com by system 2021-11-03
Report marked as fixed by BloodyShell  2021-11-03
Report closed by BloodyShell  2021-11-03
New PDF report generated by system 2021-11-03
Report edited by BloodyShell  2021-11-03
New PDF report generated by system 2021-11-03
Information
Owner datahq.co.uk
Created 2021-10-23 11:04
Updated 2021-11-03 18:46
Fixed true

Contacts
i...@datahq.co.uk
a...@combell.com

Status
Status closed
Hosting contacted false
CERT contacted false
