Env file detection in oripari.app
A case study.
How ReconwithMe detected “.env” file in Oripari.app and helped prevent cyber attack
What is an Env file?
An environment variable file (.env file) is a plain-text configuration file that holds sensitive values such as private keys, AWS credentials, mail server details, database credentials and other secret keys.
What causes public disclosure of .env files?
.env files are often disclosed publicly because of improper access control on the file. Some people also do not store the .env file in the root folder, which leaves it publicly exposed.
What can happen if an attacker gets access to .env file?
With this file an attacker can gain access to the database, send email through the victim's mail server, and use their AWS services. In the worst case, an attacker can even take over the server.
For example, in Oripari's case the MySQL database credentials were publicly readable in the .env file. An attacker with bad intentions could use these credentials to log in to the phpMyAdmin dashboard and read the whole database. With the SMTP credentials, an attacker could send email to anyone from any address on the victim's domain. With the AWS keys, an attacker could upload, update, download or remove files from the server.
Fig1: Database password disclosed in .env file of Oripari.app.
How was ReconwithMe able to detect the “.env” file in Oripari.app?
The Oripari development team was unaware of the public disclosure of the file until they used ReconwithMe, a web application vulnerability finder. Oripari's development team purchased a ReconwithMe subscription plan to scan for vulnerabilities, and within seconds ReconwithMe found that the .env file was exposed on the https://oripari.app website. The development team confirmed and patched the vulnerability.
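The two passages above describe what an exposed .env file gives away (database, SMTP and AWS credentials) and how a scanner recognises that the file is being served. The following is an added example, not ReconwithMe's code and not anything from the Oripari case: it takes the status, content type and body of a response already fetched from `/.env` on a site you operate, decides whether the body is a real environment file rather than an HTML error page, and lists which credential categories are exposed so the owner knows what to rotate. The variable names in `CATEGORIES` and the sample bodies are constructed conventions (Laravel-style names), not values from the article.

```python
"""Triage helper for a suspected exposed .env file (added example, not ReconwithMe's code)."""
import re
from dataclasses import dataclass, field

# KEY=VALUE, optionally prefixed with "export"
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

# Credential categories the article describes, keyed by substrings commonly
# found in variable names (assumed conventions, not taken from the article).
CATEGORIES = {
    "database": ("DB_PASSWORD", "DB_USERNAME", "DATABASE_URL", "MYSQL_"),
    "mail":     ("MAIL_PASSWORD", "MAIL_USERNAME", "SMTP_"),
    "aws":      ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"),
    "app":      ("APP_KEY", "SECRET_KEY", "JWT_SECRET"),
}


@dataclass
class EnvFinding:
    is_env: bool
    variables: dict = field(default_factory=dict)   # name -> raw value
    exposed: dict = field(default_factory=dict)     # category -> [names]


def parse_env(body: str) -> dict:
    """Parse KEY=VALUE lines; skip blank and comment lines; strip surrounding quotes."""
    found = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        found[key] = val
    return found


def classify_response(status: int, content_type: str, body: str) -> EnvFinding:
    """Decide whether an HTTP response looks like a served .env file and what it exposes."""
    if status != 200:
        return EnvFinding(False)
    # Soft-404 and landing pages come back as HTML with status 200
    if "text/html" in content_type.lower() or "<html" in body[:512].lower():
        return EnvFinding(False)
    lines = [l for l in body.splitlines() if l.strip() and not l.strip().startswith("#")]
    variables = parse_env(body)
    # Require that at least 80% of the meaningful lines parse as assignments
    if not lines or len(variables) < max(1, int(0.8 * len(lines))):
        return EnvFinding(False, variables)
    exposed = {}
    for key, value in variables.items():
        if not value:
            continue
        for cat, needles in CATEGORIES.items():
            if any(n in key.upper() for n in needles):
                exposed.setdefault(cat, []).append(key)
                break
    return EnvFinding(True, variables, exposed)


def redact(value: str) -> str:
    """Keep only a two-character prefix so the report can be shared without re-leaking secrets."""
    return value[:2] + "*" * max(0, len(value) - 2) if value else ""


# Constructed sample responses (not real Oripari data).
LEAKED_BODY = """# constructed sample
APP_ENV=production
APP_KEY=base64:ZmFrZWtleWZha2VrZXlmYWtla2V5ZmFrZQ==
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_USERNAME=app_user
DB_PASSWORD='Sup3rSecret!'
MAIL_HOST=smtp.example.com
MAIL_USERNAME=noreply@example.com
MAIL_PASSWORD=mailpass123
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE
AWS_SECRET_ACCESS_KEY=examplesecretexamplesecretexample
"""
NOT_FOUND_BODY = "<html><body><h1>404 Not Found</h1></body></html>"

if __name__ == "__main__":
    for name, resp in (("leak", (200, "text/plain", LEAKED_BODY)),
                       ("soft-404", (200, "text/html", NOT_FOUND_BODY))):
        finding = classify_response(*resp)
        print(f"{name}: is_env={finding.is_env}")
        for cat, keys in finding.exposed.items():
            print(f"  rotate {cat}: " +
                  ", ".join(f"{k}={redact(finding.variables[k])}" for k in keys))
```

The fetch itself is deliberately left out so the helper runs offline on captured responses; the important part of the triage is the rotation list, since once the file has been served every credential in it has to be treated as compromised regardless of whether anyone is known to have read it.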
Fig2: Oripari team finds “.env” file using Reconwithme.
How to avoid this sort of issue happening in future?
To avoid publicly disclosing .env files, make sure the .env file has proper access control. Also make sure the .env file is in the root directory.
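The two controls above (restrictive access to the file, and keeping it in the project root rather than a published directory) can be checked mechanically before a deployment goes live. The following is an added example, not code from the article or from ReconwithMe: it audits a .env file's mode bits, flags it if it sits inside a directory the web server publishes, and tightens the mode to owner-only. The `public/` subdirectory used as the served directory in `demo()` is an assumption about the deployment layout, and the file contents are constructed.

```python
"""Local .env access-control audit (added example, not from the article or ReconwithMe)."""
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple


def audit_env_file(env_path: str, served_dir: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means both checks passed.

    served_dir is the directory the web server publishes directly (an assumption
    supplied by the caller); a .env file inside it is reachable over HTTP.
    """
    findings = []
    p = Path(env_path)
    if not p.exists():
        return [f"{env_path}: file not found"]
    mode = p.stat().st_mode
    if mode & stat.S_IRGRP:
        findings.append(f"{env_path}: group-readable (mode {oct(mode & 0o777)})")
    if mode & stat.S_IROTH:
        findings.append(f"{env_path}: world-readable (mode {oct(mode & 0o777)})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{env_path}: writable by group or others")
    if served_dir is not None:
        try:
            p.resolve().relative_to(Path(served_dir).resolve())
            findings.append(f"{env_path}: located inside served directory {served_dir}")
        except ValueError:
            pass  # not under served_dir, which is what we want
    return findings


def restrict_env_file(env_path: str) -> int:
    """Restrict the file to its owner (rw-------) and return the resulting mode bits."""
    os.chmod(env_path, 0o600)
    return os.stat(env_path).st_mode & 0o777


def demo() -> Tuple[List[str], List[str]]:
    """Create a throwaway project with a loosely permissioned .env under public/,
    audit it, fix the permissions, move it to the project root, and re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        served = Path(tmp) / "public"          # assumed: directory the web server publishes
        served.mkdir()
        env = served / ".env"
        env.write_text("DB_PASSWORD=constructed-sample\n")   # constructed contents
        os.chmod(env, 0o644)                   # typical default: world-readable
        before = audit_env_file(str(env), str(served))
        restrict_env_file(str(env))
        moved = Path(tmp) / ".env"             # project root, outside public/
        env.rename(moved)
        after = audit_env_file(str(moved), str(served))
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after)
```

Running `demo()` reports three findings for the initial layout (group-readable, world-readable, inside the served directory) and none after the fix; in a real deployment the same two functions would be pointed at the application's own .env path and document root.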
This article was written after seeking permission from the Oripari team. ReconwithMe would like to thank the Oripari team for allowing us to cover a case study for the finding.