Environment Variable File (Env file) is a configuration text file that contains sensitive information like private keys, aws credentials, mail server details, database credentials and even secret keys.

Env files are often disclosed publicly because of improper access control given to the file. Some people do not store .env files in the root folder due to which it is publicly exposed.

Using this file an attacker can get access to the database, send email from their mail server, get access to aws services. In the worst case scenario, an attacker can even do a server takeover.

For example, in Oripari’s case, my sql database credentials were publicly available in the Env file. An attacker with wrong intention could use this credential to get access to the PhpMyAdmin dashboard and access the whole database. Using SMTP credential, an attacker could send email to anyone from all email addresses of the victim domain to anyone. Using aws keys an attacker can upload, update, download or remove files from the server.

The Oripari development team was unaware of the public disclosure of the file until they used ReconwithMe, a web application vulnerability finder. Oripari’s development team purchased ReconwithMe’s subscription plan to scan for vulnerabilities and within seconds ReconwithMe was able to find that the Env file had been disclosed in the https://oripari.app website. The development team confirmed and patched the vulnerability.

In order to avoid publicly disclosing .env files, make sure you give proper access control to the .env file. Also make sure the .env file is in the root directory.

This article was written after seeking permission from the Oripari team. ReconwithMe would like to thank the Oripari team for allowing us to cover a case study for the finding.