How ReconwithMe detected “.env” file in Oripari.app and helped prevent
What is an Env file?
An environment variable file (.env file) is a plain-text configuration file that
holds sensitive values such as private keys, AWS credentials, mail server
details, database credentials and application secret keys.
What causes public disclosure of .env files?
.env files are usually disclosed because no access control is applied to the
file. Some developers also do not keep the .env file in the application's
root folder, and as a result it ends up in a location the web server serves
publicly.
What can happen if an attacker gets access to .env file?
With this file an attacker can access the database, send email through the
victim's mail server and use the AWS services tied to the keys. In the worst
case, the credentials can lead to a full server takeover.
For example, in Oripari's case the MySQL database credentials were publicly
readable in the .env file. An attacker with malicious intent could use these
credentials to log in to the phpMyAdmin dashboard and read the whole
database. With the SMTP credentials, an attacker could send email to anyone
from any address on the victim's domain. With the AWS keys, an attacker could
upload, update, download or delete files from the server.
Fig1: Database password disclosed in .env file of Oripari.app.
How was ReconwithMe able to detect the “.env” file in Oripari.app?
The Oripari development team was unaware that the file was publicly exposed
until they used ReconwithMe, a web application vulnerability scanner. The team
purchased a ReconwithMe subscription to scan for vulnerabilities, and within
seconds ReconwithMe reported that the .env file was disclosed on the
https://oripari.app website. The development team confirmed the finding and
patched the vulnerability.
Fig2: Oripari team finds “.env” file using ReconwithMe.
How to avoid this sort of issue in the future?
To avoid publicly disclosing a .env file, apply proper access control to the
file so the web server never serves it, and keep the .env file in the
application's root directory rather than in a publicly served folder.
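A self-check a development team can run against a site it operates, as an added example (not ReconwithMe's code and not from the Oripari team): it fetches `/.env` from the supplied base URL and decides whether the response is a dotenv file by counting `KEY=value` lines, reporting only key names so secrets are never logged. The base URL, the constructed sample body and the `classify_env_body`/`check_site` names are assumptions for this example.

```python
"""Self-check: is a site you operate serving its .env file publicly?"""
import re
import sys
import urllib.error
import urllib.request

# dotenv assignment: optional `export`, upper-case key, `=` (values ignored).
ENV_LINE = re.compile(r'^(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=', re.M)
# Key names that match the worst cases in the article: DB, mail, AWS, secrets.
SENSITIVE = re.compile(r'(PASS|SECRET|KEY|TOKEN|DB_|MAIL_|AWS_)', re.I)

# Constructed sample body (not real credentials) so the check runs offline.
SAMPLE_BODY = ("APP_NAME=Oripari\nDB_PASSWORD=hunter2\n"
               "AWS_SECRET_ACCESS_KEY=abc\nMAIL_HOST=smtp.example.com\n")


def classify_env_body(body: str, min_keys: int = 2) -> dict:
    """Return {'exposed': bool, 'keys': [...], 'sensitive': [...]}.

    A body counts as an exposed .env file only if it is not HTML and holds at
    least `min_keys` distinct assignments; this keeps custom 404 pages and
    single-page-app index files from producing false positives. Only key
    names are returned, never values, so the result is safe to log.
    """
    if re.search(r'<(html|!doctype)', body[:512], re.I):
        return {'exposed': False, 'keys': [], 'sensitive': []}
    keys = list(dict.fromkeys(ENV_LINE.findall(body)))  # dedupe, keep order
    if len(keys) < min_keys:
        return {'exposed': False, 'keys': keys, 'sensitive': []}
    return {'exposed': True, 'keys': keys,
            'sensitive': [k for k in keys if SENSITIVE.search(k)]}


def check_site(base_url: str, timeout: float = 10.0) -> dict:
    """Fetch <base_url>/.env and classify it; 403/404 means it is blocked."""
    url = base_url.rstrip('/') + '/.env'
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(65536).decode('utf-8', errors='replace')
            status = resp.status
    except urllib.error.HTTPError as e:
        return {'status': e.code, 'exposed': False, 'keys': [], 'sensitive': []}
    except urllib.error.URLError as e:
        return {'status': None, 'error': str(e.reason), 'exposed': False,
                'keys': [], 'sensitive': []}
    return {'status': status, **classify_env_body(body)}


if __name__ == '__main__':
    # With a base URL argument, check a live site; otherwise run on the sample.
    print(check_site(sys.argv[1]) if len(sys.argv) > 1
          else classify_env_body(SAMPLE_BODY))
```

If the check reports `exposed: True`, deny the path in the web server (for nginx, `location ~ /\.env { deny all; }`) and rotate every credential the file contained.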
This article was written after seeking permission from the Oripari
team. ReconwithMe would like to thank the Oripari team for allowing us
to cover a case study for the finding.