We scanned over 2.6 million domains for exposed .env files. During this scan we found 201 .env files. Besides harmless configuration settings, we found 135 database users and passwords, 48 e-mail user accounts with passwords, 11 live credentials for payment providers (like Stripe or PayPal), 98 secret tokens for different APIs, 128 app secrets (secrets used to securely generate session IDs, CSRF tokens and JWT tokens) and a few hard-coded admin credentials. Exposed .env files are a huge security risk, because the content of these files is not encrypted.
Every piece of software requires some configuration and has various settings. For end-user software, such as a mail client, these settings (email address, username, password) are requested from the user the first time the software is started. Software that runs on a server and is often installed automatically cannot rely on user interaction. Many software frameworks therefore read these settings from environment variables, which can be configured in a file with the name .env.
Example of an .env file:
ENV="PRODUCTION"
LOG_LEVEL="INFO"
SMTP_HOST="email.example.com"
SMTP_PORT=25
SMTP_USER="info@example.com"
SMTP_PASS="SuperSecurePassword2022"
SMTP_TLS=1
SMTP_CONNECTION_TIMEOUT_SECONDS=2
DB_HOST="dbserver.example.com"
DB_DATABASE_NAME="important_database"
DB_USER="my-app-db-user"
DB_PASSWORD="2022SuperVerySecurePassword"
PAYMENT_GATEWAY="payment.example.com"
PAYMENT_SECRET="super-secure-payment-api-secret"
Note: We recommend more secure passwords than the ones mentioned in the examples above.
Since almost every web application accesses a database or talks to external APIs, the credentials for these services must be passed to the application. If this is done using the .env file, the credentials are stored in plain text in that file. When the web server is misconfigured and serves this .env file, anyone can read this data simply by visiting a URL with a browser, such as https://example.com/.env.
The dangerous aspect is that the passwords and secrets are stored unencrypted in the .env file.
We scanned ~2.6 million domains for exposed .env files (only the exact file name .env, not variants such as .env.prod).
Check whether your web server blocks delivery of .env files
You can do this yourself with nuclei, or use a service like this one, which scans your domains regularly for several issues.
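A small self-check for your own domains, written as an added example rather than the scanner used for this article: it requests /.env over HTTPS and only reports exposure when the response is a 200 whose body actually looks like KEY=VALUE lines, since many servers answer every path with a 200 HTML "not found" page. The domain argument, the 0.8 ratio threshold and the list of credential-like key names are assumptions; the sample responses are constructed, and only variable names are reported, never values.

```python
import re
import urllib.error
import urllib.request

# A dotenv line: optional "export", a shell-style identifier, then "=".
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=")
# Key names that usually hold credentials (assumed list); values are never reported.
SENSITIVE_KEY = re.compile(r"PASS|SECRET|TOKEN|KEY|CREDENTIAL", re.IGNORECASE)


def looks_like_env(body: str, min_lines: int = 2) -> bool:
    """True when the body is plausibly a dotenv file, not a soft-404 HTML page."""
    if re.search(r"<(!doctype|html|body)\b", body, re.IGNORECASE):
        return False
    lines = [l for l in body.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    hits = sum(1 for l in lines if ENV_LINE.match(l))
    return bool(lines) and hits >= min_lines and hits / len(lines) >= 0.8


def sensitive_keys(body: str) -> list:
    """Variable names in a dotenv body that look like credentials (values dropped)."""
    keys = [m.group(1) for m in map(ENV_LINE.match, body.splitlines()) if m]
    return [k for k in keys if SENSITIVE_KEY.search(k)]


def classify(status: int, body: str) -> dict:
    """Verdict for one HTTP response to GET /.env: exposed only if 200 + dotenv body."""
    if status != 200 or not looks_like_env(body):
        return {"exposed": False, "keys": []}
    return {"exposed": True, "keys": sensitive_keys(body)}


def check_domain(domain: str, timeout: float = 5.0) -> dict:
    """Fetch https://<domain>/.env for a domain you operate and classify the answer."""
    req = urllib.request.Request(f"https://{domain}/.env",
                                 headers={"User-Agent": "env-exposure-self-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:  # 403/404 means the file is blocked or absent
        return classify(e.code, "")
    except (urllib.error.URLError, OSError):
        return {"exposed": False, "keys": [], "error": "unreachable"}


# Constructed sample responses (not real captures) used for an offline check.
SAMPLE_ENV = 'ENV="PRODUCTION"\nDB_USER="app"\nDB_PASSWORD="x"\nPAYMENT_SECRET="y"\n'
SAMPLE_SOFT_404 = "<!DOCTYPE html><html><body>Page not found</body></html>"

if __name__ == "__main__":
    import sys
    for d in sys.argv[1:]:
        print(d, check_domain(d))
```

Run it as `python3 envcheck.py example.com`; a result with "exposed": True means the web server needs a rule that denies dotfiles before anything else.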