Blog: Data leak in a Laravel PHP application

Intro / TL;DR

We scanned over 2.6 million domains for exposed .env files and found 201 of them. Besides harmless configuration settings, those files contained 135 database users and passwords, 48 e-mail accounts with passwords, 11 live credentials for payment providers (such as Stripe or PayPal), 98 secret tokens for various APIs, 128 app secrets (the keys used to generate session ids, CSRF tokens and JWT tokens) and a few hard-coded admin credentials. An exposed .env file is a serious security risk: its contents are stored in plain text, so anyone who can request the file over HTTP gets every secret in it without any further effort.

In about 10% of the exposed configuration files debug mode was switched on. We assume that many more Laravel applications are running with debug mode on, since only the ones that also exposed their .env file showed up in this scan.

Mistake 1: Running in debug mode in production

If you run a Laravel application in debug mode on a production system, an attacker only needs to trigger an error; a malformed request or an unexpected parameter is usually enough. In debug mode Laravel answers with a detailed error page: the exception class and message, the file and line where it was thrown and the full stack trace. That output leaks sensitive information, for example the absolute path of the application on the server, internal hostnames, and, for a failed database query, the SQL statement itself, which Laravel includes in the exception message. Always set the APP_DEBUG configuration variable to false when you deploy a Laravel application to production.
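To make the leak concrete, here is an added example (not code from the original post) that inspects a single error response and reports what a debug-mode application gives away. It relies on Laravel's exception handler: for a request that accepts JSON it returns message, exception, file, line and trace when APP_DEBUG is true, and only {"message": "Server Error"} when it is false (the HTML error page shows the same trace, but the JSON form is easier to check mechanically). The response bodies, the /var/www/shop paths and the 'shop' application are all constructed for the example.

```python
"""Spot a Laravel application running with APP_DEBUG=true from one error response.

Added example; not code from the original post. With debug mode on, Laravel's
JSON error response carries 'exception', 'file', 'line' and 'trace'; with debug
mode off only 'message' is present. The bodies below are constructed.
"""
import json
import os

# Constructed: what a debug-mode app answers when a database query fails.
DEBUG_ON_JSON = json.dumps({
    "message": "SQLSTATE[HY000] [1045] Access denied for user 'shop'@'10.0.0.5' "
               "(SQL: select * from orders where id = 1)",
    "exception": "Illuminate\\Database\\QueryException",
    "file": "/var/www/shop/vendor/laravel/framework/src/Illuminate/Database/Connection.php",
    "line": 712,
    "trace": [
        {"file": "/var/www/shop/app/Http/Controllers/OrderController.php",
         "line": 41, "function": "select", "class": "Illuminate\\Database\\Connection"},
        {"function": "show", "class": "App\\Http\\Controllers\\OrderController"},
    ],
})

# Constructed: the same failure with APP_DEBUG=false.
DEBUG_OFF_JSON = json.dumps({"message": "Server Error"})


def debug_info_leaked(body):
    """Return what a debug-mode JSON error response reveals, or {} if nothing.

    'exception' and 'trace' only appear with debug mode on, so a body carrying
    both is the positive signal. File paths are collected because their common
    prefix tells an attacker where the application is deployed on disk.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return {}
    if not isinstance(data, dict) or "exception" not in data or "trace" not in data:
        return {}
    trace = data["trace"] if isinstance(data["trace"], list) else []
    frames = [data] + [f for f in trace if isinstance(f, dict)]
    paths = sorted({f["file"] for f in frames if isinstance(f.get("file"), str)})
    if len(paths) > 1:
        root = os.path.commonpath(paths)
    elif paths:
        root = os.path.dirname(paths[0])
    else:
        root = None
    return {
        "exception": data.get("exception"),
        "message": data.get("message"),
        "paths": paths,
        "project_root": root,
    }


if __name__ == "__main__":
    for label, body in (("debug on", DEBUG_ON_JSON), ("debug off", DEBUG_OFF_JSON)):
        print(label, debug_info_leaked(body) or "nothing leaked")
```

Note what the positive case hands over: the exception class, the failing SQL statement (with the database user and host from the driver's message), two absolute paths, and from those the deployment directory /var/www/shop, which is exactly what an attacker needs for path-based follow-up attacks.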

Mistake 2: Exposed .env file

Laravel uses environment variables for its configuration, such as the database user and password, and reads them from the .env file in the project root. That file normally sits outside the web root, because Laravel expects the web server's document root to be the public/ directory; it becomes reachable when the document root is pointed at the project root instead, or when the server is configured to serve dotfiles. If the .env file is accessible over the internet, an attacker can read everything in it and, for example, connect to the database directly. We also found API secrets, Office 365 admin accounts and live payment provider credentials (Stripe and PayPal) exposed in .env files.
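The following is an added example (not code from the original post or from the scanning service mentioned later) showing how to triage the body a server returns for GET /.env. Two points matter in practice: an HTTP 200 alone proves nothing, because a catch-all route or a single-page-app fallback answers 200 with HTML for any path, so the body is first checked for KEY=VALUE structure; and the variables are then grouped into the categories counted in the scan above. The mapping from variable names to categories follows Laravel's default .env.example plus a few common packages and is an assumption; the sample .env and the HTML fallback are constructed with placeholder values.

```python
"""Triage the body returned for GET /.env: is it an env file, and what does it leak?

Added example; not code from the original post. The category mapping is an
assumption based on Laravel's .env.example; the sample bodies are constructed
and contain no real credentials.
"""
import re

ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=(.*)$")
SECRET_NAME = re.compile(r"SECRET|TOKEN|PASSWORD|KEY")

# Assumed mapping from variable names to the categories counted in the scan.
CATEGORIES = {
    "database credentials": ("DB_USERNAME", "DB_PASSWORD"),
    "mail credentials": ("MAIL_USERNAME", "MAIL_PASSWORD"),
    "payment provider": ("STRIPE_KEY", "STRIPE_SECRET", "PAYPAL_CLIENT_ID", "PAYPAL_SECRET"),
    "app secret": ("APP_KEY", "JWT_SECRET"),
}

# Constructed sample: a production .env with debug left on. Nothing here is real.
SAMPLE_ENV = """\
APP_NAME=Shop
APP_ENV=production
APP_KEY=base64:cGxhY2Vob2xkZXItbm90LWEtcmVhbC1rZXk=
APP_DEBUG=true
APP_URL=https://shop.example

DB_CONNECTION=mysql
DB_HOST=10.0.0.5
DB_DATABASE=shop
DB_USERNAME=shop
DB_PASSWORD="s3cr3t pa55"

MAIL_USERNAME=noreply@shop.example
MAIL_PASSWORD=placeholder-mail-pass

STRIPE_KEY=pk_live_placeholder
STRIPE_SECRET=sk_live_placeholder
PUSHER_APP_SECRET=placeholder-pusher-secret

# not set on this host
AWS_SECRET_ACCESS_KEY=
"""

# Constructed sample: what a SPA fallback route returns for /.env with status 200.
SAMPLE_HTML = "<!DOCTYPE html><html><head><title>Shop</title></head><body></body></html>"


def parse_env(body):
    """Parse KEY=VALUE lines; blank lines and comments are skipped, surrounding quotes dropped."""
    env = {}
    for line in body.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def is_env_file(body):
    """True when the body is mostly KEY=VALUE lines: at least 3, and 80% of the non-comment lines."""
    if body.lstrip().startswith("<"):
        return False
    lines = [l for l in body.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    matched = sum(1 for l in lines if ENV_LINE.match(l))
    return matched >= 3 and matched >= 0.8 * len(lines)


def triage(body):
    """Group the non-empty secrets by category; None when the body is not an env file."""
    if not is_env_file(body):
        return None
    present = {k: v for k, v in parse_env(body).items() if v}
    findings, seen = {}, set()
    for category, keys in CATEGORIES.items():
        hits = [k for k in keys if k in present]
        if hits:
            findings[category] = hits
            seen.update(hits)
    # Anything else whose name looks secret-bearing, e.g. third-party API keys.
    other = [k for k in present if k not in seen and SECRET_NAME.search(k)]
    if other:
        findings["other secrets"] = other
    findings["debug_mode"] = present.get("APP_DEBUG", "").lower() == "true"
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_ENV))
    print(triage(SAMPLE_HTML))
```

If the triage reports anything for one of your own hosts, fix the server first (document root on public/, dotfiles denied) and then rotate every secret in the file, APP_KEY included, because the file may have been read long before you noticed; keep in mind that rotating APP_KEY invalidates existing sessions and any values encrypted with the old key.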

Take away

Check that your Laravel application has APP_DEBUG set to false on the production server.

You can protect yourself against accidentally exposing .env files by scanning your own systems with nuclei and its corresponding template, or by using a service like this one to automate the scan across all your subdomains.
