Do you think a Laravel website can be hacked?
Before I start writing, I would like to share this Reddit comment with you:
So, we'll talk about a popular framework that I think most developers have heard of: Laravel.
As we know, the creators of this framework wanted to make things more secure than before.
I had a client a few days ago who asked me to maintain his web application and build a new module for him. He was using Laravel. While I was fixing some issues, I checked the .env file to see whether the MySQL password was correct, because I was having problems with the migrations 😠. By mistake I visited this link:
http://www.site.com/.env
Oops!! I could see the content of the environment file 😆
I know, I know … people make mistakes and forget to read the framework's documentation carefully ..
https://laravel.com/docs/5.6/configuration
I think it’s clear. No?
Anyway, that is not the point; the rest of the world has a huge problem. I did some research and found that many websites are vulnerable to this type of exposure.
75,000 results. That's too many, no? (Dork hidden, to avoid handing untrusted readers an attack recipe.)
So I went further and wrote a Google scraper in Python ❤, and my prediction was right: there's a lot of blood on the street 👌
The worse part: some of them are big websites, and they run phpMyAdmin or even allow remote access to their databases on port 3306, so the DB_USERNAME and DB_PASSWORD from a leaked .env are enough to log straight in.
This is the structure of the .env file :
https://github.com/laravel/laravel/blob/master/.env.example
There's some serious information in there, guys: the APP_KEY, the database credentials, and the mail and other service passwords. So now let's talk about hiding this gun 😆.
This is a simple solution: create a .htaccess file in the directory the web server is actually serving (the one that contains .env) and put this code inside:
# Disable directory listing
Options -Indexes
# Deny every request for the .env file
<Files .env>
    # Apache 2.4 syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 syntax
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
And we're done, at least on Apache with AllowOverride enabled. nginx ignores .htaccess entirely, so there you deny /.env in a location block instead. The real fix, though, is to point the document root at Laravel's public/ directory: .env lives one level above it and should never be reachable at all. Whatever you change, request /.env yourself afterwards and confirm you get a 403 or 404, not the file.
Don't ask for the Python tool ;). Just for the curious: when you fetch the URL to check whether the .env file exists, getcode() comes back 403 (Forbidden) until you send a browser User-Agent header:
from urllib.request import Request, urlopen
# the default Python-urllib User-Agent gets a 403; a browser one goes through
req = Request(url, headers={'User-Agent': 'Mozilla/5.0'})
print(urlopen(req).getcode())
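To check your own site after the fix, here is an added example (my own code for this page, not the author's scraper and not anything from the Laravel project). It sends the same browser User-Agent, but decides from the response body rather than the status code, because many hosts answer 200 with an HTML page for any path; it also treats Laravel's bare null as an empty value, so a line like MAIL_PASSWORD=null is not reported as a leak. The key names come from laravel's .env.example; the sample bodies, the function names and the masking are my own assumptions.

```python
"""Self-check for an exposed Laravel .env file.

Added example for this post, not the author's scraper. It judges the
response body, not only the status code: plenty of servers answer 200
with an HTML page for any path, so "200 on /.env" alone is a false
positive. Key names come from laravel/.env.example; the sample bodies
below are constructed.
"""
import re
import sys
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Values that let an attacker straight in (names from .env.example).
SENSITIVE_KEYS = ("APP_KEY", "DB_PASSWORD", "REDIS_PASSWORD",
                  "MAIL_PASSWORD", "PUSHER_APP_SECRET")
# A dotenv body must define at least one of these to count as Laravel's.
LARAVEL_MARKERS = ("APP_KEY", "APP_ENV", "DB_CONNECTION")

# Constructed sample of what a leaked file looks like (fake values).
SAMPLE_ENV = """\
# constructed sample, not a real deployment
APP_NAME=Laravel
APP_ENV=production
APP_KEY=base64:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
APP_DEBUG=false
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=shop
DB_USERNAME=shop
DB_PASSWORD="s3cret"
MAIL_PASSWORD=null
"""
# Constructed "soft 404": a 200 page that is not a dotenv file at all.
SAMPLE_HTML = "<!DOCTYPE html><html><body><h1>Page not found</h1></body></html>"

_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_env(body: str) -> dict:
    """Parse KEY=VALUE lines; comments and blank lines skipped, quotes stripped."""
    env = {}
    for line in body.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def looks_like_laravel_env(body: str) -> bool:
    """True only for a body that parses as dotenv and carries Laravel keys."""
    if "<html" in body[:512].lower():      # an HTML page, not a dotenv file
        return False
    env = parse_env(body)
    return any(k in env for k in LARAVEL_MARKERS)


def leaked_secrets(body: str) -> dict:
    """Sensitive keys that carry a real value, with the value masked.
    Laravel reads a bare 'null' (as in .env.example) as no value at all."""
    env = parse_env(body)
    return {k: "*" * len(v) for k, v in env.items()
            if k in SENSITIVE_KEYS and v and v.lower() != "null"}


def check_env_exposure(url: str, timeout: float = 10.0) -> tuple:
    """GET url with a browser User-Agent (as the post's tool does) and return
    (status, exposed, masked_secrets). Unreachable hosts give status None."""
    req = Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            status = resp.getcode()
            body = resp.read(65536).decode("utf-8", "replace")
    except HTTPError as e:            # 403/404 etc.: the file is not served
        return e.code, False, {}
    except URLError:
        return None, False, {}
    exposed = status == 200 and looks_like_laravel_env(body)
    return status, exposed, leaked_secrets(body) if exposed else {}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python check_env.py https://your-site.example/.env")
    status, exposed, secrets = check_env_exposure(sys.argv[1])
    print(f"HTTP {status}  exposed={exposed}  leaked={sorted(secrets)}")
```

Run it against a host you own or are authorised to test; the output names which sensitive keys were readable but never prints their values, so the report itself does not become a second leak.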
Check my gigs on Fiverr (I provide a full scan for your website).