Can Laravel be Hacked?

Bour Abdelhadi
3 min read, Apr 5, 2018


Before I start writing, I would like to share this Reddit comment with you:

So, we'll talk about a popular framework that I think most developers have heard of: Laravel.

As we know, the creators of these frameworks wanted to make things more secure than before.

I had a client a few days ago who asked me to maintain his web application and also build a new module for him. He was using Laravel. While I was trying to fix some issues, I checked the .env file to see whether the MySQL server password was correct, because I was having problems with the migration 😠. By mistake I visited this link:

http://www.site.com/.env

Oops!! I could see the content of the environment file 😆

I know, I know … some people make mistakes and forget to read the framework's documentation carefully ..

https://laravel.com/docs/5.6/configuration

I think it's clear, no? (The installation docs also say that the web server's document root must be the public directory; .env lives one level above it, which is exactly what keeps the file out of reach.)

Anyway, this is not the point; the rest of the world has a huge problem. I have done some research and I found that many websites are vulnerable to this type of attack.

75,000 results. That's too much, no? (Dork hidden, to avoid any kind of attack from untrusted readers.)

So I wanted to go further and wrote a Google scraper in Python ❤, and my predictions were totally right: there is too much blood on the street 👌

The problem is that some of these are big websites, and on top of the leak they are running phpMyAdmin or even allow remote access to their database on port 3306. With DB_HOST, DB_USERNAME and DB_PASSWORD sitting in the exposed file, either of those is a direct route into the database.

This is the structure of the .env file :

https://github.com/laravel/laravel/blob/master/.env.example

There is serious information in there: APP_KEY (the key Laravel uses to encrypt cookies and session data, so whoever holds it can forge them), the DB_HOST, DB_USERNAME and DB_PASSWORD for the database, Redis, mail and Pusher credentials, and whatever other API keys the developer has added. So now let's talk about hiding this gun 😆.

One simple mitigation, for the case where the web root cannot be moved, is to create an .htaccess file in the directory that is actually served and put this code inside:

# Disable directory listings
Options -Indexes

# Hide a specific file
<Files .env>
Order allow,deny
Deny from all
</Files>

That blocks the direct download, with two caveats. First, Order allow,deny / Deny from all is Apache 2.2 syntax; Apache 2.4 only accepts it when mod_access_compat is loaded, and its native equivalent inside the same <Files> block is Require all denied (nginx ignores .htaccess entirely and needs its own location rule denying /.env). Second, this is a safety net, not the fix: as the docs say, the web server's document root should be the public directory, one level below .env, so the file is never reachable over HTTP in the first place. Make that the real fix, keep the rule as defence in depth, and if a .env has already been served, treat every credential in it as compromised and rotate it.

Don't ask for the Python tool ;). Just for the curious: when you send a bare urllib request to check whether the .env file exists, you get getcode() = 403 (Forbidden), because many hosts reject urllib's default Python-urllib User-Agent outright. Add a browser-like User-Agent header and the real status comes back:

from urllib.request import Request, urlopen
from urllib.error import HTTPError

url = 'http://www.site.com/.env'
req = Request(url)   # default User-Agent "Python-urllib/x.y": often a blanket 403
req = Request(url, headers={'User-Agent': 'Mozilla/5.0'})   # browser-like UA
try:
    with urlopen(req) as resp:
        print(resp.getcode())   # 200: the server is handing the file out
except HTTPError as e:
    print(e.code)               # 403/404 arrive as HTTPError, not as a return value

Check my gigs on Fiverr (I provide a full scan for your website):

https://www.fiverr.com/bohrhadi

Follow me on LinkedIn:

https://www.linkedin.com/in/bohr/
