Quit using .ENV files

How to hack a site using Google only.

Published on October 20, 2018

News and Updates

Public Facing .ENV Files are Bad

If you don't know what a .ENV file is, then here's an eye opener for you: a .env file is a plain text list of KEY=VALUE pairs that holds an application's sensitive configuration, such as database credentials, API keys and other secret values, and it is the preferred, and most preached, way of doing so, in PHP and in just about every other web stack. It is the default method of configuring an out of the box Laravel application, and Laravel is currently the most popular PHP framework available; the installer drops the file in the project root, one level above the public/ directory that is meant to be the document root. A well configured Apache web server therefore never serves it, and can be told to refuse every dotfile outright, but that hasn't kept, and most likely won't keep, people from pointing the document root at the whole project, or copying .env into a served folder, and deploying insecure web apps with exposed, public facing, configuration data. Not just any configuration data, possibly yours. Did I mention these are just plain text files which render beautifully in a browser? Not only that, they are easily parsed by a Python or PHP scraper. All someone has to do is trawl Google search results with an automated bot, visit each link, parse the KEY=VALUE lines, grab your DB credentials and host, and move on.

Not convinced? Do a Google search for "filetype:env DB_USERNAME" and just watch the credentials start flowing in from .env files that Google has indexed. Want to talk about easy access? This has been a long-time hacker go-to for selling access to your server, and a hit in that list is not a warning about the future: the file has already been fetched by anyone who cared to look. If your website is in that list, rotate every credential and key in the file right away, look through your database and mail logs for use of the old ones, and start asking some serious questions of your developer.
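The scraping step described above, turned around into a self-check you can run against your own site, as an added example that is not code from the original post: it parses the .env format the way a dotenv loader (and an attacker's bot) does and reports which entries are credentials. The list of sensitive key names and the two sample response bodies are constructed assumptions.

```python
"""Exposed .env self-check (added example; not code from the original post).

Take the body returned for https://<your-site>/.env, parse it the way dotenv
loaders do, and report which entries are credentials. The key names treated
as sensitive and the sample bodies below are assumptions.
"""
import re
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# KEY=VALUE with optional leading `export`; the value is parsed separately.
LINE_RE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
# double-quoted (with backslash escapes), single-quoted, or bare up to a `#` comment
VALUE_RE = re.compile(r'''^(?:"((?:[^"\\]|\\.)*)"|'([^']*)'|([^#]*))''')
# Assumed list of key-name fragments whose values are secrets.
SENSITIVE_RE = re.compile(r"PASSWORD|SECRET|KEY|TOKEN|DB_USERNAME|DSN", re.I)


def _parse_value(raw: str) -> str:
    m = VALUE_RE.match(raw)
    if m.group(1) is not None:          # "..." : unescape \" and \\
        return re.sub(r"\\(.)", r"\1", m.group(1))
    if m.group(2) is not None:          # '...' : literal
        return m.group(2)
    return m.group(3).strip()           # bare value, inline comment dropped


def parse_dotenv(text: str) -> dict:
    """Parse .env text into a dict; blank lines and # comments are skipped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            env[m.group(1)] = _parse_value(m.group(2))
    return env


def exposed_secrets(env: dict) -> dict:
    """Entries an attacker would grab: credential-looking keys with a value."""
    return {k: v for k, v in env.items() if SENSITIVE_RE.search(k) and v}


def looks_like_dotenv(body: str, min_keys: int = 3) -> bool:
    """An HTML error page or a near-empty body is not a leaked env file."""
    if "<html" in body[:200].lower():
        return False
    return len(parse_dotenv(body)) >= min_keys


def check_env_exposure(body: str) -> dict:
    """Return the leaked credentials found in `body`; {} means nothing leaked."""
    if not looks_like_dotenv(body):
        return {}
    return exposed_secrets(parse_dotenv(body))


def fetch_and_check(url: str, timeout: float = 10) -> dict:
    """Run the check against a live URL of your own, e.g. https://example.com/.env."""
    req = Request(url, headers={"User-Agent": "env-exposure-self-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
    except HTTPError as err:
        if err.code in (403, 404):      # server refused: the correct outcome
            return {}
        raise
    return check_env_exposure(body)


# Constructed sample: what a misconfigured Laravel host returns for /.env.
SAMPLE_LEAKED_ENV = """\
APP_NAME=Laravel
APP_ENV=production
APP_KEY=base64:c29tZXRoaW5nc2VjcmV0c29tZXRoaW5nc2VjcmV0MTIzNA==
APP_DEBUG=false

# database
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=shop
DB_USERNAME=shop_user
DB_PASSWORD="S3cret pa55"   # quoted value keeps its space
MAIL_HOST=smtp.example.test
"""

# Constructed sample: a server that correctly refuses the request.
SAMPLE_DENIED = "<html><head><title>403 Forbidden</title></head><body>Forbidden</body></html>"

if __name__ == "__main__":
    for name, body in (("leaked", SAMPLE_LEAKED_ENV), ("denied", SAMPLE_DENIED)):
        print(name, check_env_exposure(body))
```

Against the leaked sample the check reports APP_KEY, DB_USERNAME and DB_PASSWORD; against the 403 page it reports nothing. Put fetch_and_check on your own /.env into a deployment smoke test so a later change to the document root cannot quietly re-expose the file.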

What's the Fix

A simple way to counter this is to place configuration data in PHP files: the web server hands a .php file to the interpreter instead of returning it as plain text, so a request for config.php yields nothing. Some might disagree since those files still hold sensitive data, and the objection is not empty. Seeing unprocessed PHP source usually does mean someone already has access to your server, but not always: a stale copy such as config.php.bak or config.php~ left in the document root, or a host where the PHP handler is no longer registered, serves the source as text without any other compromise. That is a whole other problem which should be addressed separately, and it means a PHP config file reduces the exposure rather than removing it. Whatever the format, the rule is that secrets never live in a directory the web server serves: keep the document root on Laravel's public/ folder (the .env sits one level above it for exactly this reason), deny dotfiles at the server level, and make the file readable only by the account PHP runs as. A quick check is curl -I https://yoursite/.env, which should come back 403 or 404, never 200. It is one of those balancing acts we have to make when we open up a portion of our business operations to the web. Beyond that, you can encrypt your configuration data while it is at rest and build en/decryption functionality into your web application to do the opening and closing on the fly, bearing in mind that the decryption key must itself be readable by the application, so this guards against a leaked file rather than against an attacker already running code on the host. It might add to your request time, but it will definitely beat placing configuration in plain text formats like .ENV or .json where the server can reach them.
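The server-side fix described above, written out as an Apache 2.4 configuration (added example, not configuration from the original post; the hostname and paths are assumptions): point the document root at Laravel's public/ directory and deny every dotfile, so /.env can never be served whatever format the secrets are kept in.

```apache
# Added example, not configuration from the original post. Apache 2.4;
# hostname and paths are assumptions.

# The weak setting that exposes .env: the document root is the project
# root, so /var/www/shop/.env is served like any other static file.
#
#   DocumentRoot /var/www/shop
#
# Corrected: Laravel keeps .env one level above public/, so serve only public/.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/shop/public

    <Directory /var/www/shop/public>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

# Server-wide belt and braces: refuse every dotfile (.env, .htaccess, .git)
# from any directory, in case a copy ever lands inside one that is served.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Same for dot-directories such as .git/, but leave .well-known/ reachable
# so ACME http-01 (Let's Encrypt) challenges keep working.
<DirectoryMatch "/\.(?!well-known)">
    Require all denied
</DirectoryMatch>
```

Reload Apache and confirm with curl -I https://www.example.com/.env: the answer must be 403 or 404, never 200. Put the same request in the deployment pipeline so a later change to DocumentRoot cannot quietly undo the fix.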
