Laravel is one of the most popular PHP frameworks. Lots of packages are available to enhance the Laravel framework and customize their project. Due to the wide popularity of Laravel risk is also high, recently users found their config file publically available and indexed by Google.
.env file located at the root of Laravel project stores all important information and credentials like database password, email configurations and other env variables.
Detail of .env vulnerability
In this vulnerability, improper permission to config file allows access to env file. Even google also succeeded to fetch and index env file, this cause listing of database username, password and database name publically. You can search
db_password filetype:env in google to understand effect of this vulnerability.
Check Your Site
You can check this to your site if it is affected with this or not by just opening env file path. if example.com is the root of your laravel project you can check via opening http://example.com/.env in the browser if you see any error means your site is safe from .env vulnerability
Solution via Permission
The best solution is to set the proper permission of the env file, you can do this from the file manager and also via SSH. You should attempt 400 for env file. If you face any issue you can switch to 440. To change permission via CPanle, open file manager -> go to .env file -> right click -> select “Permission” and set 440 or 400 . You can also set permission via SSH
chmod 440 public_html/.env replace public_html with your env file path with reference to your current path of SSH.
Solution via .htaccess
HTACCESS contains superpower, though you can set env file permission but blocking that file via htaccess is very useful. You can add following code at the bottom of htaccess to deny all from accessing env file.
deny Deny from all
This is very useful when you are having multiple laravel application on one server.
Laravel is still powerful but the great power comes with great responsibility rule is applicable here, as a developer we have to avoid such mistakes and keep the web safe. At MR Cloud Hosting we provide cheap laravel hosting please have a look. If you have any other solution feel free to share with us via comment.
MR Cloud Hosting
12 Nov, 2018