It's not possible to tell since it has already been defaced. You'd probably want to investigate the logs and check whether it's a web application attack or a network attack. Try the web logs and see if any suspicious requests were made.
Hacked
One of my friends developed a website using Laravel and it has been hacked: http://vacancynepal.com/
Please visit it and, if possible, tell me what the reasons behind it are, whether the fault is with the hosting or the coding itself.
The site has not been securely deployed
try this http://vacancynepal.com/.env
I'm constantly banging on about this. You do not just dump your Laravel project in public web space... some things MUST be private.
Wow, this is a huge problem because of amateur developers in combination with shitty/amateur web hosts who set the FTP root to the document root. I'm actually surprised we haven't seen more of this as Laravel is growing in popularity..
Nice catch @Snapey ...
Edit
You gotta love the local env on production ☺
APP_ENV=local
APP_DEBUG=true
Holy fuck, why would you make your .env file publicly available? I just tried a search on Google for the filetype .env and people are doing this by the masses.
@JeffreyWay perhaps it's an idea to make a video about security and explain a few no-no's like this?
@DirkZz nice idea, wow, it's that easy to find these hackable websites.. most of them seem to be directory listings though..
Here's an example..
PS. I emailed them about this.
It's really scary when you see Stripe, PayPal and Mailchimp credentials amongst other things.
I was thinking that we needed a PR on the .htaccess file to specifically exclude .env, but in the majority of cases .htaccess is in the public folder.
Perhaps there should be one (a .htaccess) in the laravel root folder also that denies access to everything?
I also noticed that some of them are other PHP frameworks, so this is not exclusively a Laravel problem.
@Snapey Good idea, it will look silly to the majority of people but there is also a huge group out there that would benefit from this.
I think that would be a good idea!
I can't help myself, I'm still searching and emailing people :D
Hello,
I don't know who installed your Laravel application, but I want to let you know that your website has been installed in an extremely insecure way, with your passwords out in the open for anyone to see.
URL
I suggest you find someone more knowledgeable to fix the security issues around your website and also change the passwords.
I found your website's vulnerability through a simple Google search and I wanted to let you know before it falls into harmful hands.
Best regards,
Edit: I'm seeing a lot of these websites don't even change the environment and also they don't have a database password :(
It would be nice to have a crawler to do this automatically...
Just went through like 20 result pages of people who left .env exposed. Shocking. One could do a massive amount of damage with all that info...
@zachleigh indeed, a lot of them have their email passwords as well
I saw everything under the sun. Even Stripe info. That's a huge problem. I wonder if any of them also have something like phpMyAdmin hanging out in the open...
I noticed several with directory listings if you access the base domain.
Sometimes I think the improved frameworks make the entry level for 'web developer' too low.
Most of the sites are run by businesses that presumably thought they had found someone to do a nice looking job for them and are blissfully ignorant that there is an issue.
You're so on point. I would say at least 80% of people on Laracasts don't know the first thing about programming or PHP (or at least they didn't when they started with Laravel), and they would never have gotten into web development if it wasn't for the low entry level.
Correct me if I'm wrong, as I've just started learning the Laravel framework: the 'attack' happens because the author's friend failed to understand how to correctly deploy the web application, am I right? He was supposed to set the public folder as the document root?
@Zurik.Ludg that is correct. The public folder is supposed to be the only folder the public has access to because of security reasons.
@Zurik.Ludg that is correct, and if for some reason it isn't possible to change the root to "/public" you can also create a symlink from "/public_html" to "/public".
When that isn't possible either then I personally would find another host, but as a last resort you can also deny access to all sensitive files in the .htaccess file.
Don't forget the dot env file is optional. If, and only if, Laravel has to be installed under the webroot, the configuration values can be put into the configuration files. That would make it harder to hack.
@Snapey has to remind people of the env file problem weekly, it seems. It's getting old. The first page of the documentation should have a big red warning about that env file. Really getting old.
What's the solution now?
@Hujjat install it properly, or if it has to go in the webroot, DO NOT USE THAT DANGEROUS dot env file; hard-code the configuration.
Taylor should change it to an env.php file for better security.
I put a fake .env file in my public directory to throw off attackers. Genius or what? :D
@Famine BRILLIANT! I would go further and actually create a route for '.env' that captures their IP address and spams them ;)
Just adding my 2 cents, but wouldn't using Forge help the folks struggling with proper deployment of a Laravel app?
@RushVan yep, it would. Although many people just go for some cheap web hosting options with no knowledge of security, or common sense.
Another option is to put your Laravel folder into the root of the shared server. After that, go to your public_html and create a symlink from the shared server's public_html to your Laravel public folder.
It made me laugh. Make sure to put in some complex password so it's even more believable.
Couple of questions then:
Why doesn't this get caught by the router? I tried this http://vacancynepal.com/.env on my application and it redirects to home.
I guess this is caught here:
Route::any('{query}', function () {
    return redirect('/home');
})->where('query', '.*');
Why does it matter if you leave APP_ENV=local in, if you aren't using App::environment()?
Mick
@phpMick because what happens is people upload their entire project into public_html and then realise that they cannot access their site as site.com/ but instead need to use site.com/public.
The thought is then: ok, so I just need a .htaccess file in the root folder that directs to /public/index.php.
The problem is that most .htaccess scripts only redirect missing files, so when you hit /home the web server thinks, oh, there is no 'home' file or folder, so I will rewrite this request as if the user asked for index.php.
This only works where there is no file. If the file exists, for instance .env, then the rewrite module thinks it has nothing to do and serves up the .env file.
@Snapey It's a huge mistake made by the developer himself, I get it. But how can a hacker change files even when they have the database credentials? First they have to get into the hosting account, isn't it?
@vtxmg well, shared hosting is one. They use a cluster DB. Back in the days of pentesting, during reconnaissance, if I found the target to be using shared hosting and its DB credentials viewable by the public, we would find a more vulnerable target within the cluster, dump a script, then access the target's DB through the cluster's connection. That way, localhost is still localhost. Sometimes it is worth the work and sweat to jump shells.
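As an added example that is not from the thread: the root-level .htaccess Snapey describes above (the rewrite that only fires for missing files, so an existing .env is served), followed by the "deny everything sensitive in the root .htaccess" variant suggested earlier. It assumes Apache 2.4 syntax and a Laravel project uploaded straight into the document root.

```apache
# Added example (not from the thread). Root-level .htaccess for a Laravel
# project that was uploaded straight into the document root. Assumes Apache 2.4.

# --- What people usually write: rewrite only when nothing matches on disk ---
# RewriteEngine On
# RewriteCond %{REQUEST_FILENAME} !-f     # no such file ...
# RewriteCond %{REQUEST_FILENAME} !-d     # ... and no such directory
# RewriteRule ^ public/index.php [L]
# With only these rules, GET /.env matches a real file, both conditions fail,
# nothing is rewritten and Apache serves the file as-is.

# --- Hardened version ---
# 1. Never list directories (several exposed sites showed directory indexes).
Options -Indexes

# 2. Deny every dotfile (.env, .env.example, .git/...). Access control is
#    evaluated independently of the rewrite rules, so a denied file stays
#    denied whether or not a rewrite would have applied.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# 3. Keep other non-public project files out of reach as well.
<FilesMatch "^(composer\.(json|lock)|artisan|phpunit\.xml|server\.php)$">
    Require all denied
</FilesMatch>

# 4. Route everything else through public/, so the framework's own
#    public/.htaccess and index.php handle the request; vendor/, storage/
#    and the rest of the project tree are never reachable by URL.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/public/
    RewriteRule ^(.*)$ public/$1 [L]
</IfModule>
```

This needs AllowOverride to permit Options and AuthConfig in .htaccess; on an Apache 2.2 host replace `Require all denied` with `Order allow,deny` / `Deny from all`. Moving the document root to public/ (or the symlink approach above) remains the proper fix; this only limits the damage when that is not possible.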