SMTP credentials getting exposed!

@Sinnbeck Thank you for the response. I think it is best if I don't share the url but yes I am using file upload on it. Validation only allows for images. What issue could arise from it?

And yes, I changed the password for smtp.

@shawon_kamal ok then hire a pen tester to find the security problem :)

My best idea is that you have some problem with your config of the site. But I don't know every single cve in my head. Or that your upload allows images with embedded Phar code and allows the user access to the output somehow. But these are just guesses based on no information

But perhaps concider using environment variables instead of an env file

@jlrdw Its not shared hosting. I am hosting it in AWS EC2, using apache and I am pointing to the public directory.

@shawon_kamal Still a .env file is not a secure file, it's meant for development. Somehow some credentials were read.

And even on AWS (just a server) laravel if not setup with the correct folder structure is insecure.

Did you read over the Deployment chapter.

Edit:

But of course setting debug to false on production was a good first step. Any credentials would need to be changed.

@jlrdw using .env file in production should not lead to any issues as long as it is not in a public facing folder.

@shawnveltman I worded it poorly. I meant even after turning of debug mode and changing my smtp credentials, it got exposed again. I know that because the SMTP provider shut it down due to spam being sent from the account. None of the spams are sent from my server.

@shawon_kamal You could also look at https://laracasts.com/series/laravel-security-through-examples a series right here on laracasts.