FirstBlood-#542: Environment Files Exposed Publicly
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-26, mrrootsec Level 2 reported:

Hello Zseano, hope you are doing well.

Description:

On FirstBlood V2, environment files are exposed publicly; this leads to access to files which should have been restricted.

Steps to Reproduce the issue :

  1. Navigate to the URLs below (source code leakage):

    https://60a81d3c72d0-mrrootsec.a.firstbloodhackers.com/.gitignore

    https://60a81d3c72d0-mrrootsec.a.firstbloodhackers.com/composer.lock

    https://60a81d3c72d0-mrrootsec.a.firstbloodhackers.com/.gitattributes

    https://60a81d3c72d0-mrrootsec.a.firstbloodhackers.com/composer.phar

    https://60a81d3c72d0-mrrootsec.a.firstbloodhackers.com/composer.json

    https://60a81d3c72d0-mrrootsec.a.firstbloodhackers.com/vendor/composer/installed.json

Impact :

  1. Source Code Disclosure
  2. Sensitive Information Disclosure

Remediation / Fix:

  1. Restrict the access to the environment files

Thanks and Regards

MOHAMMAD SAQLAIN

P2 High

Endpoint: NA

Parameter: NA

Payload: NA


FirstBlood ID: 36
Vulnerability Type: Information leak/disclosure

It is possible to use composer.json to aid with another vulnerability and to gain information/knowledge on the versions used.
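
A pre-deployment check for the remediation above, as an added example that is not part of the original report or of FirstBlood's code: it walks a web root, flags the file names listed in the report, and shows which package versions a leaked `composer.lock` or `installed.json` would disclose. The function names and the sample web root are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# File names taken from the report; none of them belongs in a served directory.
SENSITIVE_NAMES = {".gitignore", ".gitattributes", "composer.json", "composer.lock", "composer.phar"}
SENSITIVE_PATHS = {"vendor/composer/installed.json"}

def find_exposed(docroot):
    """Return sorted docroot-relative paths of files the report lists as exposed."""
    root = Path(docroot)
    hits = []
    for p in root.rglob("*"):  # pathlib globbing also matches dotfiles
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.name in SENSITIVE_NAMES or any(rel.endswith(s) for s in SENSITIVE_PATHS):
            hits.append(rel)
    return sorted(hits)

def disclosed_versions(path):
    """Map package name -> version as revealed by composer.lock or installed.json."""
    data = json.loads(Path(path).read_text(encoding="utf-8"))
    if isinstance(data, list):  # Composer 1 installed.json is a bare list
        packages = data
    else:  # Composer 2 installed.json and composer.lock use an object
        packages = (data.get("packages") or []) + (data.get("packages-dev") or [])
    return {p["name"]: p.get("version", "unknown") for p in packages if "name" in p}

def build_sample(root):
    """Constructed sample web root (not FirstBlood's real files)."""
    root = Path(root)
    (root / "vendor/composer").mkdir(parents=True)
    (root / "index.php").write_text("<?php echo 'ok';")
    (root / "composer.json").write_text('{"require": {"example/lib": "^1.0"}}')
    (root / ".gitignore").write_text("vendor/\n")
    installed = {"packages": [{"name": "example/lib", "version": "1.2.3"}]}
    (root / "vendor/composer/installed.json").write_text(json.dumps(installed))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample(tmp)
        for rel in find_exposed(root):
            print("should not be served:", rel)
        print(disclosed_versions(root / "vendor/composer/installed.json"))
```

Run against the directory the web server actually serves as part of a build or release step; any hit means the file should be moved out of the web root or denied by the server configuration.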