FirstBlood-#542 — Environment Files Exposed Publicly
This issue was discovered on FirstBlood v2
On 2021-10-26, mrrootsec Level 2 reported:
Hello Zseano, Hope you are doing well
Description:
On FirstBlood v2, environment files are exposed publicly; this leads to access to files which should have been restricted.
Steps to Reproduce the issue:
- Navigate to the URLs below (source code leakage):
https://60a81d3c72d0-mrrootsec.a.firstbloodhackers.com/.gitignore
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635226658/y2dcb3jvtfkkcadixlq1.png)
https://60a81d3c72d0-mrrootsec.a.firstbloodhackers.com/composer.lock
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635226656/p44sdfqalje6hgb7h2ck.png)
https://60a81d3c72d0-mrrootsec.a.firstbloodhackers.com/.gitattributes
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635226659/jf0nii17pxnzg1ywy0wa.png)
https://60a81d3c72d0-mrrootsec.a.firstbloodhackers.com/composer.phar
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635226656/a2dfn4en36na2ocffnj5.png)
https://60a81d3c72d0-mrrootsec.a.firstbloodhackers.com/composer.json
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635227121/gk31slenrq7aasb8vw3w.png)
https://60a81d3c72d0-mrrootsec.a.firstbloodhackers.com/vendor/composer/installed.json
Impact:
- Source Code Disclosure
- Sensitive Information Disclosure
Remediation / Fix:
- Restrict access to the environment files.
Thanks and Regards
MOHAMMAD SAQLAIN
P2 High
Endpoint: NA
Parameter: NA
Payload: NA
FirstBlood ID: 36
Vulnerability Type: Information leak/disclosure
It is possible to use composer.json to aid with another vulnerability, and to gain information on the versions in use.
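As an added example (not code from the report or from the FirstBlood platform), the Python script below checks a host for the paths listed in the report, rejects catch-all 200 responses that would otherwise produce false positives (a `.gitattributes` hit is only real if the body is not the application's HTML), and pulls exact dependency versions out of `composer.lock` or `vendor/composer/installed.json`, which is the version information the triage note refers to. Note that `composer.json` only carries version constraints such as `^2.0`; the lock file and `installed.json` hold the versions actually deployed. The host `example.test`, the sample responses and the package names and versions are constructed for the example.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# The paths listed in the report. This script is an added example, not code
# from the report or the FirstBlood platform.
SENSITIVE_PATHS: List[str] = [
    "/.gitignore",
    "/.gitattributes",
    "/composer.json",
    "/composer.lock",
    "/composer.phar",
    "/vendor/composer/installed.json",
]

# A fetcher maps a full URL to (status, body); it is injected so the check
# can run offline against constructed responses.
Fetcher = Callable[[str], Tuple[int, bytes]]


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """Plain GET with urllib; status 0 means the connection failed."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""
    except urllib.error.URLError:
        return 0, b""


def _load_json(body: bytes):
    """Parsed JSON, or None when the body is not valid UTF-8 JSON."""
    try:
        return json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None


def looks_like_real_file(path: str, status: int, body: bytes) -> bool:
    """Reject catch-all 200s: the body must look like the file it claims to be."""
    if status != 200 or not body or b"<html" in body[:512].lower():
        return False
    if path.endswith(".phar"):
        return b"__HALT_COMPILER" in body  # every phar stub contains __HALT_COMPILER();
    if path.endswith((".json", ".lock")):
        data = _load_json(body)
        if path.endswith("composer.json"):
            return isinstance(data, dict) and ("require" in data or "name" in data)
        if path.endswith("composer.lock"):
            return isinstance(data, dict) and "packages" in data
        # installed.json: Composer 1 wrote a bare list, Composer 2 {"packages": [...]}.
        return isinstance(data, list) or (isinstance(data, dict) and "packages" in data)
    return True  # .gitignore / .gitattributes: any non-HTML text counts


def check_exposure(base_url: str, fetch: Fetcher = http_fetch,
                   paths: List[str] = SENSITIVE_PATHS) -> Dict[str, bool]:
    """Map each path to True when the target really serves that file."""
    base = base_url.rstrip("/")
    return {p: looks_like_real_file(p, *fetch(base + p)) for p in paths}


def packages_from_manifest(text: str) -> Dict[str, str]:
    """Exact package versions from composer.lock or vendor/composer/installed.json.
    composer.json only holds constraints such as "^2.0", so it is not parsed here."""
    data = json.loads(text)
    if isinstance(data, list):  # Composer 1 installed.json
        entries = data
    else:  # composer.lock, or Composer 2 installed.json
        entries = list(data.get("packages", [])) + list(data.get("packages-dev", []))
    return {p["name"]: p["version"] for p in entries if "name" in p and "version" in p}


# Constructed responses standing in for a live target (package names and
# versions are made up for the example).
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "monolog/monolog", "version": "2.3.5"},
                 {"name": "guzzlehttp/guzzle", "version": "7.4.1"}],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "9.5.10"}],
})
SAMPLE_RESPONSES = {
    "/.gitignore": (200, b"/vendor/\n.env\n"),
    "/composer.json": (200, b'{"name": "acme/app", "require": {"monolog/monolog": "^2.0"}}'),
    "/composer.lock": (200, SAMPLE_LOCK.encode()),
    "/composer.phar": (200, b"#!/usr/bin/env php\n<?php /* stub */ __HALT_COMPILER(); ?>\n"),
}


def sample_fetch(url: str) -> Tuple[int, bytes]:
    """Serves SAMPLE_RESPONSES; every other path gets a catch-all 200 HTML page."""
    path = url[len("https://example.test"):]
    return SAMPLE_RESPONSES.get(path, (200, b"<!doctype html><html><body>Not found</body></html>"))


if __name__ == "__main__":
    for path, hit in check_exposure("https://example.test", fetch=sample_fetch).items():
        print(("EXPOSED " if hit else "ok      ") + path)
    for name, version in packages_from_manifest(SAMPLE_LOCK).items():
        print(f"  {name} {version}")
```

Against a real target, call `check_exposure("https://host")` with the default `http_fetch`. The content checks matter because many frameworks answer every unknown path with a 200 and the application shell, which a status-only scanner would report as six exposed files; here only the four constructed responses count as exposures and the two catch-all pages are ignored.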