Automate Recon and scanning process with Vidoc. All security teams in one place
By kannthu
The "Codeigniter - .env File Discovery" module is designed to detect the presence of a .env file in Codeigniter applications. Codeigniter is a popular PHP framework used for developing web applications. This module focuses on identifying potential misconfigurations related to the exposure of sensitive configuration files.
This module has a severity level of high, indicating that the discovery of a .env file could potentially lead to security vulnerabilities.
Author: emenalf
If a .env file is exposed, it may contain sensitive information such as database credentials, API keys, and other configuration settings. Unauthorized access to this file could lead to unauthorized access to the application's resources, data breaches, and other security risks.
The module sends HTTP requests to various paths commonly used for storing .env files, such as "/.env", "/.env.dev.local", "/.env.development.local", and others. It then applies matching conditions to determine if the file is present and if it contains specific patterns related to sensitive information.
For example, the module uses regular expressions to match patterns like "^APP_(NAME|ENV|KEY|DEBUG|URL|PASSWORD)" and "^DB_(HOST|PASSWORD|DATABASE)" within the .env file. If any of these patterns are found, it indicates the presence of sensitive configuration settings.
An example HTTP request sent by the module:
GET /.env
The module expects a response with a status code of 200, indicating that the .env file exists and is accessible.
By performing these checks, the module helps identify potential misconfigurations that could expose sensitive information in Codeigniter applications.