[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Bagisto: Insecure installation in sub-directories

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Bagisto: Insecure installation in sub-directories
From: devsecweb--- via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
Date: Sat, 29 Aug 2020 15:49:12 +0000

Vendor:
Bagisto (https://bagisto.com/)
Affected version:
All
Introduction:
        Bagisto is an open source shop system based on PHP and Laravel framework
        Vulnerability description:
Bagisto can be installed in sub-directories below the document root exposing 
the Laravel .env file which includes database and e-mail server credentials.

Proof:
There have been observed installations in the wild exposing the .env file like 
https://klingbakeshop.com/public/ (https://klingbakeshop.com/public/)

Solution:
The "public" directory must be configured as document root of the web server
Sent with PrivateMail

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Next by Date: [FD] Bagisto: Default credentials for admin interface
Next by thread: [FD] Bagisto: Default credentials for admin interface
Index(es):
- Date
- Thread