Bad .env hurts for the rest of life
-
This will be a heavy one. Feel free to troll... and check where do you store your password :wtf: db_password filetype:env inurl:com - Google Search[^]
Just wow! I wonder how many of these websites use a template service and just copy database connection code from lets say.. Q&A? ;P :laugh:
When you are dead, you won't even know that you are dead. It's a pain only felt by others. Same thing when you are stupid.
-
This will be a heavy one. Feel free to troll... and check where do you store your password :wtf: db_password filetype:env inurl:com - Google Search[^]
-
This will be a heavy one. Feel free to troll... and check where do you store your password :wtf: db_password filetype:env inurl:com - Google Search[^]
:wtf: Looks like something used in Node/React (based on a quick search as I've never heard of a .env file) similar to a web.config. I wonder if this is a problem with the technology or just a misconfigured webserver? Either way, look on the bright side, the developers appear to be using strong passwords! :laugh:
"Go forth into the source" - Neal Morse
-
This will be a heavy one. Feel free to troll... and check where do you store your password :wtf: db_password filetype:env inurl:com - Google Search[^]
-
This will be a heavy one. Feel free to troll... and check where do you store your password :wtf: db_password filetype:env inurl:com - Google Search[^]
-
:wtf: Looks like something used in Node/React (based on a quick search as I've never heard of a .env file) similar to a web.config. I wonder if this is a problem with the technology or just a misconfigured webserver? Either way, look on the bright side, the developers appear to be using strong passwords! :laugh:
"Go forth into the source" - Neal Morse
Well, you *can* use them in a Node project, if you go out of your way to do so. I think that Laravel (a PHP framework) uses them by default also. I suppose you could use them from any language or framework, if you really wanted to. It mostly looks like people making the mistake of putting their db credentials in a file and then leaving the file in a place that lets the web server send it out to anyone who asks for it. The whole thing seems a bit dumb since one of the reasons to store your production DB credentials in environment variables is so they won't be sitting in a file somewhere.
-
:wtf: Looks like something used in Node/React (based on a quick search as I've never heard of a .env file) similar to a web.config. I wonder if this is a problem with the technology or just a misconfigured webserver? Either way, look on the bright side, the developers appear to be using strong passwords! :laugh:
"Go forth into the source" - Neal Morse
-
This will be a heavy one. Feel free to troll... and check where do you store your password :wtf: db_password filetype:env inurl:com - Google Search[^]
Wow. Since I am database illiterate, what is wrong here ? That you can see the .env file from external or that the password is stored in there ?
-
kmoorevs wrote:
Either way, look on the bright side, the developers appear to be using strong passwords!
My favourite one is
DB_PASSWORD=murder4513. Quite strong and definitely capital, so to speak, rights? :laugh: -
Wow. Since I am database illiterate, what is wrong here ? That you can see the .env file from external or that the password is stored in there ?
Rage wrote:
That you can see the .env file from external or that the password is stored in there ?
Both of them. In normal situation you have two layers of security - first, the attacker has to access a private network and second -- he needs to login to a database. Here the second layer is gone. And if access to DB is NOT restricted to private network then... it's not good.