Full Disclosure mailing list archives

Bagisto: Insecure installation in sub-directories


From: devsecweb--- via Fulldisclosure <fulldisclosure () seclists org>
Date: Sat, 29 Aug 2020 15:49:12 +0000

Vendor:
Bagisto (https://bagisto.com/)

Affected version:
All

Introduction:
Bagisto is an open source shop system based on PHP and the Laravel framework.

Vulnerability description:
Bagisto can be installed in sub-directories below the document root, exposing the Laravel .env file, which includes
database and e-mail server credentials.

Proof:
Installations exposing the .env file have been observed in the wild, such as https://klingbakeshop.com/public/

Solution:
The "public" directory must be configured as the document root of the web server.
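As an added illustration of the fix (not part of the advisory and not Bagisto's own configuration), the two nginx server blocks below contrast the weak layout with the corrected one; the path /var/www/bagisto, the hostname shop.example and the PHP-FPM socket path are assumed placeholders.

```nginx
# Added example, not from the advisory: nginx configuration for a
# Laravel-based Bagisto install assumed to live at /var/www/bagisto.
# The first block is shown only for contrast; deploy the second one.

# WEAK: the project directory is the document root, so /.env, /storage/
# and /public/ are all reachable over HTTP (the pattern the advisory describes).
server {
    listen 80;
    server_name shop.example;            # placeholder hostname
    root /var/www/bagisto;               # project root exposed

    index index.php;
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

# FIXED: only public/ is served; .env and the rest of the tree sit above
# the document root and cannot be mapped to a URL at all.
server {
    listen 80;
    server_name shop.example;
    root /var/www/bagisto/public;        # public/ is the document root

    index index.php;

    # Laravel front controller: anything that is not a real file under
    # public/ is routed through index.php.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Defence in depth: refuse dotfiles even if one is ever copied into public/.
    location ~ /\. {
        deny all;
    }
}
```

After reloading nginx, a request for /.env against your own host should return 404 rather than the file contents.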
