CVE-2026-33692 · HIGH · CVSS 7.5

AVideo Vulnerable to Unauthenticated .env File Exposure via Official Docker Compose Configuration

Published Jun 22, 2026·Updated Jun 22, 2026

Description

## Vulnerability Details

**CWE**: CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory

The official `docker-compose.yml` (line 61) mounts the entire project root directory as the Apache document root:

```yaml
volumes:
  - "./:/var/www/html/AVideo"
```

Because the project root is the served directory, the `.env` file, which holds database credentials, the admin password and infrastructure configuration, is served as a static file at `/.env`. No `.htaccess` rule or Apache configuration blocks access to dotfiles.

### Exposed Information

An unauthenticated request to `GET /.env` returns (values shown are those of the unmodified default configuration):

```
DB_MYSQL_HOST=database
DB_MYSQL_USER=avideo
DB_MYSQL_PASSWORD=avideo
SYSTEM_ADMIN_PASSWORD=admin123
TLS_CERTIFICATE_FILE=/etc/apache2/ssl/localhost.crt
TLS_CERTIFICATE_KEY=/etc/apache2/ssl/localhost.key
NETWORK_SUBNET=172.30.0.0/16
```

## Steps to Reproduce

### Prerequisites

- AVideo deployed using the official `docker-compose.yml`
- No modifications to the default configuration

### Steps

1. Deploy AVideo using `docker compose up -d`
2. Send: `curl http://target/.env`
3. The full `.env` file contents are returned, including database credentials and the admin password

## Impact

- **Attacker**: Unauthenticated (any remote user)
- **Victim**: AVideo server and database
- **Specific damage**: The attacker obtains database credentials (`DB_MYSQL_USER`, `DB_MYSQL_PASSWORD`), the admin password (`SYSTEM_ADMIN_PASSWORD`) and internal network topology (`NETWORK_SUBNET`). This enables direct database access, admin panel takeover and further lateral movement within the Docker network. The CVSS vector scores confidentiality only (C:H/I:N/A:N); the integrity impact of using the recovered admin password is a follow-on step, not part of the disclosure itself.

## Proposed Fix

Add a `.htaccess` rule to block access to dotfiles:

```apache
# Block access to hidden files (.env, .git, etc.)
<FilesMatch "^\.">
    Order Allow,Deny
    Deny from all
</FilesMatch>
```

Or configure Apache to deny dotfile access in the virtual host configuration.

Caveats for anyone applying this: `Order`/`Deny` is Apache 2.2 syntax and works on 2.4 only while `mod_access_compat` is loaded; the native 2.4 form is `Require all denied`. A `.htaccess` rule takes effect only where the directory's `AllowOverride` permits it, so the virtual host configuration is the more reliable place. `FilesMatch` tests only the final path component, so it blocks `/.env` and `/.htpasswd` but not files inside a dot-directory such as `/.git/config`; those need a `DirectoryMatch` rule. The web-server rule treats the symptom: narrowing the bind mount so that `.env` is not under the document root removes the exposure regardless of Apache configuration.
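
The same denial written in Apache 2.4 syntax for the virtual host, as an added example rather than the advisory's or the project's own configuration. It assumes the document root path from the compose mount above and extends the advisory's rule to dot-directories, since `FilesMatch` alone leaves `.git/HEAD` or `.git/config` reachable; `.well-known` is exempted so ACME challenges keep working:

```apache
# Added example, not AVideo's shipped configuration. Place in the vhost or a
# conf-enabled snippet; the path assumes the docker-compose bind mount.
<Directory "/var/www/html/AVideo">
    # Deny any file whose basename starts with a dot (.env, .htpasswd, ...).
    <FilesMatch "^\.">
        Require all denied
    </FilesMatch>
</Directory>

# FilesMatch only sees the final path component, so .git/HEAD and .git/config
# would still be served. Deny dot-directories as well, except .well-known.
<DirectoryMatch "/\.(?!well-known)">
    Require all denied
</DirectoryMatch>
```

After reloading Apache, `curl -i http://target/.env` and `curl -i http://target/.git/config` should both return 403 while `/.well-known/` paths remain reachable.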

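A verification check for the reproduction step above, added here as example code (not from the advisory or the AVideo project). A bare `200 OK` for `/.env` is not proof of exposure: PHP front controllers commonly answer 200 with the site's HTML for any path, so the check parses the body as dotenv syntax and reports only key names, never values. The sample bodies are constructed from the advisory's listing; `probe()` and the `User-Agent` string are assumptions of this example.

```python
"""Classify an HTTP response for /.env as a leaked dotenv file or a false positive.

Added example for this advisory; not code from AVideo or the advisory author.
"""
import re
import sys
import urllib.error
import urllib.request

# KEY=VALUE with an optional leading "export"; dotenv keys are shell-style identifiers.
_ASSIGN = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
# A value wrapped in matching single or double quotes (inline comment may follow).
_QUOTED = re.compile(r"""^(["'])(.*?)\1""")
# Key names that usually carry secrets; only names are reported, values are never shown.
_SENSITIVE = re.compile(r"PASS|SECRET|TOKEN|_KEY$|PRIVATE|CREDENTIAL", re.I)

# Constructed sample bodies: the advisory's listing, and a catch-all HTML page.
SAMPLE_LEAK = """DB_MYSQL_HOST=database
DB_MYSQL_USER=avideo
DB_MYSQL_PASSWORD=avideo
SYSTEM_ADMIN_PASSWORD=admin123
TLS_CERTIFICATE_FILE=/etc/apache2/ssl/localhost.crt
TLS_CERTIFICATE_KEY=/etc/apache2/ssl/localhost.key
NETWORK_SUBNET=172.30.0.0/16
"""
SAMPLE_HTML = "<!DOCTYPE html><html><head><title>AVideo</title></head><body></body></html>"


def parse_dotenv(body: str) -> dict:
    """Parse dotenv text into a dict; return {} if the body is not dotenv syntax.

    Blank lines and '#' comments are skipped. Every remaining line must be an
    assignment, so an HTML index or error page yields {} instead of a partial parse.
    """
    env = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if not m:
            return {}  # any non-assignment line: this is not a dotenv file
        key, value = m.group(1), m.group(2).strip()
        q = _QUOTED.match(value)
        if q:
            value = q.group(2)
        else:
            value = value.split(" #", 1)[0].rstrip()  # strip unquoted inline comment
        env[key] = value
    return env


def classify(status: int, body: str) -> dict:
    """Return {'exposed': bool, 'keys': [...], 'sensitive': [...]} for a response.

    Anything other than 200 (including a redirect away from /.env) is not exposure.
    Content-Type is deliberately ignored: Apache may label .env text/plain or
    application/octet-stream depending on mime configuration; the body decides.
    """
    if status != 200:
        return {"exposed": False, "keys": [], "sensitive": []}
    env = parse_dotenv(body)
    keys = sorted(env)
    return {
        "exposed": bool(env),
        "keys": keys,
        "sensitive": [k for k in keys if _SENSITIVE.search(k)],
    }


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: a redirect from /.env to a login page is not a leak."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url: str, timeout: float = 5.0) -> dict:
    """Fetch <base_url>/.env and classify it (assumed helper; requires network)."""
    url = base_url.rstrip("/") + "/.env"
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "dotenv-exposure-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify(e.code, "")


if __name__ == "__main__":
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else classify(200, SAMPLE_LEAK))
```

Run as `python3 check_dotenv.py http://target` against a deployment; a finding with `exposed: True` and `sensitive` listing `DB_MYSQL_PASSWORD` and `SYSTEM_ADMIN_PASSWORD` reproduces the advisory without writing the secret values to the terminal or a log.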
Affected Packages (1)

wwbn/avideo (Composer)
Fixed in 29.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
