Email smtp credentials keep getting compromised every now and then (laravel 7)

security hacking laravel smtp

Solution 1:

Are you using nginx? I had the same issue. Following the tip of @PetrChloupek, I analysed the access logs (/var/log/nginx/access.log) and found out that sometimes an agent could get a 200 out of "/.env". It turned out that the configuration of the nginx was so that when using just the ip (v.g. 12.244.21.21 instead of "mywebsite.com") the malicious agent hitted the /var/www/html and not the public folder, as specified in the nginx conf file, since this dealt only with the specified host (v.g."mywebsite.com").

Solution 2:

There is a known issue with developers leaving APP_DEBUG = true on live systems, this means you can trigger a debug page output that contains the .env keys and values.

https://www.mailgun.com/blog/a-word-of-caution-for-laravel-developers/

An easy way to trigger the issue, if vulnerable, is make an unsupported request, e.g. a POST / PUT request to a known GET route such as the site index '/', this will in cases where DEBUG is set to true output all the envrionment variables.

Related

Login to https site from Windows without specifying domain
Migrate windows guests from VirtualBox to KVM without re-activation?
How to get PHP mysql_ extension for linux chroot jail?
Roots of unity over finite fields
if $G$ only has one subgroup of order $p$ and one subgroup of order $q$, then $G$ is a cyclic group
Is a minimal Gröbner Basis a minimal system of generators?
Expected value of order statistics from uniform distribution
Maximize a function involving binary entropy
Showing that an involution of the projective line with a fixed point fixes exactly two points
Complex limit involving roots of unity
Why is $\sin\left[\arctan\left(\frac{x}{a}\right)\right] = \frac{x}{a\sqrt{\frac{x^2}{a^2} + 1}}$ true? [closed]
When to neglect the negative value of a square root?