Lack of data validation in wwbn/avideo

Description

AVideo Vulnerable to Unauthenticated .env File Exposure via Official Docker Compose Configuration

Vulnerability Details

CWE: CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory

The official docker-compose.yml (line 61) mounts the entire project root directory as the Apache document root:

volumes:
  - "./:/var/www/html/AVideo"

This causes the .env file — which contains database credentials, admin passwords, and infrastructure configuration — to be served as a static file at /.env. No .htaccess rule or Apache configuration blocks access to dotfiles.

Exposed Information

An unauthenticated request to GET /.env returns:

DB_MYSQL_HOST=database
DB_MYSQL_USER=avideo
DB_MYSQL_PASSWORD=avideo
SYSTEM_ADMIN_PASSWORD=admin123
TLS_CERTIFICATE_FILE=/etc/apache2/ssl/localhost.crt
TLS_CERTIFICATE_KEY=/etc/apache2/ssl/localhost.key
NETWORK_SUBNET=172.30.0.0/16

Steps to Reproduce

Prerequisites

    AVideo deployed using the official docker-compose.yml

    No modifications to the default configuration

Steps

    Deploy AVideo using docker compose up -d

    Send: curl http://target/.env

    The full .env file contents are returned, including database credentials and admin password

Impact

    Attacker: Unauthenticated (any remote user)

    Victim: AVideo server and database

    Specific damage: Attacker obtains database credentials (DB_MYSQL_USER, DB_MYSQL_PASSWORD), admin password (SYSTEM_ADMIN_PASSWORD), and internal network topology (NETWORK_SUBNET). This enables direct database access, admin panel takeover, and further lateral movement within the Docker network.

Proposed Fix

Add a .htaccess rule to block access to dotfiles:

# Block access to hidden files (.env, .git, etc.)
# Order/Deny is the Apache 2.2 access syntax; Apache 2.4 only accepts it
# when mod_access_compat is loaded, otherwise use "Require all denied"
# inside the same FilesMatch block.
<FilesMatch "^\.">
    Order Allow,Deny
    Deny from all
</FilesMatch>

Or deny dotfile access directly in the virtual host configuration, which also takes effect when AllowOverride is None and .htaccess files are ignored.
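As an added example, not code from this advisory or the AVideo project: a small Python audit that flags a compose file bind-mounting the project root under the Apache document root (the pattern described above) and checks whether a .htaccess snippet carries a dotfile-denying rule, accepting both the 2.2-style rule shown above and the Apache 2.4 "Require all denied" form. The compose and .htaccess inputs are constructed, and DOCROOT is assumed from the mount path quoted in the advisory.

```python
import re
DOCROOT = "/var/www/html"  # Apache document root; assumed from the mount path in the advisory
# Compose short-syntax bind mount, e.g.  - "./:/var/www/html/AVideo"
VOLUME_RE = re.compile(r'''^\s*-\s*["']?([^:"']+):([^:"']+)''')
# <FilesMatch "^\."> containing either the 2.2-style "Deny from all" or the 2.4 "Require all denied"
DOTFILE_RULE_RE = re.compile(
    r'<FilesMatch\s+"\^\\\."\s*>.*?(Deny from all|Require all denied).*?</FilesMatch>', re.S)

def exposed_bind_mounts(compose_text):
    """(source, target) pairs where the project root ('.' or './') is bind-mounted
    under the document root, which places .env inside the web-served tree."""
    findings, in_volumes = [], False
    for line in compose_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("volumes:"):
            in_volumes = True
            continue
        if in_volumes and not stripped.startswith("-"):
            in_volumes = False  # end of the volumes list
        if not in_volumes:
            continue
        m = VOLUME_RE.match(line)
        if m and m.group(1) in (".", "./") and m.group(2).startswith(DOCROOT):
            findings.append((m.group(1), m.group(2)))
    return findings

def blocks_dotfiles(htaccess_text):
    """True if the .htaccess text denies access to files whose names start with a dot."""
    return DOTFILE_RULE_RE.search(htaccess_text) is not None

def audit(compose_text, htaccess_text):
    """Combine both checks into human-readable findings; an empty list means nothing found."""
    findings = [f"project root {src!r} is mounted at {dst!r}: .env is web-reachable"
                for src, dst in exposed_bind_mounts(compose_text)]
    if findings and not blocks_dotfiles(htaccess_text):
        findings.append('no .htaccess rule denies dotfiles (add <FilesMatch "^\\."> with Require all denied)')
    return findings

# Constructed inputs modelled on the advisory, not the project's real files.
SAMPLE_COMPOSE = """\
services:
  avideo:
    build: .
    volumes:
      - "./:/var/www/html/AVideo"
      - "./videos:/var/www/html/AVideo/videos"
"""
SAMPLE_HTACCESS_MISSING = "RewriteEngine On\n"
SAMPLE_HTACCESS_FIXED = '<FilesMatch "^\\.">\n    Require all denied\n</FilesMatch>\n'
```

Running audit(SAMPLE_COMPOSE, SAMPLE_HTACCESS_MISSING) reports both the exposing mount and the missing rule; with SAMPLE_HTACCESS_FIXED only the mount finding remains, since the rule is a mitigation rather than a removal of .env from the web tree.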
