Summary
Disclosure of db_name, internal paths and ports via the argoapp-live GitHub in older commits.
Scenario (Impact)
Note: This doesn't have any direct impact.
But if an attacker gains privileges in the internal network, they do not have to do directory brute-forcing or port scanning.
Also, there is no need to use substring queries to guess the database name (argo_db).
Some of the paths are:
MONGODB_URI=mongodb+srv://rekpero:rekpero@migration-test.mbbk8.mongodb.net/
MONGODB_DB_MAIN=argo
Severity: Informative (Low)
Path: Deploy
Port: 5000
DEPLOYER_API_HOST_ADDRESS=http://localhost:5000/deploy/
Path: Payments
Port: 3001
PAYMENT_API_HOST_ADDRESS=http://localhost:3001/payments
MONGODB_URI: process.env.MONGODB_URI || "mongodb://localhost:27017/",
MONGODB_DB_MAIN: process.env.MONGODB_DB_MAIN || "argo_db",
PORT: +process.env.REDIS_PORT || 6379,
process.env.DEPLOYER_API_HOST_ADDRESS || "http://localhost:5000",
process.env.PAYMENT_API_HOST_ADDRESS || "http://localhost:3001",
process.env.FRONTEND_APP_HOST_ADDRESS || "http://localhost:3000",
Links
These are in older commits.
https://github.com/argoapp-live/argo-api/blob/28e79203299f5554eb866578681b052a5817a0cf/env.example
https://github.com/argoapp-live/argo-api/blob/a6e128fc410549fe69d6b7115e26119fa4839e98/src/config/env/index.ts
Thanks
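A pre-commit style check for this class of disclosure, as an added example that is not part of the original report or the argo-api project: it scans env-style lines for URLs that carry embedded credentials or point at loopback endpoints. The `scanEnv` helper and the sample lines are constructed for illustration; the MongoDB user, password and host in the sample are placeholders.

```javascript
// Added example: flag env-style lines that embed credentials or internal endpoints.
// SAMPLE is constructed; the MongoDB user, password and host are placeholders.
const SAMPLE = [
  "MONGODB_URI=mongodb+srv://appuser:examplepass@cluster0.example.mongodb.net/",
  "MONGODB_DB_MAIN=argo",
  "DEPLOYER_API_HOST_ADDRESS=http://localhost:5000/deploy/",
  "PAYMENT_API_HOST_ADDRESS=http://localhost:3001/payments",
  "# comment line",
  "LOG_LEVEL=debug",
].join("\n");

// Loopback names as the WHATWG URL parser reports them (IPv6 keeps its brackets).
const INTERNAL_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Hypothetical helper: returns one finding per KEY=VALUE line whose value is a URL
// with userinfo (user:password@) or a loopback host. Passwords are never echoed.
function scanEnv(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const m = /^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/.exec(line);
    if (!m) return; // comments, blanks, non-assignments
    const key = m[1];
    const value = m[2].replace(/^["']|["']$/g, ""); // strip surrounding quotes
    let url;
    try { url = new URL(value); } catch { return; } // value is not a URL
    if (url.password) {
      findings.push({ line: i + 1, key, type: "embedded-credentials",
        detail: `${url.protocol}//${url.username}:***@${url.host}` });
    }
    if (INTERNAL_HOSTS.has(url.hostname)) {
      findings.push({ line: i + 1, key, type: "internal-endpoint",
        detail: `${url.hostname}:${url.port || "(default)"}${url.pathname}` });
    }
  });
  return findings;
}

for (const f of scanEnv(SAMPLE)) {
  console.log(`line ${f.line} ${f.key}: ${f.type} ${f.detail}`);
}
```

Run against each staged file, or against `git show <commit>:<path>` output for older commits, since removing a value from the current tree does not remove it from history.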