Mend.io Vulnerability Database
CVE-2026-33692
Published: June 22, 2026
Updated: June 24, 2026
Vulnerability Details

CWE: CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory

The official docker-compose.yml (line 61) mounts the entire project root directory as the Apache document root:

```yaml
volumes:
  - "./:/var/www/html/AVideo"
```

The .env file lives in that same project root (docker compose reads it from there for variable substitution), so it is served as a static file at /.env. It contains the database credentials, the admin password and infrastructure configuration, and no .htaccess rule or Apache configuration blocks access to dotfiles.

Exposed Information

An unauthenticated request to GET /.env on a default deployment returns:

```text
DB_MYSQL_HOST=database
DB_MYSQL_USER=avideo
DB_MYSQL_PASSWORD=avideo
SYSTEM_ADMIN_PASSWORD=admin123
TLS_CERTIFICATE_FILE=/etc/apache2/ssl/localhost.crt
TLS_CERTIFICATE_KEY=/etc/apache2/ssl/localhost.key
NETWORK_SUBNET=172.30.0.0/16
```

Steps to Reproduce

Prerequisites
- AVideo deployed using the official docker-compose.yml
- No modifications to the default configuration

Steps
1. Deploy AVideo with `docker compose up -d`
2. Send `curl http://target/.env`
3. The full contents of .env are returned, including the database credentials and the admin password

Impact
- Attacker: unauthenticated (any remote user)
- Victim: the AVideo server and its database
- Specific damage: the attacker obtains the database credentials (DB_MYSQL_USER, DB_MYSQL_PASSWORD), the admin password (SYSTEM_ADMIN_PASSWORD) and the internal network layout (NETWORK_SUBNET). This enables direct database access wherever the database port is reachable, admin panel takeover, and further lateral movement within the Docker network.

Proposed Fix

Add a .htaccess rule that blocks access to dotfiles:

```apache
# Block access to hidden files (.env, .git, etc.)
<FilesMatch "^\.">
    Order Allow,Deny
    Deny from all
</FilesMatch>
```

Or configure Apache to deny dotfile access in the virtual host configuration.

Three points to check when applying this rule. The pattern must be `^\.` (a literal leading dot); `^.` would match every file name and deny the whole site. `Order`/`Deny` are Apache 2.2 directives that on Apache 2.4 need mod_access_compat; the native 2.4 form is `Require all denied`. A .htaccess file is only honoured when the enclosing Directory's AllowOverride permits it (Limit for `Order`/`Deny`, AuthConfig for `Require`), so the equivalent block in the virtual host configuration is the more reliable placement. Blocking the URL does not remove the file from the document root, and any deployment that was reachable before the rule was applied should treat the values in .env as compromised and rotate the database and admin passwords.
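A small checker for this class of exposure, added here as an example and not code from the AVideo project or the advisory. It classifies the body returned for GET /.env as a leaked dotenv only when the response is a 200 whose lines are overwhelmingly KEY=VALUE, lists the keys and flags the ones whose names look like secrets, and can probe a live base URL. The sample body is constructed from the values the advisory quotes; the extra probe paths, the User-Agent string and the secret-name heuristic are assumptions of this example.

```python
"""Check whether a web root serves its dotenv file (added example; not AVideo's own code).

assess_response() classifies the body returned for GET /.env; probe_dotfiles()
fetches a few dotfile paths from a base URL and applies it. The sample body is
constructed from the values quoted in the advisory. The probe path list, the
User-Agent string and the sensitive-key heuristic are assumptions.
"""
import re
import sys
import urllib.error
import urllib.request

# One dotenv line: optional "export", KEY=VALUE, surrounding whitespace tolerated.
_ENV_LINE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')
# Key names that normally hold a secret rather than plain configuration (heuristic).
_SENSITIVE = re.compile(r'PASS|SECRET|TOKEN|PRIVATE|CREDENTIAL', re.I)

# Assumed probe set: /.env is the file this advisory is about; the others are
# common dotfile leaks worth checking at the same time.
DEFAULT_PATHS = ("/.env", "/.git/HEAD", "/.htaccess")

# Constructed sample: the body the advisory quotes for GET /.env on a default deployment.
SAMPLE_LEAK = """\
DB_MYSQL_HOST=database
DB_MYSQL_USER=avideo
DB_MYSQL_PASSWORD=avideo
SYSTEM_ADMIN_PASSWORD=admin123
TLS_CERTIFICATE_FILE=/etc/apache2/ssl/localhost.crt
TLS_CERTIFICATE_KEY=/etc/apache2/ssl/localhost.key
NETWORK_SUBNET=172.30.0.0/16
"""
# Constructed sample: an HTML error page, which must not be mistaken for a dotenv.
SAMPLE_DENIED = "<!DOCTYPE html><html><body><h1>Forbidden</h1></body></html>"


def parse_dotenv(body: str) -> dict:
    """Return {KEY: VALUE} for every dotenv-shaped line, skipping blanks and comments."""
    env = {}
    for line in body.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _ENV_LINE.match(line)
        if m:
            env[m.group(1)] = m.group(2).strip("\"'")
    return env


def assess_response(status: int, body: str) -> dict:
    """Classify a response to GET /.env.

    It counts as a leak only when the status is 200 and at least 80% of the
    non-comment lines parse as KEY=VALUE, so an error page that happens to
    contain an '=' is not reported. Returns the parsed key names and the
    subset whose names look like secrets.
    """
    result = {"exposed": False, "keys": [], "sensitive": []}
    if status != 200:
        return result
    candidates = [l for l in body.splitlines() if l.strip() and not l.strip().startswith("#")]
    env = parse_dotenv(body)
    if not candidates or len(env) < max(1, int(0.8 * len(candidates))):
        return result
    result["exposed"] = True
    result["keys"] = sorted(env)
    result["sensitive"] = sorted(k for k in env if _SENSITIVE.search(k))
    return result


def probe_dotfiles(base_url: str, paths=DEFAULT_PATHS, timeout: float = 5.0) -> dict:
    """Fetch each dotfile path from base_url (network access required).

    /.env is run through assess_response(); for the other paths only the
    fact that the server answered 200 is recorded.
    """
    findings = {}
    for path in paths:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "dotfile-check/1.0"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                status, body = resp.status, resp.read(65536).decode("utf-8", "replace")
        except urllib.error.HTTPError as e:   # 403/404 are the expected healthy answers
            status, body = e.code, ""
        except (urllib.error.URLError, OSError) as e:
            findings[path] = {"error": str(e)}
            continue
        if path == "/.env":
            findings[path] = assess_response(status, body)
        else:
            findings[path] = {"status": status, "served": status == 200}
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # python dotfile_check.py http://target
        for path, finding in probe_dotfiles(sys.argv[1]).items():
            print(path, finding)
    else:                                      # offline: classify the constructed sample
        print(assess_response(200, SAMPLE_LEAK))
```

Run it with a base URL to probe a deployment; after the .htaccess or virtual-host rule above is in place, the /.env entry should come back with `exposed: False` (a 403 from Apache) rather than a key list. The 80% threshold is what keeps a PHP or HTML error page that contains a stray `=` from being reported as a leak.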
Affected Packages
wwbn/avideo (PHP):
Affected version(s) >=10.4 <29.0
Fix Suggestion:
Update to version 29.0
CVSS v4
Base Score: 8.7 (High)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Vulnerable System Confidentiality: HIGH
Vulnerable System Integrity: NONE
Vulnerable System Availability: NONE
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE
CVSS v3
Base Score: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: NONE
Availability: NONE
Weakness Type (CWE)
Improper Input Validation (the database's classification field). The advisory body itself assigns CWE-538, Insertion of Sensitive Information into Externally-Accessible File or Directory, which matches the described behaviour: no input is validated incorrectly, a secrets file is simply served from the document root.