Broken Object Property Level Authorization

Broken Object Property Level Authorization in Laravel [CVE-2017-16894]

[Updated March 2026] Updated CVE-2017-16894

Overview

CVE-2017-16894 concerns Laravel up to version 5.5.21, where the environment file (.env) could be exposed via web requests. The writeNewEnvironmentFileWith routine in src/Illuminate/Foundation/Console/KeyGenerateCommand.php uses PHP's file_put_contents to write .env without restricting the resulting file's permissions, and the .env file convention itself is not specific to Laravel. This leads to information disclosure (CWE-200): an attacker can obtain sensitive data such as APP_KEY, database credentials, and other secrets if the file is accessible or misconfigured on the server. The vulnerability stems from insecure defaults and insufficient access control around environment data, making it possible for an attacker to read secrets that should be protected from public access.

Exploitation occurs when an attacker can directly request the .env file (for example, via GET /.env) or when the web server is misconfigured to serve hidden dotfiles. If the server exposes .env or the file permissions are too permissive, the attacker can retrieve credentials and other secrets, enabling further compromise such as database access or lateral movement. This CVE demonstrates a failure of proper object-level authorization controls over environment data and its file handling, enabled by the combination of writing the environment file and not enforcing strict access to it.

Remediation involves securing the environment data at rest and in transit in Laravel deployments. Ensure the web server denies access to dotfiles, move or isolate .env outside publicly served directories, and apply strict permissions to the file after creation. Update any code paths that write to .env to set restrictive permissions (e.g., 0600), and consider handling environment keys through deployment processes that do not expose secrets via web-accessible paths. Additionally, review the server configuration to avoid serving hidden files and ensure the public web root points to Laravel's public directory.

Affected Versions

Laravel framework up to 5.5.21 (5.0.x - 5.5.21 inclusive)

Code Fix Example

Laravel API Security Remediation
<?php
// Vulnerable pattern: file_put_contents creates .env using the process umask,
// so the file typically ends up world-readable (e.g. 0644) with secrets inside.
$envPath = __DIR__ . '/../.env';
$content = "APP_KEY=base64:...\n";
file_put_contents($envPath, $content);

// Fixed pattern: restrict permissions before the secret is written, not only
// afterwards, so there is no window in which a freshly created .env is readable
// by other users on the host.
$envPath = __DIR__ . '/../.env';
$content = "APP_KEY=base64:...\n";
$oldUmask = umask(0077);               // new files are created owner-only (0600)
try {
    file_put_contents($envPath, $content, LOCK_EX);
} finally {
    umask($oldUmask);                  // restore the process umask
}
if (function_exists('chmod')) {
    chmod($envPath, 0600);             // also tighten a pre-existing 0644 .env
}
?>
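The remediation above also asks for the web server not to serve .env and for strict permissions on the file; the following POSIX shell audit is an added example (not code from the page or from Laravel) that checks both on a deployment. It assumes the standard Laravel layout of an .env file beside a public/ directory that is the served web root; the demo layout it builds is constructed, not a real deployment.

```shell
#!/bin/sh
# Added example, not code from the page or from Laravel: audit a Laravel
# deployment for the .env remediation (assumes <app>/.env and <app>/public).

# Return 0 when $1 is a regular file with mode 0600 (owner read/write only).
env_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Return 0 when no .env-style file sits anywhere under the web root $1,
# i.e. nothing the web server could hand out on a request for /.env.
no_env_in_webroot() {
    [ -d "$1" ] || return 1
    found=$(find "$1" -name '.env*' 2>/dev/null | head -n 1)
    [ -z "$found" ]
}

# Audit application root $1; print one line per check, return 1 on any FAIL.
audit_laravel_env() {
    app="$1"; status=0
    if env_mode_ok "$app/.env"; then
        echo "OK   $app/.env is mode 0600"
    else
        echo "FAIL $app/.env missing or not mode 0600"; status=1
    fi
    if no_env_in_webroot "$app/public"; then
        echo "OK   no .env under served web root $app/public"
    else
        echo "FAIL .env found under served web root $app/public"; status=1
    fi
    return $status
}

# Constructed demo layout (not a real deployment): one compliant app and one
# with a world-readable .env that was also copied into public/. Prints root.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/good/public" "$d/bad/public"
    printf 'APP_KEY=base64:PLACEHOLDER\n' > "$d/good/.env"
    chmod 600 "$d/good/.env"
    printf 'APP_KEY=base64:PLACEHOLDER\n' > "$d/bad/.env"
    chmod 644 "$d/bad/.env"
    cp "$d/bad/.env" "$d/bad/public/.env"
    echo "$d"
}
```

Run `audit_laravel_env /path/to/app` on a real host; a non-zero exit means at least one of the two conditions from the remediation is not met.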

CVE References
