H3-2022-0046
Rails Database Configuration File Exposure
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 7.5 |
Description
Ruby on Rails applications store database configuration information in a file named config/database.yml. By default it contains three configurations: production, development, and test. The information stored in this file is highly sensitive and should not be found in a production system.
Impact
Attackers can enumerate the host system and the Ruby configuration by viewing this file.
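
As an added example (not part of the original advisory), the Ruby script below reports which credential fields in a `config/database.yml` are stored as literal values per environment, and would therefore be disclosed if the file were readable. The sample file, the key list and the function name `literal_credentials` are constructed for illustration.

```ruby
require "yaml"

CREDENTIAL_KEYS = %w[username password url].freeze
ERB_MARK = "__ERB__" # stand-in for <%= ... %> tags, which Rails evaluates via ERB

# Constructed sample following the production/development/test layout.
SAMPLE = <<~'YML'
  default: &default
    adapter: postgresql
    host: localhost

  development:
    <<: *default
    database: app_dev
    username: dev
    password: devpass

  test:
    <<: *default
    database: app_test

  production:
    <<: *default
    database: app_prod
    username: app
    password: <%= ENV["APP_DATABASE_PASSWORD"] %>
YML

# Returns { environment => [credential keys stored as literal values] }.
# Only key names are reported; the values themselves are never returned.
def literal_credentials(text)
  # Mask ERB tags first so the file parses as plain YAML without evaluating code.
  masked = text.gsub(/<%.*?%>/m, ERB_MARK)
  config = YAML.safe_load(masked, aliases: true) || {}
  config.each_with_object({}) do |(env, settings), report|
    next unless settings.is_a?(Hash)
    keys = settings.select { |key, value|
      CREDENTIAL_KEYS.include?(key) && !value.nil? && !value.to_s.include?(ERB_MARK)
    }.keys.sort
    report[env] = keys unless keys.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE
  literal_credentials(text).each { |env, keys| puts "#{env}: literal #{keys.join(', ')}" }
end
```

Run it with the path to a real `database.yml` as the first argument; values sourced from `ENV` through ERB are treated as externally supplied and are not reported.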