Context
The .env file is the file containing the secrets loaded from the source code in production or development environment.
Such file should never be deployed in production as it contains at least development secrets which are potentially reused in production.
Impacted Assets
Each asset concerned in the credentials of the .env file
Exploit or command to run
There is no command to run, .env file is usually located in https://web-server-path/.env.
Consequences
In the scenario the credentials grants access to the public code repository, confidentiality and integrity of source code can be compromised. Such files may also contain database connection credentials, this scenario combined with publicly exposed databasecan lead to direct impact on stored data.
Remediation
The only two solution is either to restrict access to the file modifying the server configuration file. Modifying the .htaccess as in the following code will restrict access to .env file:
# Deny access to .env
<Files .env>
Order allow,deny
Deny from all
</Files>
The other solution is to delete the deployed file as no .env file should deployed, wether its access is restricted or not.