I might still try the “get the website to leak the secret or gain access to the server” option
• from 21fe8af59374b868
Go ahead! I don't think there are any vulnerabilities that'd let you get the PHP source, but do let me know if you find one. The actually important stuff (database credentials) is stored in environment variables, so I'm not too worried about people poking around. Just, like, be a good Netizen, don't do anything harmful.