Published: October 23, 2015

Securing Magento Cacheleak, Backupleak and Sessionleak

Magento Cacheleak is an implementation vulnerability: the result of a badly implemented web-server configuration for the Magento platform. With such a configuration the web-server ignores all or some of the .htaccess files shipped with the Magento distribution, or some directives from these files, and therefore all private directories, including var/, var/backups/, var/cache/, var/session/ and so on, are exposed to the public. Anyone can then get the list of backups or sessions and download them, extract data values from cache files and finally obtain full control over such a Magento installation.

Why?

Originally, Magento was developed to work under the Apache web-server, which natively works with .htaccess files, so all the configuration directives needed for the various folders were placed in .htaccess files. As time passed, Magento was adopted by the community to work with almost any web-server; however, most of these web-servers either ignore .htaccess files or require special modules to be loaded, and people who install or configure Magento usually pay little or no attention to anything but fatal errors.

How to check if your web-server configuration is vulnerable

Simply open the var/, var/cache/, var/session/ and var/backups/ directories in your browser by appending them to your domain: http://your-magento-front.end/var/ or http://your-magento-front.end/var/cache/. Ideally, you should see a 403 Forbidden or 404 Not Found page. If vulnerable, you will see a directory listing allowing you to browse and download anything you like, be it cached passwords or a backup with the saved payment methods of your customers.
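The same check, scripted so it can be run against your own shop after every hosting or configuration change. This is an added example and not part of the original post; the hostname http://your-magento-front.end is the placeholder from the article, and the listing markers are the strings Apache mod_autoindex and nginx autoindex put into their generated index pages.

```python
"""Check whether a Magento front end exposes its private var/ directories."""
import sys
import urllib.error
import urllib.request

# Directories the article tells you to check, relative to the Magento root.
PRIVATE_DIRS = ("var/", "var/cache/", "var/session/", "var/backups/")

# Strings that betray an auto-generated directory index (Apache mod_autoindex,
# nginx autoindex). Matched case-insensitively against the response body.
LISTING_MARKERS = ("<title>index of", "parent directory", 'href="../"')


def classify(status, body):
    """Classify one HTTP response for a private directory.

    Returns one of:
      "protected" - 403 or 404, which is what the article says you should see
      "listing"   - 200 with a directory index: the vulnerable case
      "reachable" - 200 without a listing (e.g. a dummy index file is in place)
      "other"     - anything else (connection failure, 5xx); inspect by hand
    """
    if status in (403, 404):
        return "protected"
    if status == 200:
        lowered = body.lower()
        if any(marker in lowered for marker in LISTING_MARKERS):
            return "listing"
        return "reachable"
    return "other"


def fetch(url, timeout=10):
    """Return (status, body) for url; HTTP error responses are returned, not raised.

    urllib follows redirects itself, so the status seen here is the final one.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "magento-var-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")
    except urllib.error.URLError as err:
        # Connection-level failure: status 0 so classify() reports "other".
        return 0, str(err.reason)


def check_site(base_url, fetcher=fetch):
    """Check every private directory under base_url; returns {path: verdict}.

    `fetcher` is injectable so the logic can be exercised offline.
    """
    base_url = base_url.rstrip("/") + "/"
    return {path: classify(*fetcher(base_url + path)) for path in PRIVATE_DIRS}


if __name__ == "__main__":
    # Placeholder hostname from the article; pass your own shop URL as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "http://your-magento-front.end"
    verdicts = check_site(target)
    for path, verdict in verdicts.items():
        print(f"{path:14s} {verdict}")
    sys.exit(1 if "listing" in verdicts.values() else 0)
```

A "listing" verdict on any of the four paths means the .htaccess rules are not being honoured and the fixes below apply. "reachable" is what you get once a dummy index file is in place: the listing is gone, but the directory is still served, so files whose names are known or guessable remain downloadable until the web-server itself denies the location.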

What can be done to secure it

Ensure that .htaccess files are in place

Navigate to the var/, var/cache/, var/session/ and var/backups/ directories via FTP, SSH or any file manager and ensure that there is a .htaccess file in each directory. You may need to enable your FTP or SSH client to show hidden files (files starting with a dot character are considered hidden). If the files are not there, upload any missing files from the original Magento distribution. The .htaccess file contains just two lines:
Order deny,allow
Deny from all

Ensure that your web-server honors all directives from .htaccess files

Submit a request to your hosting support and ask for confirmation that the web-server in use can read and load configuration from all .htaccess files, including the files under the var/, var/cache/, var/session/ and var/backups/ directories.

Embed all configuration directly into web-server config

If .htaccess files are not supported by the web-server, ask your hosting support to embed all configuration from the .htaccess files directly into the web-server config file.

Upload dummy index files to prevent directory listing

As a temporary solution you can upload an empty index.php or index.html file into every such directory to prevent directory listing. It forces the web-server to output the content of the index file (empty) rather than the directory listing. To make the response look like a genuine refusal, you can even output 403 Forbidden from such a dummy index.php file:
<?php
// Send the 403 status before any output, then mimic the standard Apache error page
header('HTTP/1.0 403 Forbidden');
?><!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this directory
on this server.</p>
</body></html>

Some specific configuration examples for popular web-servers

Apache / Apache2
Works out of the box. If it does not, then someone broke it. Ask your hosting support to add the “AllowOverride All” directive to the web-server config for your Magento root directory:
AllowOverride All
nginx
Ask your hosting support or server admin to deny access to the /var/ location for everyone. A sample snippet for the nginx configuration file can look like the following:
# ^~ makes this prefix match final, so a later regex location
# (for example a PHP handler such as ~ \.php$) cannot take over requests under /var/
location ^~ /var/ {
  # return answers immediately with 403; deny all is kept as a second line of defence
  return 403;
  deny all;
}
If you have difficulties implementing a proper web-server configuration, please let us know in the comments, so we can find a solution together.

Posted in: Configuration
