OCT 23 2015

Securing Magento Cacheleak, Backupleak and Sessionleak

Magento Cacheleak is an implementation vulnerability, the result of a bad web-server configuration for the Magento platform. With such a configuration the web-server ignores all or some of the .htaccess files shipped with the Magento distribution, or some of the directives in those files, and therefore all private directories, including var/, var/backups/, var/cache/, var/session/ and so on, are exposed to the public. Anyone can then list the backups or sessions and download them, extract data values from cache files and finally obtain full control over such a Magento installation.


Originally, Magento was developed to work under the Apache web-server, which natively works with .htaccess files, so all the configuration directives specific to the various folders were placed in .htaccess files. As time passed, Magento was adapted by the community to work with almost any web-server; however, most of these web-servers either ignore .htaccess files or require special modules to be loaded, and people who install or configure Magento usually pay little or no attention to anything but fatal errors.

How to check if your web-server configuration is vulnerable

Simply open the var/, var/cache/, var/session/, var/backups/ directories in your browser by appending them to your domain: http://your-magento-front.end/var/ or http://your-magento-front.end/var/cache/. Ideally, you should see a 403 Forbidden or 404 Not Found page. If vulnerable, you will see a directory listing allowing you to browse and download anything you like, whether it be cached passwords or a backup containing the saved payment methods of your customers.
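The manual browser check above can be scripted so it is repeated after every hosting change. The following is an added example, not code from the original post: it requests each private directory named in the post and classifies the response. The assumptions (not from the post) are that the shop is reachable over HTTP(S) from where the script runs and that an Apache or nginx directory listing carries "Index of" in its title; the fetcher is injectable so the classification can be exercised without a network.

```python
"""Probe the private Magento directories and classify each HTTP response.

Added example (not part of the original post). Assumes the site is reachable
from this host and that autoindex pages contain "<title>Index of ...".
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# Directories named in the post; each should answer 403 or 404.
PRIVATE_DIRS = ("var/", "var/cache/", "var/session/", "var/backups/")

# Apache mod_autoindex and nginx autoindex both title the page "Index of /...".
LISTING_RE = re.compile(r"<title>\s*Index of", re.IGNORECASE)


def classify_response(status: int, body: str) -> str:
    """Return 'protected', 'listing', 'served' or 'other' for one response.

    'listing' is the Cacheleak case: the directory is browsable.
    'served' is a 200 without a listing, e.g. a dummy index file; that hides
    the listing but does not stop direct requests for known file names.
    """
    if status in (401, 403, 404):
        return "protected"
    if status == 200:
        return "listing" if LISTING_RE.search(body) else "served"
    return "other"


def http_fetch(url: str) -> Tuple[int, str]:
    """Default fetcher: (status, first 64 KiB of body), HTTP errors included."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


def probe_site(base_url: str,
               fetch: Callable[[str], Tuple[int, str]] = http_fetch,
               dirs=PRIVATE_DIRS) -> Dict[str, str]:
    """Probe every private directory under base_url; returns {path: verdict}."""
    base = base_url.rstrip("/") + "/"
    return {d: classify_response(*fetch(base + d)) for d in dirs}


if __name__ == "__main__":
    import sys
    # Placeholder host from the post; pass your own front end as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "http://your-magento-front.end"
    for path, verdict in probe_site(target).items():
        print(f"{verdict:10s} {path}")
```

Anything other than `protected` deserves a look: `listing` is the vulnerable case the post describes, and `served` usually means a dummy index file is in place rather than a real access restriction.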

What can be done to secure it

Ensure that .htaccess files are in place

Navigate to the var/, var/cache/, var/session/, var/backups/ directories via FTP, SSH or any file manager and ensure that there is a .htaccess file in each directory. You may need to enable your FTP or SSH client to show hidden files (files starting with a dot character are considered hidden). If the files are not there, upload the missing files from the original Magento distribution. The .htaccess file contains just two lines:
Order deny,allow
Deny from all
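The same check can be run on the server itself. The following is an added example, not part of the original post or the Magento distribution: it walks the directories named above, reports whether each carries a .htaccess that denies access, and can write the two-line file quoted above where it is missing. It assumes the Magento document root is passed on the command line (a placeholder path is used by default) and also accepts the Apache 2.4 form `Require all denied` as equivalent to `Deny from all`.

```python
"""Audit (and optionally restore) the .htaccess files in Magento's private
directories. Added example, not from the original post; the document root
is a placeholder supplied by the caller.
"""
import os
from typing import Dict, Iterable

PRIVATE_DIRS = ("var", "var/cache", "var/session", "var/backups")
# The two lines quoted in the post (Apache 2.2 syntax).
HTACCESS_BODY = "Order deny,allow\nDeny from all\n"


def htaccess_state(directory: str) -> str:
    """'missing' (no file), 'weak' (file without a deny rule) or 'ok'."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return "missing"
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = [line.strip().lower() for line in fh]
    # Apache 2.2 form from the post, or the 2.4 equivalent.
    if "deny from all" in lines or "require all denied" in lines:
        return "ok"
    return "weak"


def audit(root: str, dirs: Iterable[str] = PRIVATE_DIRS,
          fix: bool = False) -> Dict[str, str]:
    """Return {relative_dir: state}. With fix=True a missing .htaccess is
    written from HTACCESS_BODY and reported as 'fixed'; a 'weak' file is left
    for a human to inspect, since it may hold other directives."""
    result: Dict[str, str] = {}
    for rel in dirs:
        directory = os.path.join(root, rel)
        if not os.path.isdir(directory):
            # e.g. var/backups does not exist until the first backup is made
            result[rel] = "absent"
            continue
        state = htaccess_state(directory)
        if state == "missing" and fix:
            with open(os.path.join(directory, ".htaccess"), "w",
                      encoding="utf-8") as fh:
                fh.write(HTACCESS_BODY)
            state = "fixed"
        result[rel] = state
    return result


if __name__ == "__main__":
    import sys
    # Placeholder path; pass the real Magento root as argv[1], "--fix" to repair.
    root = sys.argv[1] if len(sys.argv) > 1 else "/path/to/magento"
    for rel, state in audit(root, fix="--fix" in sys.argv).items():
        print(f"{state:8s} {rel}")
```

A directory reported as `ok` here is only protected if the web-server actually honours .htaccess files, which is the next point.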

Ensure that your web-server honors all directives from .htaccess files

Submit a request to your hosting support and ask for confirmation that the web-server in use reads and loads configuration from all .htaccess files, including the files under the var/, var/cache/, var/session/, var/backups/ directories.

Embed all configuration directly into web-server config

If .htaccess files are not supported by the web-server, ask your hosting support to embed all the configuration from the .htaccess files directly into the web-server config file.

Upload dummy index files to prevent directory listing

As a temporary solution you can upload an empty index.php or index.html file into every such directory to prevent directory listing. It forces the web-server to output the content of the index file (empty) rather than the directory listing. Note that this only hides the listing: a file whose name is known can still be requested directly, so it is no substitute for the .htaccess rules. To make the response look more convincing you can even output 403 Forbidden from such a dummy index.php file:
<?php
// header() must run before any output, so the PHP block comes first
header('HTTP/1.0 403 Forbidden');
?>
<title>403 Forbidden</title>
<p>You don't have permission to access this directory on this server.</p>

Some specific configuration examples for popular web-servers

Apache / Apache2
It works out of the box; if it does not, someone broke it. Ask your hosting support to add the "AllowOverride All" directive to your web-server config for the Magento root directory:
AllowOverride All
Nginx
Ask your hosting support or server admin to deny access to the /var/ location for everyone. Sample code to apply in the nginx configuration file looks like the following:
location /var/ {
  # deny all answers 403 on its own; a "return 403;" here would only make it redundant
  deny all;
}
# If a regex location (for example one matching \.php$) would take precedence
# over this prefix, declare it as "location ^~ /var/" so the prefix match wins.
If you have difficulties implementing a proper web-server configuration, please let us know in the comments, so we can find a solution together.

Posted in: Configuration

  • Vicky Toshach

    What should be inside the .htaccess file? You have an example of what the index file should be, but not for .htaccess. I asked my host company to read this and what they did was install the index.php file. Is this enough?

    • magentary

      .htaccess file in var/ contains just two lines:
      Order deny,allow
      Deny from all

      Dummy index.php should be considered only a temporary solution; unlike .htaccess it does not block access to files if you type the filename directly.