Magento Forum

FYI Magento Users
 
Periculi
Sr. Member
 
Total Posts:  249
Joined:  2009-02-03
 

Please refer to this from the Zend Framework website Recommended Installation.
Read through the sections from the beginning and take a look at the folder structure proposed for a ZF application.

Now take a look at your magento install.

Where are the Zend Framework and the rest of the sensitive application files located?  Do they follow this simple guideline from the ZF website:

For security reasons, it is advisable to keep your application’s scripts in a directory that your web server does not make publicly accessible. In this case, index.php quickly hands over control to the bootstrap.php file, which resides in the more secure application directory.

Seems like that isn’t the case.

So, is magento secure?  Does it really follow industry standards for securing php applications?

Maybe most of the files aren’t really that important to secure in this manner.  But what about the var/ folder and media/ folders?  What about local.xml?

 
 
demonkoryu
Guru
 
Total Posts:  328
Joined:  2008-11-26
Dortmund, Germany
 

Thanks for the heads-up!
You’re right, that should be fixed. But you can do it yourself, just add a few rules to .htaccess.
Have you filed a bug already?
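As an added example of the .htaccess approach suggested above (this is not code from the thread and not a file shipped with Magento): a small POSIX shell script that drops a deny-all .htaccess into the app/, lib/ and var/ directories discussed in this thread while leaving media/ servable. It assumes Apache is honouring .htaccess files under the document root (AllowOverride Limit or All); the demo layout it builds is a constructed stand-in, not a real store.

```shell
#!/bin/sh
# Added example, not code from the thread or from Magento: write an Apache
# .htaccess into each directory that should never be served directly.
# Assumes Apache processes .htaccess files under the document root
# (AllowOverride Limit or All). Both the 2.2 and 2.4 access-control
# syntaxes are emitted so the same file works on either version.

# write_deny_htaccess DIR: create DIR/.htaccess that refuses every request.
write_deny_htaccess() {
    dir=$1
    [ -d "$dir" ] || return 1
    cat > "$dir/.htaccess" <<'EOF'
# Block direct web access to this directory and everything below it.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# is_web_denied DIR: succeed if DIR carries the deny-all rule.
is_web_denied() {
    grep -q 'Require all denied' "$1/.htaccess" 2>/dev/null
}

# protect_magento_tree WEBROOT: deny web access to the code, library and
# runtime-data directories named in the thread. media/ is deliberately
# skipped because product images are loaded by the browser via <img> tags.
# Prints the number of directories protected.
protect_magento_tree() {
    webroot=$1
    n=0
    for sub in app lib var; do
        if write_deny_htaccess "$webroot/$sub"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Demo on a constructed, throwaway layout (no real store is touched).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/app/etc" "$demo_root/lib" "$demo_root/var" "$demo_root/media"
echo '<config/>' > "$demo_root/app/etc/local.xml"
echo "protected: $(protect_magento_tree "$demo_root") directories"
for d in app lib var media; do
    if is_web_denied "$demo_root/$d"; then echo "$d: denied"; else echo "$d: served"; fi
done
rm -rf "$demo_root"
```

Because app/.htaccess applies to everything beneath it, app/etc/local.xml (the file with the database credentials) is covered by the same rule; a quick check after deploying is to request one of those paths in a browser and confirm a 403 rather than the file contents.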

 
 
Periculi
Sr. Member
 
Total Posts:  249
Joined:  2009-02-03
 

I don’t have much faith in the issue tracking. 

What other steps would you suggest?

 
 
Sindre|ProperHost
Mentor
 
Total Posts:  1158
Joined:  2008-04-24
 

I believe you can move the ‘app’ directory outside your www directory, then modify the path to app/Mage.php in your index.php.

 
 
Periculi
Sr. Member
 
Total Posts:  249
Joined:  2009-02-03
 

That does work, but you also need to include the lib/ folder for that.  Just moving app/ will give you errors where files can’t be found, and the ZF is located in lib/ anyhow.

So that’s cool, but just out of curiosity - it’s just been bugging me to have 0777 permissions required on var/ and media/ to operate Magento ever since my first install.
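As an added example of the move described in this exchange (not code from the thread or from Magento): a shell script that relocates app/ and lib/ together to a private directory beside the web root and rewrites the require path in index.php. It assumes the stock index.php loads the framework with the line `$mageFilename = 'app/Mage.php';` and that Mage.php finds lib/ relative to the parent directory of app/; both are assumptions about the 1.x layout, and the tree the demo builds is a constructed stand-in.

```shell
#!/bin/sh
# Added example, not code from the thread or from Magento: move app/ and
# lib/ together out of the web root and point index.php at the new location.
# Assumes the stock Magento 1.x index.php loads the framework with the line
#     $mageFilename = 'app/Mage.php';
# and that Mage.php resolves lib/ relative to the parent of app/, which is
# why both directories must travel together (the point made above).

# relocate_private_dirs WEBROOT PRIVATE: move app/ and lib/ into PRIVATE
# (a directory the web server does not serve) and rewrite index.php.
relocate_private_dirs() {
    webroot=$1
    private=$2
    [ -f "$webroot/index.php" ] || return 1
    mkdir -p "$private"
    for d in app lib; do
        [ -d "$webroot/$d" ] || return 1
        mv "$webroot/$d" "$private/$d"
    done
    # Rewrite the require path; keep index.php.bak for an easy rollback.
    sed -i.bak "s|'app/Mage.php'|'$private/app/Mage.php'|" "$webroot/index.php"
}

# mage_path_in_index WEBROOT: print the path index.php will require.
mage_path_in_index() {
    sed -n "s/.*mageFilename = '\(.*\)';.*/\1/p" "$1/index.php"
}

# verify_relocation WEBROOT: succeed only if the file index.php points at
# exists and app/ and lib/ are no longer under the web root.
verify_relocation() {
    webroot=$1
    target=$(mage_path_in_index "$webroot")
    [ -n "$target" ] && [ -f "$target" ] \
        && [ ! -d "$webroot/app" ] && [ ! -d "$webroot/lib" ]
}

# Demo on a constructed throwaway layout that mimics the stock tree.
demo=$(mktemp -d)
mkdir -p "$demo/htdocs/app/etc" "$demo/htdocs/lib/Zend" "$demo/htdocs/media"
echo '<?php /* constructed stand-in for Mage.php */' > "$demo/htdocs/app/Mage.php"
printf '%s\n' '<?php' "\$mageFilename = 'app/Mage.php';" 'require_once $mageFilename;' \
    > "$demo/htdocs/index.php"
relocate_private_dirs "$demo/htdocs" "$demo/private"
echo "index.php now requires: $(mage_path_in_index "$demo/htdocs")"
verify_relocation "$demo/htdocs" && echo "relocation OK"
rm -rf "$demo"
```

The private directory should sit outside DocumentRoot but still be readable by the user PHP runs as; after the move, open_basedir (if set) must include it as well, or the require will fail with the same file-not-found errors mentioned above.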

 
 
Sindre|ProperHost
Mentor
 
Total Posts:  1158
Joined:  2008-04-24
 

I believe the media folder needs to be accessible over the www. That’s where all the product images etc are stored and they must be loaded via <img> tags. I’m not sure of the var directory, though.

 
 
Periculi
Sr. Member
 
Total Posts:  249
Joined:  2009-02-03
 

You’re right, media needs to be available.  And in order to add pictures to products it needs to be CHMOD 0777.  So how is it in any way secure?

 
 
Sindre|ProperHost
Mentor
 
Total Posts:  1158
Joined:  2008-04-24
 

Well, the requirements for 777 permissions only apply if the server is not running some kind of suEXEC/suPHP. If PHP scripts are executed under your own user, you only need 755 permissions on directories and 644 permissions on files, which is much more secure.
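As an added example for the 755/644 scheme just described (not code from the thread or from Magento): a shell script that applies it to a tree and then audits for anything left writable by every local user. It assumes PHP runs as the file owner, the suEXEC/suPHP precondition stated above; the tree it operates on in the demo is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from Magento: apply the
# 755-directories / 644-files scheme described above and audit the tree for
# anything still writable by every local user. Assumes PHP runs as the
# file owner (suEXEC/suPHP); with PHP running as a shared web-server user
# this scheme would stop Magento writing to var/ and media/.

# apply_owner_only_perms ROOT: directories 755, files 644, nothing 777.
apply_owner_only_perms() {
    root=$1
    [ -d "$root" ] || return 1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# count_world_writable ROOT: number of entries with the o+w bit set,
# i.e. the 777/666 permissions the thread is worried about.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# count_group_or_world_writable ROOT: entries writable by anyone other than
# the owner; zero means only the PHP/file owner can modify the tree.
count_group_or_world_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) | wc -l | tr -d ' '
}

# Demo on a constructed throwaway tree that starts out the way a shared
# host without suPHP leaves it: 777 on var/ and media/, 666 on a cache file.
demo=$(mktemp -d)
mkdir -p "$demo/var/cache" "$demo/media/catalog" "$demo/app/etc"
echo '<config/>' > "$demo/app/etc/local.xml"
echo 'cached' > "$demo/var/cache/x"
chmod 777 "$demo/var" "$demo/var/cache" "$demo/media" "$demo/media/catalog"
chmod 666 "$demo/var/cache/x"
echo "world-writable before: $(count_world_writable "$demo")"
apply_owner_only_perms "$demo"
echo "world-writable after:  $(count_world_writable "$demo")"
echo "group/world-writable:  $(count_group_or_world_writable "$demo")"
rm -rf "$demo"
```

Run the audit function alone (without applying anything) on an existing install to see how many entries a world-writable var/ and media/ actually expose; on a shared host every other account on the box can write to those.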

 
 
chiefair
Mentor
 
Total Posts:  1848
Joined:  2009-06-04
 
Periculi - 24 April 2009 11:22 PM

Please refer to this from the Zend Framework website Recommended Installation.
Read through the sections from the beginning and take a look at the folder structure proposed for a ZF application.

Link results in Error. Where has the page been moved to?

 
 
CT Schubert
Sr. Member
 
Total Posts:  197
Joined:  2008-10-08
Southern California
 
Sindre|ProperHost - 25 April 2009 10:06 AM

Well, the requirements for 777 permissions only apply if the server is not running some kind of suEXEC/suPHP. If PHP scripts are executed under your own user, you only need 755 permissions on directories and 644 permissions on files, which is much more secure.

This ^^

Which is why it is important, when choosing a host, that they are Magento compliant, and/or, when setting up your own server/VPS, that you install suEXEC/suPHP.

 
 
i960
Guru
 
Total Posts:  633
Joined:  2007-10-01
Bakersfield, CA
 
Sindre|ProperHost - 25 April 2009 03:41 AM

I believe you can move the ‘app’ directory outside your www directory, then modify the path to app/Mage.php in your index.php.

What happens if you do that and then try to perform an upgrade via Magento Connect?  Will it know where to find the app directory?  I would be thrilled if I could get as much as possible out of the web accessible directory, I’m just unsure of the consequences.

 