Please refer to this from the Zend Framework website: Recommended Installation.
Read through the sections from the beginning and take a look at the folder structure proposed for a ZF application.
Now take a look at your magento install.
Where are the Zend Framework and the rest of the sensitive application files located? Do they follow this simple guideline from the ZF website:
"For security reasons, it is advisable to keep your application’s scripts in a directory that your web server does not make publicly accessible. In this case, index.php quickly hands over control to the bootstrap.php file, which resides in the more secure application directory."
Seems like that isn’t the case.
So, is magento secure? Does it really follow industry standards for securing php applications?
Maybe most of the files aren’t really that important to secure in this manner. But what about the var/ folder and media/ folders? What about local.xml?
Thanks for the heads-up!
You’re right, that should be fixed. But you can do it yourself, just add a few rules to .htaccess.
Have you filed a bug already?
That does work but you also need to include the lib/ folder for that. Just moving app/ will give you errors where files can’t be found, and the ZF is located in lib/ anyhow.
So that’s cool, but just out of curiosity: it’s just been bugging me to have 0777 permissions required on var/ and media/ to operate Magento ever since my first install.
I believe the media folder needs to be accessible over the www. That’s where all the product images etc are stored and they must be loaded via <img> tags. I’m not sure of the var directory, though.
Well, the requirement for 777 permissions only applies if the server is not running some kind of suEXEC/suPHP. If PHP scripts are executed under your own user, you only need 755 permissions on directories and 644 permissions on files, which is much more secure.
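The two suggestions in this thread so far (deny rules in .htaccess for the directories that should never be served, and 755/644 permissions instead of 777 once PHP runs as the file owner) put together as a script. This is an added example, not Magento's own code or anything a poster wrote. It assumes Apache 2.2-style Order/Deny directives are permitted by AllowOverride (Apache 2.4 without mod_access_compat needs "Require all denied" instead) and that PHP runs as the file owner via suEXEC/suPHP, so no "other" write bit is required anywhere. The directory names app/, lib/, var/, media/ and app/etc/local.xml are Magento's; the function names are mine.

```shell
#!/bin/sh
# Added example for this thread (not Magento's code): lock down the
# web-exposed directories of a Magento 1 install in place.
# Assumptions: Apache 2.2 "Order/Deny" syntax allowed by AllowOverride
# (Apache 2.4 without mod_access_compat needs "Require all denied"), and
# PHP running as the file owner (suEXEC/suPHP), so nothing needs to be
# writable by "other".

# Tell Apache to serve nothing from this directory (app/, lib/, var/ ...).
# Does nothing if the directory does not exist.
deny_all() {
    [ -d "$1" ] || return 0
    printf '%s\n' 'Order deny,allow' 'Deny from all' > "$1/.htaccess"
}

# media/ has to stay readable for <img> tags, but it is also where uploads
# land, so refuse to serve anything that looks like a PHP script from it.
no_script_exec() {
    [ -d "$1" ] || return 0
    cat > "$1/.htaccess" <<'EOF'
# images and downloads only; never hand script-like files to PHP
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Order deny,allow
    Deny from all
</FilesMatch>
EOF
}

# 755 on directories and 644 on files is all suEXEC/suPHP needs; var/ and
# media/ stay writable for the owner (the PHP user) and nobody else.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    # local.xml holds the DB credentials: owner-only (PHP is the owner here)
    if [ -f "$1/app/etc/local.xml" ]; then
        chmod 600 "$1/app/etc/local.xml"
    fi
}

# Number of paths under $1 that are still world-writable (the 0777 setup).
world_writable_count() {
    find "$1" -perm -0002 | wc -l | tr -d ' '
}

# Usage: sh harden.sh /path/to/magento
if [ $# -eq 1 ]; then
    root="$1"
    for d in app lib var includes; do
        deny_all "$root/$d"
    done
    no_script_exec "$root/media"
    fix_perms "$root"
    echo "world-writable paths left: $(world_writable_count "$root")"
fi
```

Run it once after installation and again after any Magento Connect upgrade, since an installer that expects 777 may loosen things again; world_writable_count should report 0 afterwards. The root .htaccess that routes requests to index.php is left untouched, because that one has to stay.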
Please refer to this from the Zend Framework website: Recommended Installation.
Read through the sections from the beginning and take a look at the folder structure proposed for a ZF application.
Link results in Error. Where has the page been moved to?
Well, the requirement for 777 permissions only applies if the server is not running some kind of suEXEC/suPHP. If PHP scripts are executed under your own user, you only need 755 permissions on directories and 644 permissions on files, which is much more secure.
This ^^
Which is why it is important, when choosing a host, that they are Magento compliant, and/or, when setting up your own server/VPS, that you install suEXEC/suPHP.
I believe you can move the ‘app’ directory outside your www directory, then modify the path to app/Mage.php in your index.php.
What happens if you do that and then try to perform an upgrade via Magento Connect? Will it know where to find the app directory? I would be thrilled if I could get as much as possible out of the web accessible directory, I’m just unsure of the consequences.