
local.xml - security issue
 
matmin
Jr. Member
 
Total Posts:  3
Joined:  2009-03-04
 

How come there is no htaccess to prevent access to app/etc/local.xml?

I had to create an htaccess file in the app/etc folder, otherwise anyone could access http://myserver/app/etc/local.xml and read the database passwords!

Here is my solution to prevent access to XML configuration files:

# Block direct HTTP access to every .xml file below this directory (Apache 2.2 syntax)
<FilesMatch "\.xml$">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

matmin

 
 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

They come up as 404 for me.

403 on this demo: http://store.aitoc.com/app/etc/config.xml

403 on this demo: http://ecommerce.aheadworks.com/demo/demo6/app/etc/local.xml

 
 
Vincèn
Sr. Member
 
Total Posts:  289
Joined:  2009-01-03
Grenoble, France
 

Here on my shop I get a forbidden if I try to access that file. It looks like there is a misconfiguration somewhere on your webhost.

Vincèn

 
 
Damian Culotta
Enthusiast
 
Total Posts:  878
Joined:  2008-12-10
Argentina
 

The .htaccess on /app denies access.

 
 
nanos
Member
 
Total Posts:  35
Joined:  2009-08-06
London, UK
 

Hi!

I’m getting a bit mad at myself right now:

I’ve got a .htaccess file in the /app folder with the following content:

Order deny,allow
Deny from all

but I can still access the /app/etc/local.xml and other files in the /app folder.

Can anybody explain that to me? I just don’t understand it.

Thanks in advance!

 
 
Patek
Jr. Member
 
Total Posts:  3
Joined:  2009-10-06
 

Hi Nanos,
I have exactly the same issue as you. Did you find out how to fix it?
Thanks.

 
 
thebod
Moderator
 
Total Posts:  81
Joined:  2010-08-11
 

Hello,

The .htaccess files work on Apache webservers if the “AllowOverride” option doesn’t block the use of .htaccess files.
If your .htaccess files don’t work, please check your webserver configuration or ask your hoster.

For nginx servers please take a look into the nginx documentation about blocking access to directories.

 
 
qfmomen
Jr. Member
 
Total Posts:  3
Joined:  2009-12-22
 
thebod - 28 January 2012 01:23 PM

Hello,

The .htaccess files work on Apache webservers if the “AllowOverride” option doesn’t block the use of .htaccess files.
If your .htaccess files don’t work, please check your webserver configuration or ask your hoster.

For nginx servers please take a look into the nginx documentation about blocking access to directories.

I have installed on IIS and I can see the app/etc/local.xml file in a web browser. The .htaccess is in the app folder and it says

Order deny,allow
Deny from all

Does this mean that .htaccess is ignored when the installation is done on IIS?

Is there any solution? Keep in mind that the installation is done BY IIS.

 
 
reg007
Jr. Member
 
Total Posts:  10
Joined:  2009-06-10
 

IIS ignores the .htaccess files

Just go to your app folder, create a new text document, rename it web.config (no .txt extension) and insert the following:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- IIS request filtering: refuse any request for a .xml file below this folder -->
        <fileExtensions>
          <add fileExtension=".xml" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

Job done!

 
 
shaun
Member
 
Total Posts:  39
Joined:  2007-11-09
Todmorden, UK
 

While we’re at it, it’s still worrying that Magento’s installation procedure creates the local.xml file with world-writeable permissions, i.e. 777.

 
 
thebod
Moderator
 
Total Posts:  81
Joined:  2010-08-11
 

You should be afraid of attackers who read that file - if they are able to write it, it is for sure too late.

Even if 777 might not be the best attributes, it’s far more important that no one can read that file. Everyone who can is able to read the database, including all used credit card data, customer data, and so on…
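As an added example (not from the thread and not part of Magento), a small POSIX shell script that checks the two things this thread is about: whether the files under app/ answer 200 over HTTP instead of 403/404, and whether local.xml's permission bits leave it readable or writable by other local accounts; the store URL and the local file path are assumptions for your own install.

```shell
#!/bin/sh
# Added example, not from the thread: two checks for the problem discussed above.
# 1) check_exposure: is app/etc/local.xml (or config.xml) reachable over HTTP?
# 2) mode_ok: does local.xml grant read/write to "other" users (644, 777, ...)?
# Usage (STORE_URL and the local path are assumptions for your install):
#   . ./check_local_xml.sh; check_exposure https://shop.example.com
#   mode_ok "$(file_mode /var/www/magento/app/etc/local.xml)" && echo "mode ok"

# Map an HTTP status code to a verdict. Return 0 = blocked, 1 = exposed, 2 = unexpected.
classify() {
  case "$1" in
    200)     echo "EXPOSED";         return 1 ;;
    403|404) echo "blocked";         return 0 ;;
    *)       echo "unexpected ($1)"; return 2 ;;
  esac
}

# Print only the HTTP status code for a URL (needs curl and network access).
http_status() {
  curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Probe the two config files the thread mentions; one line per path,
# return 1 unless every path is blocked.
check_exposure() {
  base="$1"; rc=0
  for p in /app/etc/local.xml /app/etc/config.xml; do
    verdict=$(classify "$(http_status "$base$p")") || rc=1
    echo "$p: $verdict"
  done
  return "$rc"
}

# Octal permission bits of a file (GNU stat, with BSD/macOS stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Return 0 if the "other" digit is 0 or 1 (no read, no write for everyone else),
# 1 otherwise: 644 lets any local account read the DB password, 777 lets it change it.
mode_ok() {
  case "$1" in
    *[01]) return 0 ;;
    *)     return 1 ;;
  esac
}
```

A 403 or 404 from check_exposure is the result the moderators above report on a correctly configured host; a 200 means the webserver is not honouring the .htaccess (or web.config) at all.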

 