Magento Issue Tracking

Magento Issue Tracking http://www.magentocommerce.com/bug-tracking/ en MagentoCommerce Copyright {gmt_date format="%Y"} {gmt_date format="%Y-%m-%dT%H:%i:%s%Q"} View Issue #25199 / Security vulnerability in Get.php file allows disc http://www.magentocommerce.com/bug-tracking/issue?issue=10863 Posted: 2011-02-09 11:49:00
Category: Configuration
Version: 1.5.0.0-rc2
Priority: urgent
Status: closed
Reported By: Tom Robertshaw

There's a file called get.php in the root of a magento install. It's purpose seems to be related to loading media images, however it inadvertently allows for database access details to be accessed.

e.g. visiting http://max.local/magento1500/get.php/app/etc/local.xml shows the entire app/etc/local.xml therefore displaying the database login details and encryption key.

]]> RE: Security vulnerability in Get.php file allows disc #1 / Comment by Magento Team

Hell Tom,

We have confirmed this issue and we are already working on it.

Thank you.]]> RE: Security vulnerability in Get.php file allows disc #2 / Comment by Magento Team

Hello Tom Robertshaw,

This issue was fixed. Please check the latest Magento release at http://www.magentocommerce.com/download/

Thank you.]]>