
Retrieving the configuration file local.xml

The local.xml configuration file of your store system is unprotected and gives attackers a way into the system.

Details:

  • The configuration file contains the most essential settings that must be available before the database connection is established, including the database credentials and the URL of the backend.
  • Configuration data must be specially protected if it is located in a directory accessible from the web server, as is the case with Magento 1.
  • For Magento 1, the file can be found under the path app/etc/local.xml.

Solution: Prevent access to local.xml.

The configuration file has to exist at that location, so access to it via the web server must be prevented instead. Depending on the active web server, access protection can be implemented as follows:

Example: Apache

Magento provides by default the file app/.htaccess, which blocks access to the directory app and all subdirectories and contained files. This file has the following content:

Order deny,allow
Deny from all

Other directories in your Magento installation that require protection usually also contain such a file (e.g. var).

  • Compare the version of .htaccess from an original installation archive of your Magento version with the file present in your installation to identify all missing entries.
  • Then copy the missing entries and .htaccess files to the designated place in your store installation directory.
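The comparison described in the two steps above can be scripted. The following is an added example and is not part of the maxcluster page or of Magento itself; it assumes that the original installation archive has been unpacked to a reference directory (hypothetical path /tmp/magento-ref) and that the second argument is the document root of the live store.

```shell
#!/bin/sh
# Added example: list every .htaccess that exists in a reference Magento 1 archive
# but is missing from, or differs in, the store installation.
# Assumed arguments: REF = unpacked original archive, INSTALL = live document root.

# Print "MISSING <relative path>" or "DIFFERS <relative path>" for each
# .htaccess in REF that is absent or changed in INSTALL; identical files are silent.
htaccess_report() {
    ref="$1"
    install="$2"
    find "$ref" -name .htaccess -type f | while read -r path; do
        rel="${path#"$ref"/}"
        if [ ! -f "$install/$rel" ]; then
            printf 'MISSING %s\n' "$rel"
        elif ! cmp -s "$path" "$install/$rel"; then
            printf 'DIFFERS %s\n' "$rel"
        fi
    done
}

# Usage: htaccess_report /tmp/magento-ref /var/www/store
if [ $# -eq 2 ]; then
    htaccess_report "$1" "$2"
fi
```

A DIFFERS line is worth reading in full with diff: a legitimate local change is possible, but a .htaccess whose "Deny from all" has been loosened is exactly the kind of deviation this check exists to catch.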

You can't find the .htaccess file?

If you do not see a file named .htaccess anywhere in your store installation directory, this is probably due to the settings of your FTP client. Because the filename .htaccess starts with a dot, the file is only shown if the display of hidden files is enabled.
The same applies when working via SSH: hidden files are only listed on request, for example by passing the -a option to the ls command.

Example: NGINX

When using NGINX, the protection must be built into the configuration of the domain concerned. For this purpose, use our application templates for Magento 1, in which the protection of the app directory and the local.xml is already integrated.

Alternatively, you can add the following line to userdefined.conf via the rule editor of the affected domain:

# block access to the "/app/" directory
location /app/ { return 403; }

Further recommended actions
  • Also protect the directories of the version control systems Git and SVN as well as macOS .DS_Store files from unauthorized access.
  • Protect folders with log files (for Magento var/log) as well as configuration files (for Magento app/etc). When using Apache, this is usually already preset by the installation of your store system.
  • When using Apache, check in an existing .htaccess file whether access to the corresponding directories or files is blocked. The directories to be protected may themselves contain .htaccess files.
  • When using NGINX, use our application templates, which already protect many application-specific folders and files.
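Whichever web server is in use, the result should be confirmed from the outside once the protection is in place. The following script is an added example, not part of the maxcluster page or its application templates; it assumes curl is installed, takes the store URL as its argument (the value https://shop.example below is a constructed placeholder), and checks the paths named on this page plus representative file names inside them (system.log, .git/config, .svn/entries are assumed examples).

```shell
#!/bin/sh
# Added example: after protecting app/, var/log and the version-control and
# macOS residue named on the page, verify that the web server no longer serves them.
# Assumed: curl is installed; the argument is the public base URL of the store.

# Paths that must not be reachable. local.xml and .DS_Store are from the page;
# the file names under var/log, .git and .svn are assumed representative examples.
SENSITIVE_PATHS='
/app/etc/local.xml
/var/log/system.log
/.git/config
/.svn/entries
/.DS_Store
'

# HTTP status code for one URL; body discarded, redirects not followed.
fetch_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# A protected path answers 403 (or 404 if it does not exist at all); 200 means exposed.
verdict() {
    case "$1" in
        403|404) echo blocked ;;
        200)     echo EXPOSED ;;
        *)       echo "unexpected($1)" ;;
    esac
}

# Test every path under the base URL; one line per path, exit 1 if anything is exposed.
check_store() {
    base="${1%/}"
    rc=0
    for p in $SENSITIVE_PATHS; do
        status=$(fetch_status "$base$p")
        v=$(verdict "$status")
        printf '%s %s (%s)\n' "$v" "$p" "$status"
        if [ "$v" = EXPOSED ]; then
            rc=1
        fi
    done
    return $rc
}

# Usage: ./check-store.sh https://shop.example
if [ -n "${1:-}" ]; then
    check_store "$1"
fi
```

Run it against the final scheme and host of the store (for a site that redirects http to https, pass the https URL), otherwise every path reports a 301 and the "unexpected" lines tell you nothing about the protection. A 200 for local.xml after the change means the rule is in the wrong vhost or a later location block overrides it.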

Do you need assistance?

maxcluster GmbH
24 / 7 Customer support
Telephone:
+49 5251 414130
E-Mail:
support@maxcluster.de