Retrieving the configuration file local.xml
The local.xml configuration file of your store system is unprotected and allows attackers to penetrate the system.
Details:
- The configuration file contains the most essential settings that must be available before the database connection is established, including the access data to the database and the URL of the backend.
- Configuration data must be specially protected if it is located in a directory accessible from the web server, as is the case with Magento 1.
- For Magento 1, the file can be found under the path app/etc/local.xml.
Solution: Prevent access to local.xml.
It is mandatory that the configuration file exists in the specified location, so access to the file via the web server must be prevented. Depending on the active web server, access protection can be implemented as follows:
Example: Apache
Magento provides by default the file app/.htaccess, which blocks access to the directory app and all subdirectories and contained files. This file has the following content:
Order deny,allow
Deny from all
Other directories in your Magento installation that require protection usually also contain such a file (e.g. var).
- Compare the .htaccess files from an original installation archive of your Magento version with the files present in your installation to identify all missing entries.
- Then copy the missing entries and .htaccess files to the designated place in your store installation directory.
You can't find the .htaccess file?
If you do not see a file named .htaccess anywhere in your store installation directory, this could be due to the settings of your FTP program. Because the filename .htaccess starts with a dot, this file will only be visible if you have activated the display of hidden files.
Also when accessing via SSH you have to enable the display of hidden files, for example by adding the parameter -a to the command ls.
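The comparison with the original installation archive described above can be partly automated. The following script is an added example, not part of the original page or of Magento: it walks the store root and reports which of the directories named on this page (app and var, plus app/etc and var/log from the further recommended actions) are covered by a deny-all .htaccess, either in the directory itself or in a parent directory, since Apache applies a directory's .htaccess rules to all of its subdirectories. The store path in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the original page): audit a Magento 1 installation
# for the protective .htaccess files described above. The directory list comes
# from the page (app and var, plus app/etc and var/log from the further actions).
# Run it on the server with the store root as the only argument.

PROTECTED_DIRS="app app/etc var var/log"

# htaccess_denies_all DIR -> success if DIR/.htaccess exists and contains a
# deny-all rule, in Apache 2.2 syntax ("Deny from all", as shipped by Magento)
# or in Apache 2.4 syntax ("Require all denied").
htaccess_denies_all() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    grep -Eiq '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)' "$f"
}

# dir_is_protected ROOT RELDIR -> success if RELDIR or one of its parent
# directories (up to ROOT) carries such a file; Apache applies a directory's
# .htaccess to all of its subdirectories, which is why app/.htaccess also
# covers app/etc/local.xml.
dir_is_protected() {
    root="$1"; rel="$2"
    while :; do
        htaccess_denies_all "$root/$rel" && return 0
        case "$rel" in
            */*) rel="${rel%/*}" ;;   # go one level up
            *)   return 1 ;;          # reached ROOT without finding a rule
        esac
    done
}

# check_magento_root ROOT -> one line per directory; the exit status is the
# number of unprotected directories, so 0 means everything is covered.
check_magento_root() {
    root="${1%/}"
    unprotected=0
    for d in $PROTECTED_DIRS; do
        if dir_is_protected "$root" "$d"; then
            echo "OK          $d (deny-all .htaccess found in it or a parent)"
        else
            echo "UNPROTECTED $d (no deny-all .htaccess in it or any parent)"
            unprotected=$((unprotected + 1))
        fi
    done
    return $unprotected
}

# Usage on the server (placeholder path, uncomment):
# check_magento_root /path/to/store
```

A present file is only half of the check: the rules in it take effect only if the Apache virtual host allows overrides for that directory (AllowOverride), and the Order/Deny syntax that Magento ships requires mod_access_compat on Apache 2.4. After fixing the files, confirm from the outside that a request for app/etc/local.xml is actually refused.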
Example: NGINX
When using NGINX, the protection must be built into the configuration of the domain concerned. For this purpose, use our application templates for Magento 1, in which the protection of the app directory and the local.xml is already integrated.
Alternatively, you can add the following line to userdefined.conf via the rule editor of the affected domain:
# block access to the "/app/" directory
location /app/ { return 403; }
Further recommended actions
- Also protect the directories of the version control systems Git and SVN as well as the macOS files .DS_Store from unauthorized access.
- Protect folders with log files (for Magento var/log) as well as configuration files (for Magento app/etc). When using Apache, this is usually already preset by the installation of your store system.
- When using Apache, check in an existing .htaccess file whether access to the corresponding directories or files is blocked. The directories to be protected may themselves also contain .htaccess files.
- When using NGINX, use our application templates, which already protect many application-specific folders and files.
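Whether the protection comes from .htaccess files or from the NGINX rule above, the result should be verified against the running store. The following script is an added example, not part of the original page or of our templates: it requests each of the files and directories this page names (local.xml, app/.htaccess, var/log, the Git and SVN metadata directories, .DS_Store) from a store URL you operate and reports any that the web server still serves. The file names below the directory level (system.log, HEAD, config, entries) are assumed typical examples; the store URL is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original page): after protecting the directories,
# verify from the outside that the web server really refuses them. Run it only
# against a store you operate. The path list is built from the files and
# directories named on the page; names below the directory level are assumed
# typical examples rather than taken from a specific installation.

SENSITIVE_PATHS="app/etc/local.xml app/.htaccess var/log/ var/log/system.log .git/HEAD .git/config .svn/entries .DS_Store"

# http_status BASE_URL PATH -> prints only the HTTP status code of a GET request.
# --max-time keeps a hung server from blocking the audit; -o /dev/null drops the body.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1/$2"
}

# The status fetcher can be swapped (e.g. for tests or another HTTP client):
# any command taking (BASE_URL PATH) and printing a three-digit status works.
FETCH_STATUS="${FETCH_STATUS:-http_status}"

# verdict STATUS -> EXPOSED when content was served, BLOCKED for 403/404,
# CHECK for anything else (redirects, server errors) that needs a human look.
verdict() {
    case "$1" in
        200)     echo EXPOSED ;;
        403|404) echo BLOCKED ;;
        *)       echo CHECK ;;
    esac
}

# audit_store BASE_URL -> one line per path; the exit status is the number of
# exposed paths, so 0 means the server refused every sensitive location.
audit_store() {
    base="${1%/}"
    exposed=0
    for p in $SENSITIVE_PATHS; do
        status=$("$FETCH_STATUS" "$base" "$p")
        v=$(verdict "$status")
        printf '%-8s %s  %s/%s\n' "$v" "$status" "$base" "$p"
        [ "$v" = EXPOSED ] && exposed=$((exposed + 1))
    done
    return $exposed
}

# Usage against your own store (placeholder URL, uncomment):
# audit_store https://shop.example.invalid
```

A 404 is reported as BLOCKED because the NGINX rule on this page returns 403 while a missing .git directory simply does not exist; a 301 or 302 lands in CHECK, since a redirect to a login page and a redirect that later serves the file look the same from the status code alone and must be followed by hand.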