Retrieving the .env configuration file
The configuration file of your shop system is unprotected and enables attackers to enter the system.
Details:
- The configuration file contains the most essential settings that must be available before the database connection is established, including the access data to the database and the URL of the backend.
- Configuration data must be specially protected if it is located in a directory accessible from the web server, as is the case with Shopware 5.
- In a Composer installation of Shopware 5, the configuration file is located under the name .env in the root directory of the installation.
Solution: Prevent access to .env.
It is mandatory that the configuration file exists in the specified location, so access to the file via the web server must be prevented. Depending on the active web server, access protection can be implemented as follows:
Example: Apache
Shopware provides by default the file .htaccess, which blocks access to the .env file. This file has the following content, among others:
# Restrict access to root folder files
RedirectMatch 404 /(autoload\.php|composer\.(json|lock|phar)|README\.md|UPGRADE-(.*)\.md|CONTRIBUTING\.md|eula.*\.txt|\.gitignore|.*\.dist|\.env.*)$
- Compare the version of .htaccess from an original installation archive of your Shopware version with the file present in your installation to identify any missing entries.
- Copy the newer and security-relevant rules into the .htaccess file of your store installation.
You can't find the .htaccess file?
If you do not see a file named .htaccess anywhere in your store installation directory, this could be due to the settings of your FTP program. Because the filename .htaccess starts with a dot, this file will only be visible if you have activated the display of hidden files.
Also when accessing via SSH you have to enable the display of hidden files, for example by adding the parameter -a to the command ls.
Example: NGINX
When using NGINX, the protection must be built into the configuration of the domain concerned. For this purpose, use our application template for Shopware, in which the protection of the .env file is already integrated.
Alternatively, you can add the following lines to the userdefined.conf via the rule editor of the affected domain:
# block access to the .env file
# (the ~ modifier makes this a regular-expression match; without it NGINX does a
#  literal prefix match on the string "/\.env.*", which never matches /.env)
location ~ /\.env { return 403; }
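To see what the Apache and NGINX rules above actually cover, here is an added Python check that is not part of Shopware or of this article: it applies the .htaccess RedirectMatch pattern and the regex form of the NGINX location rule to a constructed list of request paths, so you can confirm that .env variants at any depth are blocked while normal shop URLs stay open. The probe paths are made up for illustration.

```python
import re

# Pattern quoted from Shopware 5's default .htaccess (see above). Apache applies a
# RedirectMatch regex as an unanchored search over the request path.
APACHE_ROOT_FILES = re.compile(
    r"/(autoload\.php|composer\.(json|lock|phar)|README\.md|UPGRADE-(.*)\.md"
    r"|CONTRIBUTING\.md|eula.*\.txt|\.gitignore|.*\.dist|\.env.*)$"
)

# Regex used by the NGINX rule `location ~ /\.env`; it also matches anywhere in the URI.
NGINX_ENV = re.compile(r"/\.env")


def apache_blocks(path: str) -> bool:
    """True if the .htaccess RedirectMatch rule would answer 404 for this path."""
    return APACHE_ROOT_FILES.search(path) is not None


def nginx_blocks(path: str) -> bool:
    """True if the NGINX location rule would answer 403 for this path."""
    return NGINX_ENV.search(path) is not None


def audit(paths):
    """Map each request path to (blocked_by_apache_rule, blocked_by_nginx_rule)."""
    return {p: (apache_blocks(p), nginx_blocks(p)) for p in paths}


# Constructed probe paths: sensitive files that must be blocked, plus legitimate shop URLs.
PROBES = [
    "/.env", "/.env.local", "/.env.dist", "/custom/plugins/Demo/.env",
    "/composer.json", "/composer.lock", "/README.md", "/UPGRADE-5.6.md",
    "/engine/Shopware/Plugins/Local/README.md", "/config.php.dist",
    "/", "/index.php", "/backend/", "/shopware.php",
]

if __name__ == "__main__":
    # The output also shows that the NGINX rule only covers .env; the other root
    # files listed in the Apache rule still need their own location rules.
    for p, (a, n) in audit(PROBES).items():
        print(f"{p:45s} apache={'blocked' if a else 'open':7s} nginx={'blocked' if n else 'open'}")
```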
Further recommended actions
- Also protect the directories of the version control systems Git and Subversion as well as the macOS files .DS_Store from unauthorized access.
- Protect folders with log files (for Shopware var/log) as well as configuration files. When using Apache this is normally already preset by the installation of your store system.
- When using Apache, check in an existing .htaccess file whether access to the corresponding directories or files is blocked. The directories to be protected may themselves contain .htaccess files.
- When using NGINX, use our application templates, which already protect many application-specific folders and files.