
Retrieving the .env configuration file

The configuration file of your shop system is unprotected. It contains database credentials and other sensitive settings, so an attacker who can download it gains a way into the system.

Details:

  • The configuration file contains the most essential settings that must be available before the database connection is established, including the access data to the database and the URL of the backend.
  • Configuration data must be specially protected if it is located in a directory accessible from the web server, as is the case with Shopware 5.
  • In a Composer installation of Shopware 5, the configuration file is located under the name .env in the root directory of the installation.

Solution: Prevent access to .env.

The configuration file must exist at the specified location, so access to the file via the web server has to be prevented instead. Depending on the active web server, access protection can be implemented as follows:

Example: Apache

By default, Shopware ships a .htaccess file that blocks access to the .env file. Among other rules, it contains the following:

# Restrict access to root folder files
RedirectMatch 404 /(autoload\.php|composer\.(json|lock|phar)|README\.md|UPGRADE-(.*)\.md|CONTRIBUTING\.md|eula.*\.txt|\.gitignore|.*\.dist|\.env.*)$

  • Compare the .htaccess from an original installation archive of your Shopware version with the file present in your installation to identify any missing entries.
  • Copy the newer, security-relevant rules into the .htaccess file of your store installation.

You can't find the .htaccess file?

If you do not see a file named .htaccess anywhere in your store installation directory, this may be due to the settings of your FTP program. Because the filename .htaccess starts with a dot, the file is only visible if you have enabled the display of hidden files.
When accessing the server via SSH, you also have to display hidden files, for example by adding the parameter -a to the ls command.

Example: NGINX

When using NGINX, the protection must be built into the configuration of the domain concerned. For this purpose, use our application template for Shopware, in which the protection of the .env file is already integrated.

Alternatively, you can add the following line to the userdefined.conf via the rule editor of the affected domain:

# block access to the .env file (and variants such as .env.local)
# note the "~" modifier: without it nginx would treat "/\.env.*" as a literal prefix and the rule would never match
location ~ /\.env { return 403; }

Further recommended actions
  • Also protect the directories of the version control systems Git and Subversion as well as the MacOS files .DS_Store from unauthorized access.
  • Protect folders with log files (for Shopware var/log) as well as configuration files. When using Apache this is normally already preset by the installation of your store system.
  • When using Apache, check in an existing .htaccess file whether access to the corresponding directories or files is blocked. The directories to be protected may themselves contain .htaccess files.
  • When using NGINX, use our application templates, which already protect many application-specific folders and files.
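To see which request paths the Apache rule quoted above and the NGINX location actually cover, and which of the files named under "Further recommended actions" they leave open, the patterns can be evaluated offline. The following is an added example (not part of this article or of Shopware); it uses Python's re module, which accepts the same pattern syntax, and the request paths are constructed for the check.

```python
import re

# Rule shipped in Shopware 5's .htaccess (copied from the section above).
HTACCESS_PATTERN = re.compile(
    r"/(autoload\.php|composer\.(json|lock|phar)|README\.md|UPGRADE-(.*)\.md"
    r"|CONTRIBUTING\.md|eula.*\.txt|\.gitignore|.*\.dist|\.env.*)$"
)

# Regex location from the NGINX section (location ~ /\.env { return 403; }).
NGINX_PATTERN = re.compile(r"/\.env")


def blocked_by_htaccess(path: str) -> bool:
    """True if Apache's RedirectMatch would answer 404 for this request path.

    RedirectMatch is unanchored at the start, so a match anywhere in the
    path counts; that is why /sub/.env is covered as well as /.env.
    """
    return HTACCESS_PATTERN.search(path) is not None


def blocked_by_nginx(path: str) -> bool:
    """True if the regex location would answer 403 for this request path."""
    return NGINX_PATTERN.search(path) is not None


def unprotected(paths, rule) -> list:
    """Return the request paths that the given rule does NOT cover."""
    return [p for p in paths if not rule(p)]


# Constructed request paths, including files from the recommended-actions list.
SAMPLE_PATHS = [
    "/.env",
    "/.env.local",
    "/shop/.env",
    "/composer.lock",
    "/.git/config",
    "/.DS_Store",
    "/var/log/core_production.log",  # hypothetical log file name
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:32} htaccess={blocked_by_htaccess(p)!s:5} nginx={blocked_by_nginx(p)}")
    print("not covered by .htaccess rule:", unprotected(SAMPLE_PATHS, blocked_by_htaccess))
```

The paths reported as not covered (.git, .DS_Store, var/log) are exactly the ones that need the additional rules listed above; the check models only these two patterns, not every directive in the shipped .htaccess.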

Do you need assistance?

maxcluster GmbH
24 / 7 Customer support
Telephone:
+49 5251 414130
E-Mail:
support@maxcluster.de