Magento Security Issue

Robson

Guest
#1
Your web server is configured incorrectly. As a result, configuration files with sensitive information are accessible from the outside. Please contact your hosting provider.

So, if I access domain.com/app/etc/local.xml, the file opens and shows all information (admin URL, database...).
This happens with any XML file in any directory.

I already applied the permissions fix and set the user/group to nobody:root.
 
Robson

Guest
#3
Thanks, I'm using OLS as a proxy for Apache; the results are almost the same, with losses of a few tenths of a second.
 
Robson

Guest
#4
Maybe can't fix it on OLS

htaccess file doesn’t exist
For sure, if htaccess file does not exist, there is no restriction on who can read the local.xml file, and so, the security warning is displayed
 
#5
If the PHP page is served by OLS directly, the way is to add a static Context to deny access to a particular URL.
Virtual Host->Context->Add->Type:Static->
URL:/app/
Location: ./app
Accessible:No

All access to domain.com/app/* will return 403 Forbidden.

If using OLS as a proxy for Apache, then
<Location /app>
Order deny,allow
Deny from all
</Location>

in Apache's httpd.conf, or
Order deny,allow
Deny from all
in app/.htaccess,
should work as the blog addressed.
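
One way to confirm that the deny rule from post #5 took effect, as an added example that is not part of the original thread: it requests the config file named above and checks that the server answers 403 while the storefront still loads. The function names, the second path and the shop.example host are assumptions made for the illustration.

```python
import sys
import urllib.error
import urllib.request

# /app/etc/local.xml is the file named in the thread; config.xml is an
# assumed second sample under the same /app/ prefix.
SENSITIVE_PATHS = ["/app/etc/local.xml", "/app/etc/config.xml"]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as-is so a redirect to the home page is not read as 200."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url, timeout=10):
    """GET `url` without following redirects and return the status code."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    """200 means the file is being served; 403/404 means the rule works."""
    if status == 200:
        return "EXPOSED"
    return "blocked" if status in (403, 404) else "review"


def audit(base_url, paths=SENSITIVE_PATHS, fetch=http_status):
    """Map each sensitive path to EXPOSED / blocked / review."""
    base = base_url.rstrip("/")
    return {path: classify(fetch(base + path)) for path in paths}


def storefront_ok(base_url, fetch=http_status):
    """The deny rule must not break the shop: the home page still returns 200."""
    return fetch(base_url.rstrip("/") + "/") == 200


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real check: pass your own shop's base URL
        print(audit(sys.argv[1]), "storefront ok:", storefront_ok(sys.argv[1]))
    else:  # constructed statuses for a server without the deny rule
        before = {"/app/etc/local.xml": 200, "/app/etc/config.xml": 200}
        print(audit("http://shop.example", fetch=lambda u: before[u[19:]]))
```

A "review" result (for example a 301 or 302) means the server did not serve the file directly but also did not refuse it, so the final destination should be checked by hand.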
 
Robson

Guest
#6
Hello, thank you for your interest in helping, really, really appreciated your response!

Very interesting. In that case, it will prohibit access only for those who try to navigate to the given file, correct? But the Magento installation will have no problems with it, right?

I'm using OLS + Open Panel, and I'm enjoying it very much. For Open Panel, a default Magento installation loads in less than 1 second; using OLS only, the load time was 0.7 seconds, and TTFB A with 200 milliseconds.

Considering it is Magento, the result is sensational. I'm thinking about saying goodbye to Nginx :cry: :D
 