Magento Config Disclosure

By
Febna V M
Published on
20 Dec 2021
Vulnerability

Description

Magento’s configuration is saved in the file local.xml, which is located in the webroot under app/etc/local.xml. Because it is an xml file, a web server will not parse it and will instead expose it to users directly. Magento prevents this by including an .htaccess file that restricts access to that directory. However, this isn’t enough protection. .htaccess files are specific to the Apache web server. .htaccess is not supported by other web servers, such as nginx. This leaves users in the scenario where any web server other than Apache will default to a setup that allows anyone to download the local.xml file over the Internet.

Mitigation measures

Set the permissions on app/etc/local.xml or /store/app/etc/local.xml in your web server configuration.

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Febna V M
Febna V M
Cyber Security Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
Find surface-level website security issues in under a minute
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.