Magento’s configuration, including its database credentials, is saved in the file local.xml, which lives inside the webroot at app/etc/local.xml. Because it is an .xml file rather than a .php file, the web server does not hand it to PHP; it serves it as a static file, so anyone who requests the URL gets its contents. Magento mitigates this by shipping an .htaccess file that denies access to that directory. However, that is not sufficient protection. .htaccess files are specific to the Apache web server (and even there are only honoured where Apache’s AllowOverride directive permits them); other web servers, such as nginx, ignore them entirely. Any deployment on a web server other than Apache therefore defaults to a configuration in which anyone on the Internet can download local.xml.
Deny access to app/etc/local.xml (or /store/app/etc/local.xml, if the store is installed under a subdirectory such as /store) in the web server’s own configuration, rather than relying on .htaccess.
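The following nginx server block is an added example, not part of the original text or of Magento’s shipped configuration. It shows the deny rules that replace what Apache users get from Magento’s .htaccess files; the hostname, document root and PHP-FPM socket path are assumptions. With only a generic `location /` and `location ~ \.php$` pair, a request for /app/etc/local.xml matches neither PHP nor a deny rule and is served as a static text/xml file, which is the exposure described above.

```nginx
# Added example (not from the original page): nginx configuration for a
# Magento store installed at the web root. Hostname, root and the
# PHP-FPM socket are assumed values.
server {
    listen 80;
    server_name store.example.com;      # assumed
    root /var/www/magento;              # assumed
    index index.php;

    # Deny the app/ tree, where app/etc/local.xml lives. The ^~ prefix
    # match takes priority over the regex locations below, so a request
    # for /app/etc/local.xml never reaches the static-file handler.
    location ^~ /app/ {
        deny all;
    }

    # Catch the same directory when Magento is installed under a
    # subdirectory (e.g. /store/app/etc/local.xml), which the prefix
    # rule above would not match.
    location ~* /app/etc/ {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Only hand real, existing .php files to PHP-FPM.
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

After reloading nginx, verify the fix from outside: `curl -sI https://store.example.com/app/etc/local.xml` (and the /store/... variant, if applicable) should return 403, never 200 with a text/xml body. The `try_files $uri =404;` line in the PHP location is unrelated to local.xml but is the usual companion to this kind of hardening: it prevents a non-existent .php path from being mapped onto an arbitrary file.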