Magento Config Disclosure

Febna V M
Published on
20 Dec 2021


Magento’s configuration is saved in the file local.xml, which is located in the webroot under app/etc/local.xml. Because it is an xml file, a web server will not parse it and will instead expose it to users directly. Magento prevents this by including an .htaccess file that restricts access to that directory. However, this isn’t enough protection. .htaccess files are specific to the Apache web server. .htaccess is not supported by other web servers, such as nginx. This leaves users in the scenario where any web server other than Apache will default to a setup that allows anyone to download the local.xml file over the Internet.

Mitigation measures

Set the permissions on app/etc/local.xml or /store/app/etc/local.xml in your web server configuration.

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Febna V M
Febna V M
Cyber Security Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment