Magento Cacheleak - Vulnerability Database

Magento Cacheleak

Description

Magento Cacheleak is a configuration vulnerability that affects Magento installations served by a web server that does not process .htaccess files. Magento ships Apache-style .htaccess files inside its internal directories to block direct HTTP access to them, so this part of its security model exists only as long as the web server honours those files. nginx has no .htaccess support at all, and Apache ignores the files wherever AllowOverride is set to None, so on such deployments the directories holding cache files, configuration data and application code are served like any other static content, and anyone who can guess or enumerate a path can read them without authentication.

Remediation

Configure your web server to explicitly deny access to Magento's internal directories. The specific implementation depends on your web server:

For nginx:
Add the following location blocks inside the server block of the Magento virtual host (typically a file under /etc/nginx/sites-available/ or /etc/nginx/conf.d/). The ^~ modifier makes each prefix match take precedence over regular-expression locations, so a later location ~ \.php$ or static-asset rule in the same server block cannot serve files under these paths:

location ^~ /app/ { deny all; }
location ^~ /includes/ { deny all; }
location ^~ /lib/ { deny all; }
location ^~ /media/downloadable/ { deny all; }
location ^~ /pkginfo/ { deny all; }
location ^~ /report/config.xml { deny all; }
location ^~ /var/ { deny all; }

The paths above correspond to the Magento 1 directory layout; Magento 2 serves its document root from pub/ and ships an nginx.conf.sample for its own layout. After making changes, check the syntax with nginx -t and apply it with systemctl reload nginx, which re-reads the configuration without dropping in-flight connections.

For Apache:
Verify that the .htaccess files shipped with Magento are still present in each internal directory and that the <Directory> block covering the document root sets AllowOverride All. The Apache 2.4 default is AllowOverride None, which silently ignores every .htaccess file. Alternatively, place the same deny rules directly in the virtual host configuration so that the protection does not depend on per-directory overrides.

Verification:
After applying restrictions, request a file that is known to exist under a restricted path, for example /app/etc/local.xml (which in Magento 1 holds the database credentials and encryption key) and /report/config.xml; each must return 403 Forbidden. Requesting only a directory such as https://yourdomain.com/var/ is not conclusive, because nginx also returns 403 for a directory without an index file when no deny rule is in place. Then review the web server access logs for earlier requests to these paths that were answered with a 2xx status: any such request means the content was served, and if local.xml was among them its credentials must be treated as compromised and the incident investigated.
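The two verification steps above, as an added example script (not code from Invicti or the Magento project). It probes a live site with curl and classifies each response, and it scans an access log for earlier successful requests to the restricted paths. It assumes the nginx/Apache "combined" log format (request path in field 7, status in field 9) and a Magento 1 layout for the probed file paths; the embedded log lines are constructed for the offline demonstration, not real traffic.

```shell
#!/bin/sh
# Added example for this page; not code from Invicti or the Magento project.
# Two checks for the Cacheleak remediation:
#   probe  - request known files under Magento's restricted paths and classify the status
#   audit  - scan a combined-format access log for earlier successful requests to them

# Directory prefixes matching the deny rules in the remediation above.
RESTRICTED_PREFIXES="/app/ /includes/ /lib/ /media/downloadable/ /pkginfo/ /report/config.xml /var/"

# Concrete files to probe. Assumption: a Magento 1 install, where these files exist.
# Probing a file that exists is what makes the test conclusive (see classify_status);
# bare directories such as /var/ are left out because nginx answers 403 for them anyway.
PROBE_PATHS="/app/etc/local.xml /app/Mage.php /includes/config.php /lib/Varien/Object.php /report/config.xml"

# Map an HTTP status to a verdict.
#   403  -> blocked     : what "deny all" / "Require all denied" produce, file present or not
#   2xx  -> exposed     : the file was served
#   else -> unconfirmed : e.g. 404 means the request reached the filesystem or Magento's
#                         router, so no deny rule matched; re-check the path for this install
classify_status() {
    case "$1" in
        403)         echo blocked ;;
        2[0-9][0-9]) echo exposed ;;
        *)           echo unconfirmed ;;
    esac
}

# Probe a live site (needs network and curl). Prints one line per path and
# returns non-zero if anything was served.
probe_site() {
    base="${1%/}"
    exposed=0
    for p in $PROBE_PATHS; do
        status=$(curl -s -o /dev/null -w '%{http_code}' "$base$p")
        verdict=$(classify_status "$status")
        printf '%-12s %s %s\n' "$verdict" "$status" "$p"
        if [ "$verdict" = exposed ]; then
            exposed=$((exposed + 1))
        fi
    done
    [ "$exposed" -eq 0 ]
}

# Print access-log lines where a restricted path was answered with a 2xx status.
# Assumes the nginx/Apache "combined" format: request path is field 7, status is field 9.
# Reads the files given as arguments, or stdin when none are given.
audit_access_log() {
    awk -v paths="$RESTRICTED_PREFIXES" '
        BEGIN { n = split(paths, prefix, " ") }
        $9 ~ /^2[0-9][0-9]$/ {
            for (i = 1; i <= n; i++)
                if (index($7, prefix[i]) == 1) { print; break }
        }' "$@"
}

# Constructed sample log (not real traffic) for trying audit_access_log offline.
# Lines 2 and 4 are hits; line 3 was denied (403); line 5 is an ordinary product image.
SAMPLE_LOG='203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /index.php/customer/account/login/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:10:00:07 +0000] "GET /app/etc/local.xml HTTP/1.1" 200 2048 "-" "curl/8.4.0"
198.51.100.9 - - [10/Jan/2024:10:01:13 +0000] "GET /var/log/exception.log HTTP/1.1" 403 153 "-" "python-requests/2.31"
198.51.100.9 - - [10/Jan/2024:10:01:20 +0000] "GET /var/cache/mage--1/mage---sample HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.77 - - [10/Jan/2024:10:02:00 +0000] "GET /media/catalog/product/a/b/ab.jpg HTTP/1.1" 200 40211 "-" "Mozilla/5.0"'

# Run the audit over the constructed sample; prints the two leaked requests.
audit_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" | audit_access_log
}

# Usage:  sh cacheleak-check.sh probe https://shop.example.com
#         sh cacheleak-check.sh audit /var/log/nginx/access.log
case "${1:-}" in
    probe) probe_site "$2" ;;
    audit) shift; audit_access_log "$@" ;;
esac
```

The status mapping is the point of the probe: only a 403 proves a deny rule is in front of the path, a 2xx proves exposure, and a 404 or redirect proves nothing either way, so those are reported for a manual look rather than counted as a pass. The log audit deliberately keys on the 2xx status rather than on the path alone, so that requests that were already denied do not inflate the list of things to investigate.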
