Magento Config File Disclosure
Description
Magento stores sensitive configuration data, including database credentials and encryption keys, in the app/etc/local.xml file. When web servers are improperly configured, this file may be accessible via direct HTTP requests, allowing unauthorized users to download and read its contents. This vulnerability typically occurs when directory access controls are not properly enforced or when the web server fails to restrict access to XML configuration files.
Remediation
Implement the following measures to prevent unauthorized access to configuration files:
1. Configure your web server to deny direct access to the app/etc/ directory and its contents. For Apache, add the following to your .htaccess file or virtual host configuration:
RedirectMatch 403 /app/etc/

Or use:
<Directory /path/to/magento/app/etc/>
Require all denied
</Directory>

2. For Nginx, add this location block to your server configuration:
location ~* /app/etc/ {
deny all;
}

3. Verify that local.xml has restrictive file permissions (600 or 640) and is owned by the appropriate web server user.
4. Test the configuration by attempting to access https://yourdomain.com/app/etc/local.xml directly - it should return a 403 Forbidden error.
5. Consider moving sensitive configuration outside the web root if your hosting environment permits.
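The following script is an added verification helper, not part of the original advisory, covering steps 3 and 4 together: it checks the on-disk mode of local.xml against the 600/640 requirement and classifies the HTTP status returned for /app/etc/local.xml. The hostname yourdomain.com is the advisory's placeholder, and the local.xml content used in the self-test is a constructed stand-in.

```python
"""Post-remediation checks for Magento app/etc/local.xml exposure (added example)."""
import os
import stat
import tempfile
import urllib.error
import urllib.request

ALLOWED_MODES = {0o600, 0o640}  # the modes step 3 of the remediation permits


def file_mode_ok(path: str) -> bool:
    """Return True if the file's permission bits are exactly 600 or 640."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode in ALLOWED_MODES


def http_status(url: str, timeout: float = 10.0) -> int:
    """GET url and return the HTTP status code, including 4xx/5xx responses."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def exposure_verdict(status: int) -> str:
    """Map the status returned for /app/etc/local.xml to a remediation verdict."""
    if status == 200:
        return "EXPOSED: local.xml is readable over HTTP"
    if status in (401, 403):
        return "BLOCKED: access denied as expected"
    if status == 404:
        return "NOT FOUND: file absent or path rewritten; confirm it exists on disk"
    return f"UNEXPECTED: HTTP {status}, inspect the web server configuration"


def demo_permission_check() -> tuple:
    """Constructed self-test: a 644 copy of local.xml fails, a 640 copy passes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "local.xml")
        with open(path, "w") as fh:
            fh.write("<config><!-- constructed placeholder, no real secrets --></config>\n")
        os.chmod(path, 0o644)          # world-readable: too loose
        loose = file_mode_ok(path)
        os.chmod(path, 0o640)          # owner rw, group r: acceptable
        tight = file_mode_ok(path)
    return loose, tight


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "https://yourdomain.com"
    print(exposure_verdict(http_status(base.rstrip("/") + "/app/etc/local.xml")))
```

Run it with your store's base URL as the first argument; anything other than BLOCKED means the Apache or Nginx rule above is not yet effective.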