Magento Apache Configuration (App/Etc/Local.Xml Accessible Warning)

Magento Apache configuration (app/etc/local.xml accessible warning)

Magento uses .htaccess files in various directories to deny access to the directory trees. You will find them in app, media, var, and wherever else Magento sees fit to stick them. They do various things like deny viewing (app, var), executing (media .htaccess). For these .htaccess files to work, it is really important that the following be set in either the doc root .htaccess or in the virtual server configuration.

Options FollowSymLinks
AllowOverride All

More than likely, Magento detects that the app directory .htaccess file isn't being allowed to deny network access to your app/etc/local.xml file, so all your database credentials and encryption key are visible to anyone with a web browser.

Another issue might be that your file/directory permissions are too lax.

For Magento running under FastCGI, SuPHP or LSAPI

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
chmod 550 pear #for Magento pre 1.5
chmod 550 mage #for Magento 1.5 and up
chmod 550 cron.sh

For Magento running under DSO (mod_php)

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
chmod o+w var var/.htaccess app/etc
chmod 550 pear #for Magento pre 1.5
chmod 550 mage #for Magento 1.5 and up
chmod 550 cron.sh
chmod -R o+w media

For the question below, the app/etc folder is supposed to have the following .htaccess file in place. Trying to read anything through the server should throw a 403 error. Your next step is to get in touch with your web hoster to find out why that file is not being honored.

Order deny,allow
Deny from all

Note: If you are using alternative http servers like nginx, you must search down all of the .htaccess files created in Magento's directory tree and recreate all the .htaccess functions used by Magento in your nginx setups so you have the same file/directory protections as a standard Apache DSO install. Same goes for Windows installations on IIS.

What are the security issues if the local.xml in Magento is publicly accessible?

The world would have your DB connection information, also the crypt key is right there so they can break all your customer's secure information.

Magento blocks access to etc from app via .htaccess in that directory.

Order deny,allow
Deny from all

Magento admin login failed on cloud server

This may help - this isn't my answer but I know its worked for people with the same issue.

Id put your password back as it was - hope you kept a backup!

If you are having trouble to get logged in with the correct username and password, here are some ideas. If you have used google chrome to install magento, use firefox to open magento and edit the app/code/core/Mage/Core/Model/Session/Abstract/Varien.php file within your magento directory and comment those below lines

    $cookieParams = array(
        'lifetime' => $cookie->getLifetime(),
        'path'     => $cookie->getPath()
        // 'domain'   => $cookie->getConfigDomain(),
        // 'secure'   => $cookie->isSecure(),
        // 'httponly' => $cookie->getHttponly()
    );

And use your credentials to log in. I hope this works for you!!!

---

Related Topics