
ShopSecurity - Retrieving the configuration file local.xml

 How can I protect my local.xml?

Please note: The information in this article refers exclusively to our ShopSecurity tool, which you can use to check your shop installations for known and potential security vulnerabilities.

If the local.xml configuration file of your store system is unprotected, attackers can read it and use the access data it contains to gain entry to the system.
  • The configuration file contains the most essential settings that must be available before the database connection is established, including the access data to the database and the URL of the backend.
  • Configuration data must be specially protected if it is located in a directory accessible from the web server, as is the case with Magento 1.
  • For Magento 1, the file can be found under the path app/etc/local.xml.

Solution: Prevent access to local.xml

It is mandatory that the configuration file exists in the specified location, so access to the file via the web server must be prevented. Depending on the active web server, access protection can be implemented as follows:

Example: Apache

Magento provides by default the file app/.htaccess, which blocks access to the directory app and all subdirectories and contained files. This file has the following content:

Order deny,allow
Deny from all

Other directories in your Magento installation that require protection usually also contain such a file (e.g. var).

  • Compare the version of .htaccess from an original installation archive of your Magento version with the file present in your installation to identify all missing entries.
  • Then copy the missing entries and .htaccess files to the designated place in your store installation directory.
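The comparison step above can be scripted. The following is an added example, not part of this article or of Magento itself: a POSIX shell audit that walks a Magento 1 tree and reports every protected directory whose .htaccess is missing or does not deny access. It assumes Apache is the active web server, defaults to the directories app and var named in this article (pass further directory names as arguments to match the .htaccess files in your version's original archive), and builds a small constructed demo tree so it runs stand-alone.

```shell
#!/bin/sh
# Added example (not part of the maxcluster article or of Magento): audit a
# Magento 1 installation for the deny-all .htaccess files that keep app/ (and
# with it app/etc/local.xml) and var/ away from web clients under Apache.
# Usage: check_htaccess_protection /path/to/magento [dir ...]
# Directories default to "app var" (the two named in the article); extend the
# list to match the .htaccess files shipped in your version's original archive.
check_htaccess_protection() {
    root="$1"; shift
    [ $# -gt 0 ] || set -- app var
    rc=0
    # The config file must exist; if it is absent the install is broken, not protected.
    if [ ! -f "$root/app/etc/local.xml" ]; then
        echo "WARN: $root/app/etc/local.xml not found"
    fi
    for dir in "$@"; do
        ht="$root/$dir/.htaccess"
        if [ ! -f "$ht" ]; then
            echo "MISSING: $ht (copy it from the original Magento archive)"
            rc=1
        # Accept the Apache 2.2 form used by Magento and the Apache 2.4 equivalent.
        elif ! grep -Eqi 'Deny from all|Require all denied' "$ht"; then
            echo "INCOMPLETE: $ht exists but does not deny access"
            rc=1
        else
            echo "OK: $ht"
        fi
    done
    return $rc
}

# Constructed demo tree (not a real shop): app/ is protected as shipped,
# var/ has no .htaccess at all, so the audit must report it.
make_demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/app/etc" "$tmp/var/log"
    : > "$tmp/app/etc/local.xml"
    printf 'Order deny,allow\nDeny from all\n' > "$tmp/app/.htaccess"
    echo "$tmp"
}

demo=$(make_demo_tree)
check_htaccess_protection "$demo" || echo "-> at least one directory is exposed to the web server"
```

Run it against your real installation directory and copy each reported file from the original installation archive; the exit status is 1 as long as any directory remains unprotected.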
You can't find the .htaccess file?

If you do not see a file named .htaccess anywhere in your store installation directory, this could be due to the settings of your FTP program. Because the filename .htaccess starts with a dot, this file will only be visible if you have activated the display of hidden files.
The same applies when accessing the server via SSH: hidden files are only listed if you request them explicitly, for example by adding the parameter -a to the ls command (ls -a).

Example: NGINX

When using NGINX, the protection must be built into the configuration of the domain concerned. For this purpose, use our application templates for Magento 1, in which the protection of the app directory and the local.xml is already integrated.

Alternatively, you can add the following line to userdefined.conf via the rule editor of the affected domain:

# block access to the "/app/" directory
location /app/ { return 403; }

Further recommended actions

  • Also protect the directories of the version control systems Git and SVN as well as macOS .DS_Store files from unauthorized access.
  • Protect folders with log files (for Magento var/log) as well as configuration files (for Magento app/etc). When using Apache, this is usually already preset by the installation of your store system.
  • When using Apache, check in an existing .htaccess file whether access to the corresponding directories or files is blocked. Note that the directories to be protected may also contain .htaccess files of their own.
  • When using NGINX, use our application templates, which already protect many application-specific folders and files.

If you require any further assistance, please contact our support team by phone at +49 5251/414130 or by email at support@maxcluster.de