0

I run a magento shop and figured out that there is a security risk. Users can download the logfiles under /var/log/. If they go to https://www.example.com/var/log then a 404 site shows but if they know the exact name of the logfile then they can download it e.g. with https://www.example.com/var/log/system.log.

I read that you can prevent this by placing a .htaccess file in any folder with the following content:

Order deny,allow
Deny from all

But I can still download the log. There is also another log in the same place named setup.log which I can't download.

Both files have their permissions set to 644.

How can I secure my webserver?

https://magentary.com/kb/securing-magento-cacheleak/

Black
  • 136
  • 5
  • This is more of a systems administration question, but what web server are you running? There are additional notes in the link you provided on what to do when .htaccess files don't have effect. – HackneyB Feb 23 '19 at 22:34
  • The webserver runs on apache – Black Feb 24 '19 at 08:43
  • Well, since I'm a web developer and know how to do sys admin on web servers, this just became a security issue... read between the lines and this is a pretty bad security issue. – Nelson Jul 08 '19 at 02:44

2 Answers

1

I think this other question answers yours

https://serverfault.com/questions/22577/how-to-deny-the-web-access-to-some-files

You could use Files/FilesMatch and a regular expression:

<Files ~ "\.log$">
    Order allow,deny
    Deny from all
</Files>

or redirect any access of .log to a 404:

RedirectMatch 404 \.log$
AndrolGenhald
  • 15,436
  • 5
  • 45
  • 50
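A way to confirm the rule actually took effect, as an added example that is not part of the original answer: the script below requests the two log paths named in the question and classifies the HTTP status it gets back. The base URL, the verdict labels and the `fetch` hook (present only so the logic can be exercised without a live server) are assumptions of this example.

```python
"""Probe a shop's log paths over HTTP and report which ones are still served.

Added example for the answer above; it is not code from the original post.
The base URL, the list of paths (taken from the question) and the verdict
labels are assumptions for this demonstration.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Sequence

# Paths named in the question; extend with whatever your install writes.
DEFAULT_PATHS: Sequence[str] = ("/var/log/system.log", "/var/log/setup.log")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: a redirect to a login page would otherwise look like a 200."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url: str) -> int:
    """Return the raw HTTP status for a GET of url, or 0 if the host is unreachable."""
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, headers={"User-Agent": "log-exposure-check"})
    try:
        with opener.open(request, timeout=10) as response:
            return response.status
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here once redirects are off
        return err.code
    except urllib.error.URLError:
        return 0


def classify(status: int) -> str:
    """Map a status code to a verdict for a path that must never be served."""
    if status == 200:
        return "EXPOSED"       # file delivered: the Deny / RedirectMatch rule is not in effect
    if status in (401, 403):
        return "BLOCKED"       # Deny from all / Require all denied
    if status == 404:
        return "HIDDEN"        # RedirectMatch 404, or the file is simply not there
    if 300 <= status < 400:
        return "REDIRECT"      # inspect by hand; canonical-host redirects are common
    if status == 0:
        return "UNREACHABLE"
    return "OTHER"


def probe(base_url: str, paths: Sequence[str] = DEFAULT_PATHS,
          fetch: Callable[[str], int] = http_status) -> Dict[str, str]:
    """Check each path under base_url; fetch is injectable so the logic runs offline in tests."""
    base = base_url.rstrip("/")
    return {path: classify(fetch(base + path)) for path in paths}


def exposed(results: Dict[str, str]) -> List[str]:
    """The paths that came back as EXPOSED, sorted."""
    return sorted(path for path, verdict in results.items() if verdict == "EXPOSED")


if __name__ == "__main__":
    # Placeholder host; pass your own base URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://www.example.com"
    outcome = probe(target)
    for path, verdict in outcome.items():
        print(f"{verdict:12} {target.rstrip('/')}{path}")
    sys.exit(1 if exposed(outcome) else 0)
```

Run it against your own host after adding the rule; the exit status is non-zero while any path is still served. A 404 is recorded as HIDDEN rather than BLOCKED because it cannot tell a `RedirectMatch 404` from a file that does not exist, which is exactly the ambiguity the question describes for the /var/log directory listing. On Apache 2.4 the `Order`/`Deny` directives in the answer only work with mod_access_compat loaded; the native 2.4 form inside the same `<Files>` block is `Require all denied`.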
1

This is a frame challenge answer...

The file structure seems to be set up incorrectly, and subsequently your logs are exposed to the internet. If the file structure is set up properly, this wouldn't even be a problem to begin with.

If your logs are accessible by going to https://www.example.com/var/log, and that is accessing files from /var/log/ then your base URL is pointing directly to the root directory, which is Very Bad™.

Always put your HTTP files in a subdirectory like http, so going to https://www.example.com/ actually hits /http/

If that's already set up, then your logs are being stored in /http/var/log, so configure your logs not to put stuff into the web directory.

Nelson
  • 339
  • 2
  • 10
  • I'm not sure how to change it, since this is Magento standard. I would need to rewrite the core – Black Jul 08 '19 at 06:17
  • @Black That doesn't make sense. Apache controls this, not Magento. Probably should dig into documentation to figure out how to set this up correctly. – Nelson Jul 08 '19 at 06:21
  • And don't take this lightly. Your current web server setup is stupidly insecure. If people are accessing your `/var/log/` files, and realize they're system logs, then they've already accessed all sorts of standard system config files already. – Nelson Jul 08 '19 at 06:25
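The two checks this answer asks for, whether the document root is the filesystem root and whether any log files live inside it, as an added example that is not part of the original answer. The demo tree it builds (an `http/` docroot containing `var/log/system.log` at 644 and `var/log/setup.log` at 600) is constructed here to mirror the question; the function and field names are assumptions of this example.

```python
"""Walk a document root and list the log files that sit inside it.

Added example for the answer above, not code from the original post. The
directory layout built by build_demo_tree is constructed to mirror the
question; the function and field names are this example's own.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

LOG_SUFFIXES = (".log",)


def docroot_is_fs_root(docroot: str) -> bool:
    """True when the web root resolves to '/', the 'Very Bad' case from the answer."""
    root = Path(docroot).resolve()
    return root == Path(root.anchor)


def audit_docroot(docroot: str) -> Dict[str, object]:
    """Report every *.log file under docroot with its mode and world-readability."""
    root = Path(docroot).resolve()
    log_files: List[Dict[str, object]] = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in LOG_SUFFIXES:
            mode = stat.S_IMODE(path.stat().st_mode)
            log_files.append({
                "path": path.relative_to(root).as_posix(),
                "mode": f"{mode:04o}",
                "world_readable": bool(mode & stat.S_IROTH),  # 644 -> True, 640/600 -> False
            })
    log_files.sort(key=lambda entry: entry["path"])
    return {
        "docroot": str(root),
        "docroot_is_fs_root": docroot_is_fs_root(docroot),
        "log_files": log_files,
    }


def build_demo_tree(base: str) -> str:
    """Create a constructed docroot under base that mirrors the question; return its path."""
    docroot = Path(base) / "http"
    logdir = docroot / "var" / "log"
    logdir.mkdir(parents=True)
    (docroot / "index.php").write_text("<?php echo 'shop'; ?>\n")
    (logdir / "system.log").write_text("constructed sample log line\n")
    (logdir / "setup.log").write_text("constructed sample log line\n")
    os.chmod(logdir / "system.log", 0o644)  # the mode the question reports
    os.chmod(logdir / "setup.log", 0o600)
    return str(docroot)


def demo_report() -> Dict[str, object]:
    """Run the audit against the constructed tree in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_docroot(build_demo_tree(tmp))


if __name__ == "__main__":
    report = demo_report()
    print("docroot:", report["docroot"], "(IS FILESYSTEM ROOT)" if report["docroot_is_fs_root"] else "")
    for entry in report["log_files"]:
        flag = "WORLD-READABLE" if entry["world_readable"] else ""
        print(f"{entry['mode']} {entry['path']} {flag}")
```

Point `audit_docroot` at the directory your Apache `DocumentRoot` names; any entry in `log_files` is a file Apache will serve unless a deny rule covers it, and a `docroot_is_fs_root` of True means the whole machine is the web directory. Moving the log directory outside the docroot empties the list, which is the fix this answer recommends over patching access rules.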