I run a Magento shop and figured out that there is a security risk. Users can download the log files under /var/log/. If they go to https://www.example.com/var/log then a 404 page shows, but if they know the exact name of the log file then they can download it, e.g. with https://www.example.com/var/log/system.log.
I read that you can prevent this by placing a .htaccess file in any folder with the following content:
Order deny,allow
Deny from all
But I can still download the log. There is also another log in the same place named setup.log which I can't download.
Both files have the permission set to 644.
How can I secure my webserver?
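As an added example (not part of the question above), this is a .htaccess that denies the directory under both Apache 2.2 (mod_access_compat / Order syntax) and Apache 2.4 (mod_authz_core / Require syntax); it assumes the shop runs on Apache and that the directory's AllowOverride setting includes Limit (for Order/Deny) or AuthConfig (for Require), otherwise the file is silently ignored and the log stays downloadable:

```apache
# Added example: deny all HTTP access to this directory (e.g. var/log/).
# Apache 2.4+: authorization is handled by mod_authz_core.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 (or 2.4 with only mod_access_compat loaded): legacy syntax.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

After reloading, a request such as `curl -sI https://www.example.com/var/log/system.log` should return 403 rather than 200; if it still returns 200, the .htaccess is not being read (AllowOverride), or the file is served by something other than Apache.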