How to secure your Magento development files

Category: Security. Tags: Magento, Magereport, Security

In Magento 1.9.2.0 through 1.9.2.2, several development files were included in the standard install. They might reveal your passwords and other sensitive information. According to Magento, “these tests are not supposed to end up on production servers.”

Advice: configure your webserver to block requests to /dev/. This article explains how to secure your Magento development files.

Note: Byte & Hypernode block these files by default. If you have a plan with us, your site is secure already.

What are these files and what is the problem?

If you look under /dev, you will find that Magento has added many tests. This is a good thing, because it improves the quality of Magento code.

However, test and development files should generally not be available in the public web space, as they contain passwords and other credentials to perform the tests.

A default install will not contain sensitive information; however, if the tests are actually used, this might change. And if somebody gets hold of your database password, they effectively control your shop.

How do I fix it?

Do not just delete the /dev folder, as doing so will break future patches.

The best solution is to block these files at the web server level. The configuration differs between Apache and Nginx:

Apache

Ensure that a file called /dev/.htaccess exists and contains the following lines:

# Apache 2.2 access-control syntax; Apache 2.4 honours it only when mod_access_compat is loaded.
# The web root also needs AllowOverride Limit (or All), otherwise .htaccess is ignored.
Order deny,allow
Deny from all

Nginx

It depends on where your configuration is stored. If you have access to nginx.conf, add this snippet to the server { } definition of your shop:

location ^~ /dev/ { return 403; }
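Once the rule is deployed, it is worth confirming that the server really refuses requests below /dev/, including nested paths, since a prefix rule that only matches the directory itself would still leave the tests reachable. The following check is an added example and not part of this article or of Magento; the base URL and the "dev-dir-check" user agent are assumed placeholder values.

```python
# Added verification script (not from the original article or Magento): probe a
# shop's /dev/ tree and report whether the web server blocks it.
import sys
import urllib.error
import urllib.request

# Paths to probe: the directory itself and a nested path, so that a prefix rule
# (Nginx "location ^~ /dev/" or the .htaccess in /dev/) is shown to cover
# subdirectories as well. "/dev/tests/" is the test tree the article mentions.
DEV_PATHS = ["/dev/", "/dev/tests/"]

# A refusal (403) or a hidden path (404) both mean the rule is effective.
BLOCKED_STATUSES = {403, 404}


def is_blocked(status):
    """True when the final HTTP status shows the path is not served."""
    return status in BLOCKED_STATUSES


def dev_urls(base_url):
    """Join the shop's base URL with each probe path, tolerating a trailing slash."""
    return [base_url.rstrip("/") + path for path in DEV_PATHS]


def fetch_status(url, timeout=10):
    """Return the final HTTP status for url (redirects are followed)."""
    req = urllib.request.Request(url, headers={"User-Agent": "dev-dir-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_shop(base_url):
    """Probe every path and return {url: (status, blocked)}."""
    results = {}
    for url in dev_urls(base_url):
        status = fetch_status(url)
        results[url] = (status, is_blocked(status))
    return results


if __name__ == "__main__":
    # Assumed placeholder; pass your own shop's URL as the first argument.
    base = sys.argv[1] if len(sys.argv) > 1 else "https://shop.example"
    exposed = False
    for url, (status, blocked) in check_shop(base).items():
        print(f"{status} {'blocked' if blocked else 'EXPOSED'} {url}")
        exposed = exposed or not blocked
    sys.exit(1 if exposed else 0)
```

The script exits non-zero if any probed path is still served, so it can run as a post-deploy check.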

Need help?

We do not provide consultancy services on specific installations, but we know many highly skilled Magento professionals. If you need help, do not hesitate to contact one of these fine agencies.
