How to secure Magento Cacheleak

Posted in Security. Tags: Magento, MageReport, Security

A misconfigured webserver can leak Magento cache files containing database passwords. This is possible because Magento stores its internal cache files inside the public document root. The Magento installation ships with default protection for these files, but it is not always active, especially on modern webservers such as Nginx.

What is Magento Cacheleak?

The vulnerability is a compound of three problems:

Predicting filenames

Magento stores its internal data, such as database passwords, in cache files on disk. These file names look random. Most webservers do not list directory contents by default, so an attacker cannot simply browse for them; the problem is that the names can be predicted. They consist of adler32 (https://en.wikipedia.org/wiki/Adler-32) and md5 (https://en.wikipedia.org/wiki/MD5) hashes derived from the installation path. Once you know the path, you know the cache file locations.

Finding out the secret install path

The secret installation path can be retrieved from various sources that reveal the absolute filesystem path, such as get.php, resource_config.json, the system.log or the exception.log.

Apache vs. Nginx

Magento has built-in protection of its internal data (/var) when the Apache webserver is used, by means of .htaccess files. However, big sites are switching to modern webservers such as Nginx (23% run Nginx as of August). Nginx ignores .htaccess files, so the default protection does nothing there and the administrator has to add the restriction by hand.

What are the consequences?

When the above conditions are met, a malicious person can anonymously fetch the internal Magento cache and thus obtain secrets such as the database password. This password gives access to customer and payment data.

How do I fix it?

Byte customers who run their Magento shop on the Hypernode platform are already protected against this and many other security risks.

If you are hosting elsewhere, it all depends on your webserver.

Apache

If you are using Apache and MageReport says you are susceptible to Cacheleak, your .htaccess files are not being applied. Verify that there is at least a .htaccess file under /var. If there is one, check with your server administrator whether .htaccess processing (AllowOverride) is enabled for the document root.

Nginx

Many people are switching over to Nginx. At the very least, you should make sure your server definition contains a line like this:

location ^~ /var/ { return 403; }

However, Nginx location rules are not matched in the order they appear: Nginx first selects the longest matching prefix location; if that prefix was declared with ^~ the search stops there, otherwise the regular-expression locations are checked in order and the first match wins. So you should verify that no regex location (a static-files or extension-based rule, for instance) takes precedence over your /var/ rule. For reference, here is (a subset of) the battle tested config that our customers on the Hypernode platform enjoy.
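The following is an added illustration of the precedence problem, not the Hypernode configuration itself. It assumes a Magento 1 shop installed directly in the document root, a placeholder hostname shop.example, a placeholder root /var/www/magento, and a php-fpm upstream named fastcgi_backend (all hypothetical). The first server block looks safe but still serves files under /var/; the second one fixes it.

```nginx
# Added example, not Byte's/Hypernode's config. Placeholder names:
# shop.example, /var/www/magento and the upstream fastcgi_backend.

# --- WEAK: /var/ is a plain prefix location -------------------------------
server {
    listen 80;
    server_name shop.example;
    root /var/www/magento;

    # Meant to hide cache files, logs and resource_config.json ...
    location /var/ { return 403; }

    # ... but nginx only uses a plain prefix match when no regex location
    # matches. This regex matches /var/resource_config.json and
    # /var/log/system.log, so they are served as static files and the
    # absolute install path (and from there the cache files) leaks.
    location ~* \.(json|log|xml|txt)$ {
        expires 1h;
    }

    location ~ \.php$ {
        fastcgi_pass fastcgi_backend;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

# --- FIXED: ^~ makes the prefix match final -------------------------------
server {
    listen 80;
    server_name shop.example;
    root /var/www/magento;

    # With ^~, once one of these is the longest matching prefix, nginx does
    # not consult any regex location, so the extension rule below can no
    # longer override the deny. These are the same directories Magento's own
    # .htaccess files protect on Apache (app/ holds app/etc/local.xml with the
    # database credentials in clear text).
    location ^~ /var/      { return 403; }
    location ^~ /app/      { return 403; }
    location ^~ /includes/ { return 403; }
    location ^~ /lib/      { return 403; }

    location ~* \.(json|log|xml|txt)$ {
        expires 1h;
    }

    location ~ \.php$ {
        fastcgi_pass fastcgi_backend;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```

After reloading, check the effective configuration with `nginx -T` (it prints every included file, so a regex rule hiding in a shared snippet shows up too), then request /var/resource_config.json and /var/log/system.log over HTTP and confirm both return 403. If Magento lives in a subdirectory (for example /shop/), the prefixes must include that directory (`location ^~ /shop/var/`), because `^~ /var/` only matches paths that start with /var/.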

Need help?

Magento is not an easy open source CMS. Although we're very skilled in hosting Magento shops, making them fast and keeping conversion high, we're no Magento developers. Luckily, we know a lot of agencies that do know a lot about how Magento works. If you need help, don't hesitate to contact one of these agencies.
