10 “what to do’s when setting up Magento” and file inclusion attacks

Leave a comment

Found this list of things “to do” on Twitter this morning.  I went over the list and saw that there was one item that was missing, which I feel is very important to do.  I saw it in another post on Local File Inclusion for which it seems like there was a local file inclusion vulnerability in Joomla (I think.  I didn’t read that far into it).

The thing on the list that was missing was securing your local file system when installing Magento.  The default installation asks for certain directories to be writable.  This is necessary for certain things.  But what we lazy installers sometimes do is just make the whole thing writable to make installation easier.  And while I am not aware of any specific Magento vulnerability like the one noted it is definitely a good practice to deny write access to all but the necessary files.  This is done by changing the permission settings on the files but changing the file ownership so that the web server user is unable to change the permissions to something more permissive.  And for the files that you need write access to you should deny access via either .htaccess or <directory> settings in httpd.conf so they can’t be called remotely.

So, the 11th thing to do is to secure your file system by denying write access to the server user that is running your Magento code.

Leave a Reply

Your email address will not be published. Required fields are marked *