Why leaving the /var folder unprotected is so dangerous

A simple misconfiguration can leave your site open to hacking or stealing of customer information.

I use MageReport.com all the time. It is a super fast way to double-check that our clients’ websites have been patched, as well as a third-party mechanism to show them that they have been patched. It doesn’t just examine patches but also common server configuration vulnerabilities.

The Story:

As an online retailer, would it concern you to work hard at maintaining a secure storefront, only to find out that you had missed something small with huge ramifications?

Recently, I came across a website (which will remain unnamed) that illustrates this well. The public side of the website is quite good. If they are like any other online retailer, they work hard to ensure their security is top notch.

However, MageReport.com indicated there was a problem with the /var folder. Typing in this company’s domain name and adding /var to the end produced this result:

[Screenshot: directory listing of an unprotected /var folder]

The idea behind the /var folder in Magento is to store temporary information about the Magento instance. It can be deleted and the system will still run well. As you are about to see, this can be a major source of information leakage. By the way, I am not spilling any beans to hackers; they already know this and plenty more about getting into Magento.

The Files:

Let’s look at a few files and learn what they often store:

  • /var/cache:
    • Since this contains all cached information (unless you use Redis or something similar), people can find module information, database records, and maybe even admin login email addresses.
  • /var/importexport:
    • This folder often contains the product / customer exports that you have performed. Anyone browsing it can obtain your entire product or customer database if the export files are left here.
  • /var/log:
    • system.log: any logs that the system outputs (if logging is enabled). Not infrequently, if entire objects (a programming term for a container that stores information) are logged, database access credentials can be present. Additionally, you may find information about SQL injection vulnerabilities here. Sometimes you can also locate PayPal transaction information here.
    • exception.log: any serious problems that the website experiences.
    • payment_paypal_express.log: this contains customer information (names, emails, postal addresses, phone numbers, your PayPal email address, etc.)
  • /var/report:
    • Detailed information about serious problems (similar to /var/log/exception.log)
  • /var/session:
    • Customer session information: such as their login email, browser information and session name (something that can be used to hijack their session and possibly purchase products on their behalf).
  • Database dumps?
    • You may even have entire database dumps that are visible (sharing with the world every order you have had, administrator login information, your product information: everything).

The Fix:

The solution is very simple. The first thing you need to determine is what type of web server you are using. Go to this page and enter your domain name. Based on the value of the “web server” field, proceed with Apache or Nginx:

Apache:

Create a file named .htaccess in the /var folder and write the following words in it: Deny from all

Nginx:

Contact your server administrator to update your configuration for this folder.
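For the Nginx case, here is an added example (not from the original post) of the server block rules that deny web access to /var and the other Magento 1 directories that should never be served directly; example.com, the document root and the PHP-FPM socket path are placeholders to adjust for your server.

```nginx
# Added example, not from the original post. Assumes a Magento 1 install
# whose document root is the Magento root; adjust paths to match your server.
server {
    listen 80;
    server_name example.com;          # placeholder hostname
    root /var/www/magento;            # placeholder document root

    # Refuse every request under /var/ (cache, log, session, report,
    # importexport, stray database dumps) before it reaches PHP or the
    # filesystem. ^~ makes this prefix match win over the regex locations.
    location ^~ /var/ {
        deny all;
    }

    # Other Magento 1 directories that contain code or config, not web content.
    location ^~ /app/      { deny all; }
    location ^~ /includes/ { deny all; }
    location ^~ /lib/      { deny all; }

    # Never serve dot-files (.htaccess, .git, .env) anywhere in the tree.
    location ~ /\. {
        deny all;
    }

    location / {
        index index.php;
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
    }
}
```

After reloading nginx, a request such as curl -I https://example.com/var/ should return 403 rather than a directory listing. On Apache 2.4 the equivalent of the .htaccess line above is Require all denied, since Deny from all only works there when mod_access_compat is loaded.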

This is an easy solution to a potentially huge problem. Will you take a minute to check your website on MageReport.com? Additionally, would you check the /var folder (for example, https://swiftotter.com/var) to ensure that you are not leaking important customer secrets to the Internet?

SwiftOtter, Inc.
Topics: Magento 1, Security
Joseph Maxwell, president / senior developer at SwiftOtter (@josephmaxs)