Magento – Security Risk of require_once 'app/Mage.php' in Root

Security

I have a file in my Magento root that require_once 'app/Mage.php'; to give me access to Mage::getStoreConfig system variables.

Does this cause a security risk? Should I place it in another folder?

This is my file, /twitter.php:

<?php
require_once 'app/Mage.php';
Mage::app();
$consumer_key = Mage::getStoreConfig("Social/twitterapi/consumer_key");
$consumer_secret = Mage::getStoreConfig("Social/twitterapi/consumer_secret");
$oauth_access_token = Mage::getStoreConfig("Social/twitterapi/access_token");
$oauth_access_token_secret = Mage::getStoreConfig("Social/twitterapi/access_token_secret");

Best Answer

Unless the script contains means by which to alter content in the Magento install via something like arguments sent to the script, then no, I don't see that it's a security risk - including Mage.php is only exactly what index.php (also at web root) does too.
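A reviewer's check for the condition the answer names (a script that bootstraps Mage.php and also takes request arguments or alters store data), as an added example that is not part of the original question or answer. The pattern lists, the function names and the second sample script are assumptions made for illustration; the check is a heuristic over the source text, not a PHP parser.

```python
import re

# Heuristic patterns chosen for this example; not an exhaustive list.
BOOTSTRAP = re.compile(r"\b(?:require|include)(?:_once)?\b[^;]*app/Mage\.php", re.I)
REQUEST_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|FILES)\b|php://input")
STATE_CHANGE = re.compile(r"->\s*(?:save|delete|saveConfig)\s*\(", re.I)
# PHP string literals (kept) or comments (blanked), so commented-out code is ignored.
TOKEN = re.compile(r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|//[^\n]*|#[^\n]*|/\*.*?\*/""", re.S)

def strip_comments(src):
    def repl(m):
        text = m.group(0)
        # Keep strings verbatim; drop comments but preserve line numbering.
        return text if text[0] in "'\"" else "\n" * text.count("\n")
    return TOKEN.sub(repl, src)

def audit(src):
    """Return (line, match) hits for request input and state-changing calls."""
    code = strip_comments(src)
    def hits(rx):
        return [(code.count("\n", 0, m.start()) + 1, m.group(0)) for m in rx.finditer(code)]
    boots = bool(BOOTSTRAP.search(code))
    inputs, writes = hits(REQUEST_INPUT), hits(STATE_CHANGE)
    return {"bootstraps_mage": boots, "request_input": inputs,
            "state_change": writes, "needs_review": boots and bool(inputs or writes)}

# The question's /twitter.php, copied from the page: fixed config paths, no request input.
TWITTER_PHP = """<?php
require_once 'app/Mage.php';
Mage::app();
$consumer_key = Mage::getStoreConfig("Social/twitterapi/consumer_key");
$consumer_secret = Mage::getStoreConfig("Social/twitterapi/consumer_secret");
$oauth_access_token = Mage::getStoreConfig("Social/twitterapi/access_token");
$oauth_access_token_secret = Mage::getStoreConfig("Social/twitterapi/access_token_secret");
"""

# Constructed counter-example: a request argument flows into a config write.
RISKY_PHP = """<?php
require_once 'app/Mage.php';
Mage::app();
// $_POST is only mentioned in this comment
$key = $_GET['consumer_key'];
Mage::getModel('core/config')->saveConfig('Social/twitterapi/consumer_key', $key);
"""

if __name__ == "__main__":
    for name, src in (("twitter.php", TWITTER_PHP), ("constructed", RISKY_PHP)):
        print(name, audit(src))
```

A clean result covers only the scanned file; code it includes, and anything it prints (such as the secrets it loads), still has to be read by hand.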
