Security – Why Magento POSTs to /app/etc/local.xml

Security

It seems to be initiated at admin operations, such as catalog save/edit. As seen in the logs. The client IP for the POST is the server's internal IP.

302 2014-08-30T06:43:40+00:00 POST /index.php/admin/catalog_product/save/id/8830/key/ee3cb37b55e431ada508af992e88abbb/ HTTP/1.1 
403 2014-08-30T06:43:40+00:00 POST /app/etc/local.xml HTTP/1.1 
200 2014-08-30T06:48:39+00:00 GET /index.php/admin/catalog_product/edit/id/8830/key/e5c6b7e5d662d8b4c39be5b31b761f28/ HTTP/1.1 
403 2014-08-30T06:48:39+00:00 POST /app/etc/local.xml HTTP/1.1

Best Answer

Ah, found the answer in the release notes:

Added verification of access level for app/etc/local.xml. * Now if server configuration has issue and this file accessible from browser admin user gets notification in backend.

Related Solutions

Magento – How does magento encrypt credit card numbers

According to Magento:

Strong Data Encryption, Hashing and Key Management Strong data encryption based on AES-256 and strong hashing based on SHA-256. Database keys are easily managed and updated.

From my understanding and some quick glances at code:

Community is mainly Mcrypt and Blowfish (ECB Mode) based, as Don pointed out in the comments.

Enterprise uses a custom class for PCI compliance which uses both Mcrypt and Blowfish as with different cyphers and stronger encryption.

MCRYPT_RIJNDAEL_128,MCRYPT_RIJNDAEL_256,HASH_VERSION_SHA256,etc.

https://en.wikipedia.org/wiki/Blowfish_(cipher)

Both using a combination of MD5, salting and hashes.

You can override the encryption models if you wished to use your own:

 /**
 * @return Mage_Core_Model_Encryption
 */
public function getEncryptor()
{
    if ($this->_encryptor === null) {
        $encryptionModel = (string)Mage::getConfig()->getNode(self::XML_PATH_ENCRYPTION_MODEL);
        if ($encryptionModel) {
            $this->_encryptor = new $encryptionModel;
        } else {
            $this->_encryptor = Mage::getModel('core/encryption');
        }

        $this->_encryptor->setHelper($this);
    }
    return $this->_encryptor;
}

https://github.com/OpenMage/magento-mirror/blob/magento-1.9/app/code/core/Mage/Core/Helper/Data.php#L79

With that said, storing Credit Card data makes you a target and future legal issues possibly.

However I have seen scrapping hacks that are capturing data input before it is encrypted and logging it. So simply not storing them makes you immune either. This is proof that other exploits outside of Magento in its stack should always be considered.

As far as encryption strength, that would be a better question for:

https://crypto.stackexchange.com/

Magento – Security Risk of require_once ‘app/Mage.php’ in Root

Unless the script contains means by which to alter content in the Magento install via something like arguments sent to the script then no I don't see that it's a security risk - including Mage.php is only exactly what index.php (also at web root) does too.

Best Answer

Related Solutions

Magento – How does magento encrypt credit card numbers

Magento – Security Risk of require_once ‘app/Mage.php’ in Root

Related Topic