Magento Cacheleak is an implementation vulnerability, i.e. the result of a badly implemented web-server configuration for the Magento platform.

With this, all private directories, including var/, var/backups/, var/cache/ and var/session/, are exposed to the public, so anyone can get the list of backups or sessions and download them, extract data values from cache files and finally obtain full control over your Magento installation.


How to check if your web-server configuration is vulnerable

Simply open the var/, var/cache/, var/session/ and var/backups/ directories in your browser by appending them to your domain, for example:
https://example.com/var/ or https://example.com/var/cache/.

Ideally, you should see a 403 Forbidden or 404 Not Found page. If vulnerable, you will see a directory listing that lets you browse and download anything you like, be it cached passwords or a backup containing your customers' saved payment methods.


How to secure it?

Ensure that .htaccess files or Nginx rewrite rules are in place

Navigate to the var/, var/cache/, var/session/ and var/backups/ directories via FTP, SSH or any file manager and ensure that there is a .htaccess file in each directory. You may need to enable your FTP or SSH client to show hidden files (files starting with a dot character are considered hidden). If the files are not there, upload any missing files from the original Magento distribution. The .htaccess file contains just two lines:

# Apache 2.2 access-control directives (on Apache 2.4 they need mod_access_compat;
# the native 2.4 equivalent is "Require all denied")
Order deny,allow
Deny from all
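The browser check above and the .htaccess audit are both easy to script. The following POSIX shell script is an added example, not code from the original post or from Magento: classify_response turns an HTTP status and response body (as returned by curl) into a verdict for one private directory, probe_site runs that check against every directory in the list, and audit_htaccess reports which of those directories on disk are missing a .htaccess file. The directory list and the "Index of" marker used to recognise an autoindex page are assumptions based on the post. Two caveats worth keeping in mind: Apache only honours .htaccess where AllowOverride permits it, and Nginx ignores .htaccess entirely, so on Nginx the deny rule has to live in the server configuration itself.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Magento install for the
# "Cacheleak" exposure. Directory list is an assumption based on the post.
PRIVATE_DIRS="var var/cache var/session var/backups"

# classify_response STATUS BODY -> prints "exposed", "ok" or "unexpected"
classify_response() {
    status="$1"
    body="$2"
    case "$status" in
        403|404) echo "ok" ;;
        200)
            # A 200 whose body looks like an autoindex page means the
            # directory listing is reachable from the internet.
            case "$body" in
                *"Index of"*|*"Directory listing"*) echo "exposed" ;;
                *) echo "unexpected" ;;
            esac ;;
        *) echo "unexpected" ;;
    esac
}

# probe_site BASE_URL -> one line per directory: "<dir> <verdict>"
# Needs curl and network access to the store being checked.
probe_site() {
    base="${1%/}"
    for d in $PRIVATE_DIRS; do
        tmp=$(mktemp)
        status=$(curl -s -o "$tmp" -w '%{http_code}' "$base/$d/")
        body=$(cat "$tmp")
        rm -f "$tmp"
        echo "$d $(classify_response "$status" "$body")"
    done
}

# audit_htaccess MAGENTO_ROOT -> prints each private directory that exists
# but has no .htaccess; returns 1 if any is missing, 0 otherwise.
# Only meaningful for Apache: Nginx never reads .htaccess files.
audit_htaccess() {
    root="${1%/}"
    missing=0
    for d in $PRIVATE_DIRS; do
        if [ -d "$root/$d" ] && [ ! -f "$root/$d/.htaccess" ]; then
            echo "missing: $root/$d/.htaccess"
            missing=1
        fi
    done
    return $missing
}

# Usage (uncomment to run):
# probe_site https://example.com
# audit_htaccess /var/www/magento
```

A 200 with a storefront or error page rather than a listing is reported as "unexpected" instead of "ok", because it usually means a rewrite is serving something else for that path and the directory itself still needs a deny rule.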


ServerGuy's managed Magento hosting platform is completely secure; customers are informed about any new Magento security patches, and we can apply them on demand free of charge.

We also take care of all the Magento security best practices to minimize such hacks and exploits. Contact us for more details.
