Magento Cacheleak is an implementation vulnerability, i.e. the result of a badly implemented web-server configuration for the Magento platform.
With this, all private directories, including var/, var/backups/, var/cache/ and var/session/, are exposed to the public, so anyone can list the backups or sessions and download them, extract data values from cache files and finally obtain full control over your Magento installation.
How to check if your web-server configuration is vulnerable
Simply open the var/, var/cache/, var/session/ and var/backups/ directories in your browser by appending them to your domain:
https://example.com/var/ or https://example.com/var/cache/.
Ideally, you should see a 403 Forbidden or 404 Not Found page. If vulnerable, you will see a directory listing that lets you browse and download anything you like, whether it be cached passwords or a backup containing your customers' saved payment methods.
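The same check can be scripted so it runs against every private directory at once and gives a clear verdict per path. The script below is an added example, not code from the original post; it assumes only curl and a POSIX shell, uses a placeholder hostname, and treats a 403/404 as blocked and a 200 whose HTML carries the "Index of" title (what Apache's mod_autoindex and nginx's autoindex emit) as an exposed listing. Anything else, such as a 200 that is a normal page, is reported as "other" for a human to look at.

```shell
#!/bin/sh
# Added example (not part of the original post): probe Magento's private
# directories and classify each response. Hostname below is a placeholder.
# Usage: sh cacheleak_check.sh https://example.com

# Directories that must never be browsable.
PRIVATE_DIRS="var/ var/cache/ var/session/ var/backups/"

# classify_response STATUS BODY
# Prints one of: blocked, exposed, other.
#   blocked - 403 or 404, the expected outcome
#   exposed - 200 with an autoindex-style "Index of" title
#   other   - anything else, needs manual review
classify_response() {
    status=$1
    body=$2
    case "$status" in
        403|404) echo blocked; return 0 ;;
    esac
    if [ "$status" = 200 ] && printf '%s' "$body" | grep -qi '<title>Index of'; then
        echo exposed
        return 0
    fi
    echo other
}

# probe_dir BASE_URL DIR: fetch the directory and print the verdict.
# Returns 1 when the directory is exposed, 2 when the request failed.
probe_dir() {
    url="${1%/}/$2"
    # -w appends the final HTTP status code on its own line after the body.
    raw=$(curl -s -L -A 'cacheleak-check' --max-time 10 -w '\n%{http_code}' "$url") \
        || { echo "$url: request failed"; return 2; }
    status=$(printf '%s\n' "$raw" | tail -n 1)
    content=$(printf '%s\n' "$raw" | sed '$d')
    verdict=$(classify_response "$status" "$content")
    echo "$url -> HTTP $status: $verdict"
    [ "$verdict" != exposed ]
}

# Probe all directories when a base URL is given on the command line.
if [ -n "$1" ]; then
    rc=0
    for d in $PRIVATE_DIRS; do
        probe_dir "$1" "$d" || rc=1
    done
    exit $rc
fi
```

A non-zero exit status means at least one directory listing was returned, which makes the script usable from a cron job or a deployment pipeline as a regression check after the web-server configuration is changed.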
How to secure it?
Ensure that .htaccess files or Nginx rewrite rules are in place
Navigate to the var/, var/cache/, var/session/ and var/backups/ directories via FTP, SSH or any file manager and ensure that there is a .htaccess file in each directory. You may need to enable your FTP or SSH client to show hidden files (files starting with a dot character are considered hidden). If the files are not there, upload the missing files from the original Magento distribution. The .htaccess file contains just two lines:
Order deny,allow
Deny from all
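Checking each directory by hand is error-prone, so here is an added example (not code from the original post or from Magento) that audits the .htaccess files from a shell on the server and can rewrite missing or weak ones. It assumes the Magento document root is passed as the first argument. Two caveats a practitioner should know: the two-line form above uses Apache 2.2 directives, which on Apache 2.4 only work when mod_access_compat is loaded (otherwise the 2.4 form `Require all denied` is needed), and a .htaccess file has no effect at all unless the server's `AllowOverride` setting permits it. The file written by the script therefore carries both forms inside `<IfModule>` guards, so either Apache version honours it.

```shell
#!/bin/sh
# Added example (not part of the original post): audit the deny-all
# .htaccess files in Magento's private directories and optionally fix them.
# Usage: sh htaccess_audit.sh /path/to/magento [fix]

PRIVATE_DIRS="var var/cache var/session var/backups"

# htaccess_status DIR: prints "missing", "weak" or "ok".
# "ok" means the file denies everything using either the Apache 2.2 form
# (Order deny,allow + Deny from all) or the Apache 2.4 form (Require all denied).
htaccess_status() {
    f="$1/.htaccess"
    [ -f "$f" ] || { echo missing; return 0; }
    if grep -qi '^[[:space:]]*Require[[:space:]][[:space:]]*all[[:space:]][[:space:]]*denied' "$f"; then
        echo ok
    elif grep -qi '^[[:space:]]*Order[[:space:]][[:space:]]*deny,allow' "$f" \
         && grep -qi '^[[:space:]]*Deny[[:space:]][[:space:]]*from[[:space:]][[:space:]]*all' "$f"; then
        echo ok
    else
        echo weak
    fi
}

# write_htaccess DIR: install a deny-all .htaccess that works on Apache 2.2
# and on Apache 2.4 with or without mod_access_compat.
write_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Deny all web access to this directory (written by htaccess_audit.sh).
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# audit ROOT [fix]: report every private directory; with "fix", rewrite
# any missing or weak file. Returns 1 if a problem was found and not fixed.
audit() {
    root=$1
    fix=$2
    rc=0
    for d in $PRIVATE_DIRS; do
        dir="$root/$d"
        [ -d "$dir" ] || { echo "$dir: directory not present, skipping"; continue; }
        st=$(htaccess_status "$dir")
        echo "$dir/.htaccess: $st"
        if [ "$st" != ok ]; then
            if [ "$fix" = fix ]; then
                write_htaccess "$dir"
                echo "  -> rewritten"
            else
                rc=1
            fi
        fi
    done
    return $rc
}

if [ -n "$1" ]; then
    audit "$1" "$2"
    exit $?
fi
```

On nginx there is no .htaccess; the equivalent is a `location` block for the private paths with `deny all;` in the server configuration (this is the generic nginx directive, not a line taken from the post). Whichever server is used, re-run the browser check above after changing anything, because a misplaced file or an `AllowOverride None` elsewhere in the configuration silently leaves the directories open.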
ServerGuy's managed Magento hosting platform is completely secure, and customers are informed about any new Magento security patches, which we can apply on demand free of charge.
We also take care of all the Magento Security best practices to minimize any such hacks and exploits. Contact Us for more details.
Enquire now and join 1000+ businesses who have blitzscaled their websites by choosing ServerGuy as their hosting partner.