Securing Magento from Cacheleak, Backupleak and Sessionleak vulnerabilities

Securing Magento from vulnerabilities

Magento Cacheleak is an implementation vulnerability: it is caused by a misconfigured web server in front of the Magento platform, not by a bug in Magento's own code.

When the configuration is wrong, all of Magento's private directories, including var/, var/backups/, var/cache/ and var/session/, are served to the public. Anyone can then list the backups or session files and download them, pull credentials and other values out of the cache files, and ultimately take full control of the installation.


How to check if your web-server configuration is vulnerable

Simply open the var/, var/cache/, var/session/ and var/backups/ directories in your browser by appending each of them to your store's domain, for example:
https://example.com/var/ or https://example.com/var/cache/.


Ideally, you should see a 403 Forbidden or 404 Not Found page. If the server is vulnerable, you will see a directory listing that lets you browse and download anything you like, be it cached passwords or a backup containing your customers' saved payment details. Note that the absence of a listing is not proof of safety: if directory indexing is switched off but the files are still served, anyone who can guess or learn a filename (session files are named after the session ID, backups carry a timestamp) can still fetch it directly. Treat anything other than a 403 or 404 as something to investigate.

How to secure it?

Ensure that .htaccess files or Nginx rules are in place

Navigate to the var/, var/cache/, var/session/ and var/backups/ directories via FTP, SSH or any file manager and confirm that each one contains a .htaccess file. You may need to tell your FTP or SSH client to show hidden files (names beginning with a dot are hidden by default). If any are missing, copy them from an original Magento distribution. The .htaccess file contains just two lines:

Order deny,allow
Deny from all

Two caveats. First, a .htaccess file only takes effect if Apache is configured to read it: if the virtual host sets AllowOverride None, the file is silently ignored, so always repeat the browser check above after uploading it. Second, these two directives are Apache 2.2 syntax; on Apache 2.4 they require the mod_access_compat module, and without it they produce a 500 error instead of a 403. The Apache 2.4 equivalent is Require all denied, which is what Magento 2's shipped var/.htaccess uses for 2.4 alongside the older directives for 2.2. On Nginx, which never reads .htaccess files, the same protection has to be a location block for /var/ in the server configuration that denies all requests, as in Magento's sample Nginx configuration.
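A quick way to run the browser check from the previous section against all four directories at once, after the .htaccess files or Nginx rules are in place. This is an added example script, not code from the original article or from the Magento project; it assumes curl is installed and that the web server's document root is the Magento root (so https://host/var/ maps to var/ on disk), and the host name in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example: probe the private Magento directories named in the article and
# classify each response. Assumes curl is installed and that the document root
# is the Magento root, so https://<host>/var/ maps to <magento>/var/ on disk.

# classify STATUS BODY
# Prints "blocked" for 403/404 (the expected result), "listing" when the body
# looks like an Apache/Nginx autoindex page, "served" for any other 200 (the
# directory is reachable even though indexing is off), "redirect" for 3xx and
# "unknown" for anything else (including 000, which curl yields when the
# request itself fails).
classify() {
  status="$1"
  body="$2"
  case "$status" in
    403|404) echo blocked ;;
    200)
      case "$body" in
        *"Index of /"*|*"Parent Directory"*) echo listing ;;
        *) echo served ;;
      esac
      ;;
    3[0-9][0-9]) echo redirect ;;
    *) echo unknown ;;
  esac
}

# exposed VERDICT -> succeeds when the verdict means the directory is reachable
exposed() {
  case "$1" in
    listing|served) return 0 ;;
    *) return 1 ;;
  esac
}

# probe BASE_URL -> prints one line per directory; returns 1 if any is exposed
probe() {
  base="${1%/}"
  tmp=$(mktemp)
  rc=0
  for dir in var/ var/cache/ var/session/ var/backups/; do
    url="$base/$dir"
    # -o keeps the body for classification, -w gives us the status code
    status=$(curl -s -o "$tmp" -w '%{http_code}' --max-time 10 "$url") || status=000
    verdict=$(classify "$status" "$(cat "$tmp")")
    printf '%-45s %s  %s\n' "$url" "$status" "$verdict"
    if exposed "$verdict"; then rc=1; fi
  done
  rm -f "$tmp"
  return "$rc"
}

# Usage: sh check-var-exposure.sh https://example.com   (placeholder host)
if [ "$#" -eq 1 ]; then
  probe "$1"
fi
```

A non-zero exit status means at least one directory answered with something other than a 403 or 404, which is the case to investigate by hand; a "served" verdict in particular means indexing is off but the content is still reachable.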


ServerGuy's managed Magento hosting platform ships with these protections in place. Customers are informed about every new Magento security patch, and we apply patches on demand free of charge.

We also take care of the other Magento security best practices to minimise such hacks and exploits. Contact us for more details.
