Because of the nature of the problem, the article below is written in English. With an English-language article we hope to offer shop owners from all over the world a how-to for solving the problem and securing their shop properly.
Unprotected Magento version control systems
Lots of developers use version control systems for developing a Magento webshop. These version control systems such as Git and Subversion store their metadata in hidden folders. When left open via the web, they could reveal sensitive information such as passwords.
If .svn or .git directories are reachable from the web, anyone can download (parts of) the full repository and therefore view all code and configuration of a shop, or retrieve passwords and other credentials stored in version control. This holds true even when “directory listing” is disabled, because the metadata files inside those directories have well-known names and can be requested directly.
What are the consequences for my webshop?
If the database passwords are also present in this repository, this may lead to hackers using the user name and password combination to add admin users to your Magento webshop. This way, they can take over the shop and cause great damage.
How do I secure my Magento?
At Byte, this is already prevented from happening through a modification in the web server configuration, which means that these files are not available. On other servers, a modification in the web server configuration by the hoster or in the .htaccess file is required.
If you host your webshop somewhere else, we recommend contacting your web hoster and asking them to block access to directories and files whose names start with a full stop (also known as a dot or period: “.”).
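The following Apache configuration is an added example, not Byte's own server configuration, showing one way to implement the blocking rule described above. It can be placed in the Magento document root's .htaccess (if AllowOverride permits FileInfo) or in the virtual host configuration. Note that a plain FilesMatch rule on names starting with a dot is not enough: a request for .git/config or .svn/entries targets a file whose own name does not start with a dot, so the rule must match any path segment beginning with a dot. The exception for .well-known/ is an assumption about the shop needing ACME (Let's Encrypt) challenges and can be dropped if it does not apply.

```apache
# Added example configuration (not the original article's code).
# Return 404 for any request whose path contains a segment starting with a dot:
#   /.git/HEAD, /.git/config, /.svn/entries, /.env, /app/etc/.backup, ...
# The negative lookahead keeps /.well-known/ reachable for certificate validation.
RedirectMatch 404 "/\.(?!well-known/)"

# Belt and braces for the two version control systems named in the article:
# refuse to serve anything below a .git or .svn directory, wherever it sits.
<DirectoryMatch "/\.(git|svn)(/|$)">
    # Apache 2.4 syntax; on 2.2 use "Order allow,deny" / "Deny from all" instead.
    Require all denied
</DirectoryMatch>
```

After deploying the rule, verify it from outside the server: a request for /.git/HEAD on your own shop should now return 404 (or 403), while /.well-known/acme-challenge/ still answers normally. The DirectoryMatch block is only valid in the main server or virtual host configuration, not in .htaccess, so shop owners who can edit only .htaccess should rely on the RedirectMatch line.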