Magento 2.3.0: Magento Unprotected XML

Question

I'm getting the following vulnerability issue when using the Magento Security Scan:

We have determined that your Magento installation's configuration file(s) are publicly accessible over HTTP.

'.user.ini'

I see the .user.ini file in the root of my Magento install, but not sure what it's for or how to pass the vulnerability scan.

Any ideas?

Answer 1

The permissions for .user.ini can be -rw-r----- (or 640 in octal). This removes access for anyone other than owner and group members. (As Hunter said, you can check permissions by running ls -la in your Linux terminal/shell).

Our Magento 2.3 site is running with .user.ini permissions of 640, so I can verify they do work. I ran the security scan today and our permissions on .user.ini pass. (However, I notice that I also got a false positive for another issue so the scanner tool is not perfect.)

Regarding file and group ownership, our httpd service (Apache) runs as user and group apache. We give user apache read only access to .user.ini and we have a dedicated group named webdev (for developers) that has rw access to that file and is a member of wheel. apache is not a member of webdev and does not have sudo permission.

You can change owner and group in the Linux shell like this:

chown apache:webdev .user.ini

The command to create a group is groupadd on CentOS. See https://blacksaildivision.com/centos-create-user-group for more details.

Substitute your own user and group. It's best if the httpd service (apache) does not have write permissions on files in the DocumentRoot (pub/).

Answer 2

PRODSECBUG-1883: Leakage of Custom PHP settings from .user.ini File

Description:
Access to certain private files is not protected.

You can find more information about this and other bugs here.

This issue was addressed in 2.3.0. Make sure your permissions for .user.ini are set correctly. You may find this article helpful.

Permissions for .user.ini should be -rw-r--r--. Check by running ls -la in your linux console.