Let's use this example: http://demo.opencart.com/system/logs/error.log. This is kind of a big deal, since probes can see your directory structure and may see sensitive errors that leak something useful (the PHP notices in that log carry full server paths, for a start). Sure, you can't browse the directory, but you can guess (or know) the log names.
There are a couple of mods out there that have debug modes which, if used incorrectly, can expose highly sensitive data. In a random search case we ran into today, Google had indexed one of those files on someone's defunct OC store and made it highly available to the public. The log in question was exactly that: a debug mode for a card processor. It showed their API user and key, as well as a credit card number, free to the public. The store was malfunctioning and may have turned the debug off long ago, but the log was still there, and it leaves a backtrace naming convention that haxors can test on other OC stores en masse.
So how do you prevent this? The first thing is to drop a .htaccess file into system/logs. The contents of the file should be something like this (to deny all traffic):
# Disable directory listing and refuse every HTTP request for this directory
Options -Indexes
deny from all
By doing this you can preemptively protect yourselves from future incidents involving this dir. Two caveats: the file only takes effect if your host's AllowOverride setting permits .htaccess overrides, and on Apache 2.4 "deny from all" is the old mod_access_compat spelling, so if it hands you a 500 error use "Require all denied" instead. After adding it, request the log URL yourself and make sure you get a 403 back, not the file. Hope that helps y'all button up your stores against debug, log, and error data leaks.
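The script below is an added example written for this post, not OpenCart's code or the original poster's: a small POSIX shell probe that requests the usual log paths on a store and reports which ones are still readable, so you can verify the .htaccess fix instead of assuming it worked. Only system/logs/error.log comes from the post; the host store.example.com and the system/storage/logs path are assumptions, and the path list is meant to be extended with whatever your own modules write.

```shell
#!/bin/sh
# Added example (not from the original post): probe a store for log files
# that are still readable over HTTP. Assumes curl is installed; the host used
# in the usage line is a placeholder.

# Paths worth checking. system/logs/error.log is the one from the post; the
# bare directory checks that listing is off; system/storage/logs/error.log is
# an assumed location for newer OpenCart layouts. Add your modules' log names.
LOG_PATHS="/system/logs/error.log /system/logs/ /system/storage/logs/error.log"

# Return only the final HTTP status code, following redirects (http -> https)
# and downloading no body. A function so offline tests can replace it; on a
# connection failure curl already prints 000, so just swallow its exit code.
fetch_status() {
    curl -s -L -o /dev/null -w '%{http_code}' --max-time 10 "$1" || true
}

# Map a status to a verdict. 200 means the file is served to anyone; 403
# (blocked by .htaccess) or 404 (absent) are both fine; anything else (000
# connection failure, 5xx from a rejected .htaccess) needs a manual look.
verdict_for() {
    case "$1" in
        200) echo EXPOSED ;;
        403|404) echo BLOCKED ;;
        *) echo UNKNOWN ;;
    esac
}

# Probe every path under a base URL, print one line per path, and return
# non-zero if anything came back 200.
probe_store() {
    base="${1%/}"
    exposed=0
    for p in $LOG_PATHS; do
        code=$(fetch_status "$base$p")
        v=$(verdict_for "$code")
        printf '%-8s %s %s\n' "$v" "$code" "$base$p"
        [ "$v" = EXPOSED ] && exposed=1
    done
    return $exposed
}

# Usage: sh probe_logs.sh https://store.example.com
if [ "$#" -gt 0 ]; then
    probe_store "$1"
fi
```

A 200 on any line means the block is not in place for that path (or a module logs somewhere you have not covered); a 200 on the bare directory means listing is still on or an index file exists there, so look at the body. A 500 on every path usually means Apache rejected the .htaccess itself, typically because AllowOverride does not permit the Options directive, in which case drop that line or move the setting into the server config.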