Post by Dhaupin » Fri Mar 13, 2015 3:59 am

The system/logs folder is where all your logs should live. It's pretty dang useful for store owners, but it's even more useful for nefarious profiling, sniffing, and gathering. By default OpenCart does not protect that directory very well.

Let's use this example: http://demo.opencart.com/system/logs/error.log This is kind of a big deal, since probes can see your directory structure and they may see some sensitive errors that leak something useful. Sure, you can't browse the directory, but you can guess (or know) the log names.

There are a couple of mods out there that have debug modes which, if used incorrectly, can expose highly sensitive data. In a random search case we ran into today, Google indexed one of those files on someone's defunct OC store and made it highly available to the public. The log in question was exactly that: a debug mode for a card processor. It showed their API user and key, as well as a credit card number, free to the public. The store was malfunctioning and may have turned the debug off long ago, but the log was still there and leaves a backtrace naming convention that haxors can test on other OC stores, en masse.

So how do you prevent this? The first thing is to drop a .htaccess file into system/logs. The contents of the file should be something like this (to deny all traffic):

Code:

Options -Indexes
deny from all
Next you need to make sure to delete any old or unused logs. Heck, you can delete them all if you like; they will surely regenerate. Then make sure all of your production mods are set to safe-log mode, no-log mode, or a mode that will not expose sensitive data for debug purposes. To better hide PHP errors, edit your store settings under the "Server" tab and set "Display Errors" to "No".

By doing this you can preemptively protect yourselves from future incidents involving this dir. Hope that helps y'all button up your stores to protect against debug, log, and error data leaks.

https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.


Active Member | Joined Tue May 13, 2014 3:45 am | Location: PA

Post by IP_CAM » Fri Mar 13, 2015 9:28 am

Oops, this is a rather poor sample of Glory, I assume. I could not sleep one minute, with such a file... :o :o
Lucky Me, you cannot see :D :D
http://bigmax.ch/shop/system/logs/error.log
Good Night!
Ernie

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.


Legendary Member | Joined Tue Mar 04, 2014 1:37 am | Location: Switzerland

Post by Johnathan » Fri Mar 13, 2015 10:52 pm

The latest version (2.0.1.1) includes some code in its .htaccess file to prevent direct access to files:

Code:

<FilesMatch "(?i)((\.tpl|\.ini|\.log|(?<!robots)\.txt))">
 Order deny,allow
 Deny from all
</FilesMatch>
That should prevent anyone from accessing .tpl, .ini, .log, and .txt files on your site (other than robots.txt).



Administrator | Joined Fri Dec 18, 2009 3:08 am


Post by Dhaupin » Sat Mar 14, 2015 5:33 am

That's a good start. Should include .bak, .htaccess, .xml_ and .md too

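The three fixes discussed so far (a deny-all .htaccess in system/logs, the root FilesMatch rule that ships with 2.0.1.1, and the extra extensions suggested in the reply above) are easy to get subtly wrong, so here is an offline check that models them over a sample store tree. This is example code written for this page; it is not OpenCart's own code and was not posted by anyone in the thread. It builds a throwaway OpenCart-like web root (every file and its contents are constructed for the example, including the well-known 4111 1111 1111 1111 test card number), applies the .htaccess rules, lists every file a probe could still fetch, and scans any reachable .log for Luhn-valid card numbers and credential-looking `key=value` pairs like the api_user/api_key leak described in the first post. Two caveats it encodes: `deny from all` is Apache 2.2 syntax that Apache 2.4 only honours when mod_access_compat is loaded, so the system/logs rule is written in both forms behind `<IfModule>`; and the model only parses `<FilesMatch>` blocks and plain deny directives in .htaccess files, so it assumes AllowOverride lets them apply and ignores httpd.conf rules such as the stock `<Files ".ht*">` deny (which is why `.htaccess` itself shows as reachable under the 2.0.1.1 rule).

```python
"""Added example (not OpenCart code): statically model Apache .htaccess rules over an
OpenCart-style web root, list files a probe could still fetch, and scan reachable
.log files for card numbers and credential-looking key=value pairs.
Assumes AllowOverride lets .htaccess apply, a deny covers the subtree, and only
<FilesMatch> blocks are parsed (no <Files>/httpd.conf rules such as the stock .ht* deny)."""
import os
import re
import tempfile

# Pattern quoted in the thread from OpenCart 2.0.1.1's .htaccess.
OC_2011_FILESMATCH = r"(?i)((\.tpl|\.ini|\.log|(?<!robots)\.txt))"
# The same rule widened with the extensions suggested in the follow-up post.
EXTENDED_FILESMATCH = r"(?i)((\.tpl|\.ini|\.log|(?<!robots)\.txt|\.bak|\.htaccess|\.xml_|\.md))"

DENY_DIRECTIVES = (
    re.compile(r"^\s*deny\s+from\s+all\s*$", re.I | re.M),       # Apache 2.2 / mod_access_compat
    re.compile(r"^\s*require\s+all\s+denied\s*$", re.I | re.M),  # Apache 2.4 mod_authz_core
)
FILESMATCH_BLOCK = re.compile(r'<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>', re.I | re.S)
# 13-19 digits with optional space/dash separators, not embedded in a longer digit run.
CARD_RX = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
CRED_RX = re.compile(r"(api[_-]?(?:key|user|secret)|password|secret)\s*[=:]\s*\S+", re.I)


def _read(path):
    if not os.path.isfile(path):
        return ""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def parse_htaccess(path):
    """Return (deny_all, patterns): deny_all means a deny outside any <FilesMatch> closes the
    directory and its subtree; patterns are regexes of <FilesMatch> blocks that deny access."""
    text = _read(path)
    patterns = [pat for pat, body in FILESMATCH_BLOCK.findall(text)
                if any(rx.search(body) for rx in DENY_DIRECTIVES)]
    outside = FILESMATCH_BLOCK.sub("", text)  # don't mistake a block-scoped deny for a global one
    return any(rx.search(outside) for rx in DENY_DIRECTIVES), patterns


def is_blocked(webroot, relpath):
    """Walk from the web root down to the file's directory applying each .htaccess;
    <FilesMatch> is tested against the basename only, as Apache does."""
    parts = relpath.split("/")
    basename = parts[-1]
    dirs = [webroot]
    for part in parts[:-1]:
        dirs.append(os.path.join(dirs[-1], part))
    for d in dirs:
        deny_all, patterns = parse_htaccess(os.path.join(d, ".htaccess"))
        if deny_all or any(re.search(p, basename) for p in patterns):
            return True
    return False


def luhn_ok(digits):
    """Standard Luhn check on a string of digits (filters most random digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def scan_log(text):
    """Findings that have no business in a world-readable log: masked PANs and credential keys."""
    findings = [("card_number", d[:6] + "..." + d[-4:])
                for d in (re.sub(r"[ -]", "", m.group(0)) for m in CARD_RX.finditer(text))
                if luhn_ok(d)]
    findings += [("credential", m.group(1).lower()) for m in CRED_RX.finditer(text)]
    return findings


def audit(webroot):
    """Map each fetchable file (relative path) to the findings from its content (logs only)."""
    exposed = {}
    for dirpath, _subdirs, names in os.walk(webroot):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            if is_blocked(webroot, rel):
                continue
            exposed[rel] = scan_log(_read(full)) if rel.lower().endswith(".log") else []
    return exposed


def build_sample_store(root, root_pattern=None, protect_logs_dir=False):
    """Construct a small OpenCart-like tree; every file and its content is made up for this example."""
    files = {
        "robots.txt": "User-agent: *\nDisallow: /admin/\n",
        "config.php": "<?php define('DB_PASSWORD', 'x');\n",
        "config.php.bak": "<?php define('DB_PASSWORD', 'x');\n",
        "README.md": "notes\n",
        "system/logs/error.log": "PHP Notice: Undefined index: foo in /var/www/catalog/controller/x.php\n",
        "system/logs/payment_debug.log": "api_user=merchant42 api_key=EXAMPLE_NOT_A_REAL_KEY\n"
                                         "card=4111 1111 1111 1111 exp=12/20\n",  # well-known test PAN
        "catalog/view/theme/default/template/common/header.tpl": "<?php echo $title; ?>\n",
    }
    if root_pattern:  # root .htaccess in the shape quoted from 2.0.1.1
        files[".htaccess"] = '<FilesMatch "%s">\n Order deny,allow\n Deny from all\n</FilesMatch>\n' % root_pattern
    if protect_logs_dir:  # the system/logs fix, written so it works on Apache 2.2 and 2.4
        files["system/logs/.htaccess"] = ("Options -Indexes\n<IfModule mod_authz_core.c>\n Require all denied\n"
                                          "</IfModule>\n<IfModule !mod_authz_core.c>\n deny from all\n</IfModule>\n")
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def run_demo(root_pattern=None, protect_logs_dir=False):
    """Build the sample store with the chosen protections and return what is still reachable."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_store(root, root_pattern, protect_logs_dir)
        return audit(root)


if __name__ == "__main__":
    for label, kw in (("no rules (pre-2.0.1.1)", {}),
                      ("2.0.1.1 FilesMatch only", {"root_pattern": OC_2011_FILESMATCH}),
                      ("extended rule + logs dir denied",
                       {"root_pattern": EXTENDED_FILESMATCH, "protect_logs_dir": True})):
        print("==", label)
        for rel, findings in sorted(run_demo(**kw).items()):
            print("  reachable:", rel, findings or "")
```

Running it prints three scenarios: with no rules both logs are reachable and payment_debug.log yields a masked card number plus the api_user/api_key credentials; with only the 2.0.1.1 rule the logs and .tpl are closed but config.php.bak and README.md remain reachable; with the extended rule plus the system/logs deny only robots.txt and config.php are left, which is what you want. To point it at a real install, replace `run_demo` with `audit("/path/to/webroot")`; remember that anything it reports as reachable is a static estimate, so confirm with a request against the live site before and after the change.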

Post by Johnathan » Sat Mar 14, 2015 10:33 pm

Dhaupin wrote: That's a good start. Should include .bak, .htaccess, .xml_ and .md too
Good suggestions -- you should contribute them on github so they're included in future versions.



Post by siquang » Mon Mar 16, 2015 3:50 pm

I'm new to OpenCart and have not seen anyone suggest moving the system or config files above the web document root. Having these files outside of the web document root means they are not directly accessible via a browser. I tested the structure below on my test server and everything seems to work fine. You just need to edit the config.php file to set the correct path, and 2 lines in index.php.

Here is my directory structure, where public_html will be the web document root.

/oc_sys/
    catalog/config.php
    admin/config.php
    system/
/public_html/
    catalog/
    image/
    admin/
    index.php
    crossdomain.xml
    php.ini

Newbie | Joined Mon Mar 16, 2015 7:52 am