Post by lennyli » Sat Feb 04, 2017 10:58 am

I'm taking over admin of an OpenCart installation.
I'm quite shocked to see the error log being placed inside the HTML document root at the path
system/logs/error.txt

This information is supposed to be confidential to the administrator. Is this the way Apache/OpenCart gets installed by default? Could hackers modify this file and execute some damaging instructions, as I see the file is rwxrwxrwx?


Post by IP_CAM » Sat Feb 04, 2017 1:00 pm

A well done OC has an EMPTY Error Log. Everything else would be highly unprofessional.
But you could also keep the Directory and/or the File extension (.txt) from being called directly
by use of .htaccess, by making it look like:

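# Prevent direct access to files with these extensions.
# .txt is listed once, behind the lookbehind, so robots.txt stays reachable.
<FilesMatch "(?i)(\.xml|\.tpl|\.ini|\.log|(?<!robots)\.txt)">
 # Order/Deny is Apache 2.2 syntax (mod_access_compat on 2.4);
 # the native Apache 2.4 form is: Require all denied
 Order deny,allow
 Deny from all
</FilesMatch>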
Ernie

Ernie's OpenCart 1.5.6.5 light with responsive OC Bootstrap Themes:
http://www.evelo.li - http://www.bigmax.ch - http://www.hitline.info/ocshop/
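
The two concerns raised in this thread (a log inside the document root with rwxrwxrwx permissions, and a deny rule keyed on file extension) can be checked together. The following is an added example, not part of the original posts: it walks a document root and reports world-writable files and log-like files whose names the rule would not match. `audit`, `RULE` and `LOG_HINTS` are hypothetical names, and Python's `re` stands in for Apache's regex engine.

```python
import os
import re
import stat

# Same pattern as the FilesMatch rule, with .txt listed only behind the
# lookbehind. Assumption: Python's re and Apache's PCRE agree on this pattern.
RULE = re.compile(r"(?i)(\.xml|\.tpl|\.ini|\.log|(?<!robots)\.txt)")
# Hypothetical hint list: path fragments that suggest a log file.
LOG_HINTS = ("log", "error")


def audit(docroot):
    """Return one finding per risky file under docroot, sorted by path.

    A file is reported when it is world-writable, or when it looks like a
    log and the deny rule would not cover its name.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            denied = RULE.search(name) is not None  # rule sees the file name only
            looks_like_log = any(h in rel.lower() for h in LOG_HINTS)
            world_writable = bool(mode & stat.S_IWOTH)
            if world_writable or (looks_like_log and not denied):
                findings.append({
                    "path": rel,
                    "mode": oct(mode),
                    "denied_by_rule": denied,
                    "world_writable": world_writable,
                })
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    import sys
    for finding in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

A file can be denied by the rule and still be reported: the rule only stops direct HTTP requests, while the mode bits decide which local accounts can change the file.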