Magento cacheleak issue
Recently we got an email from Magento about the cacheleak issue, which leaks a Magento store's passwords from its cache files when the var directory is not properly secured and the server is Nginx. Even a misconfigured Apache server is vulnerable to this. This may be new to the Magento team, but we knew about it a year ago, when we found that most Magento websites on the internet are weakly configured and showing this sensitive information. Magento has now exposed all those websites, and they are vulnerable to attacks! The issue itself is not a big find, and it does not just expose your store's MySQL password; it is much more than that. Magento uses cache files even to store your third-party credentials, such as shipping and payment API keys, usernames and passwords, all of it unencrypted! This is why we never publicized these issues: we feared it might lead to attacks on the Magento websites vulnerable to this.
Coming back to the issue, Magento names its cache files quite predictably. It simply encrypts your web root path (which strangers can easily learn), takes the first 3 characters and appends CONFIG_GLOBAL to get the name of the file that stores all the credentials: the MySQL host, username, password and database name, plus all the sensitive information stored in the core_config_data table (FedEx, UPS, PayPal, CyberSource, anything you have configured in Magento), without any encryption. This is possible when your server serves the contents of the var directory to the world. You can easily check whether you are affected by requesting the var/resource_config.json file (http://www.yoursite.com/var/resource_config.json). Ideally it should return 403 Forbidden, but you can also redirect anyone who attempts to load anything from the var directory to the homepage. The .htaccess rules below redirect any request for your var directory to the homepage, while your application can still read and write files inside it. You should also not expose any of your repository files, as they give attackers a listing of all your files and folders.
RewriteEngine On
# Refuse (403 Forbidden) any request that reaches into .git or .svn repository metadata
RewriteRule .*\.git/.* - [F]
RewriteRule .*\.svn/.* - [F]
# Send any request for the var directory to the homepage (replace www.example.com with your own domain)
RewriteRule ^var/(.*)$ http://www.example.com [R=301,NC,L]
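Added example (not part of the original post) of checking your own store for the exposure described above, in Python: it requests the var/resource_config.json, .git and .svn paths without following redirects, so a 403 or a redirect to the homepage (what the .htaccess rules above produce) counts as blocked, while a 200 with content counts as exposed. The probe paths, verdict labels and the www.example.com default are this example's assumptions.

```python
import urllib.error
import urllib.request

# Paths from the post: var/resource_config.json shows whether the var directory
# is served; .git/ and .svn/ metadata shows whether repository files are served.
PROBE_PATHS = ("var/resource_config.json", ".git/HEAD", ".svn/entries")
REDIRECT_CODES = (301, 302, 303, 307, 308)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx, so a redirect-to-homepage (the .htaccess
    rule above) is seen as a block rather than as the homepage's HTML."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, body=b""):
    """Verdict for one response (labels are this example's own): 403 or a
    redirect means the path is blocked, 404 means nothing is served there,
    200 with a non-empty body means the file is exposed."""
    if status == 403 or status in REDIRECT_CODES:
        return "blocked"
    if status == 404:
        return "absent"
    if status == 200:
        return "EXPOSED" if body.strip() else "unknown"
    return "unknown"


def probe_site(base_url, timeout=10):
    """Request each probe path on your own store and return {path: verdict}."""
    opener = urllib.request.build_opener(NoRedirect())
    base = base_url.rstrip("/") + "/"
    results = {}
    for path in PROBE_PATHS:
        try:
            with opener.open(base + path, timeout=timeout) as resp:
                results[path] = classify(resp.status, resp.read(512))
        except urllib.error.HTTPError as err:  # 3xx and 4xx both arrive here
            results[path] = classify(err.code)
        except urllib.error.URLError:
            results[path] = "unreachable"
    return results


def is_affected(results):
    """True if any probed path was served with content."""
    return any(verdict == "EXPOSED" for verdict in results.values())


if __name__ == "__main__":
    import sys
    report = probe_site(sys.argv[1] if len(sys.argv) > 1 else "http://www.example.com")
    print(report, "AFFECTED" if is_affected(report) else "not affected by this check")
```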
We built an extension months ago that specifically takes care of this issue. All of our customers who use the extension are safe and secure. Now that this issue is public, you should get the extension and install it on your store as soon as possible to stay secure from attackers!