File System cache > Configuration available from a browser!



Hello,

 

I am using the FS cache, and what a surprise to see my PayPal password available from a simple browser! I don't know how the guy found the exact URL, but he browsed to http://mystore.com/cache/cachefs/0...... and got the serialized configuration with all my payment module passwords!

 

I don't know yet whether this information is critical or not.

 

My fault was not securing this folder enough, same thing for the .tpl files... but after speaking to another dev, it's a big mistake to have the cache/temp folder reachable from the web!

 

So for the next version, please move this folder!


I concur; this would hold true for the Smarty cache and compiled code as well. It really should be moved out of the tools folder and into a protected directory that resides outside of the web root.

 

Placing the following in the .htaccess file under the store root folder should help restrict access to the template files.

# Refuse to serve Smarty template sources. The dot is escaped so the pattern
# matches the ".tpl" extension only. This is Apache 2.2 access-control syntax;
# on Apache 2.4 replace the two inner lines with "Require all denied".
<FilesMatch "\.tpl$">
order deny,allow
deny from all
</FilesMatch>

 

@Prestadget, I don't use the file cache; could you send me a PM with the name format of those sensitive files? Do they end in .tpl or some other extension?


.tpl files do not contain precious information, but the filesystem cache makes all your configuration... public! All your API keys & secrets.

 

With a simple HTTP crawler you can grab these files. Fortunately nobody uses the filesystem cache (I don't; it was just a try ^^), but the PrestaShop guys should make this folder (also *.tpl, /config, etc.) restricted from the web.

 

It's the most important security advice in PHP: DON'T PUT ALL YOUR CODE UNDER THE WWW PUBLIC FOLDER

 

I tried something else: I created a free, cool module, and 754 people downloaded & installed it. The module was a simple Facebook like box with a file browser in the ZIP, so I could change the PayPal account of 754 stores ;-)

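As an added example (not code from this thread or from PrestaShop), here is a small POSIX shell script that does the two things the posts above ask for. It drops a deny-all .htaccess into each cache directory so Apache refuses to serve anything in it (covering both the 2.2 syntax used in bellini13's snippet and the 2.4 "Require" syntax), and it probes the same paths over HTTP with curl the way the crawler Prestadget mentions would, reporting a path as exposed only when the server answers 200. It assumes Apache with AllowOverride enabled for the store directory and curl on the machine running it; cache/cachefs is the directory named in the thread, while the tools/smarty/... names, the STORE_ROOT and STORE_URL variables and the script name are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the forum thread or from PrestaShop.
# Assumes Apache serving the store with AllowOverride enabled for its directory,
# and curl available. STORE_ROOT is the store's web root (a scratch directory is
# used when unset, so the script can be run as a demo); STORE_URL, when set,
# enables the HTTP probe (e.g. STORE_URL=http://mystore.com sh harden_cache.sh).

# Directories that must never be reachable over HTTP. cache/cachefs is the path
# from the thread; the Smarty cache/compile names are illustrative (assumption).
CACHE_DIRS="cache/cachefs tools/smarty/cache tools/smarty/compile"

# Write a deny-all .htaccess into an existing directory. Both the Apache 2.2
# (Order/Deny) and the Apache 2.4 (Require) access-control syntax are emitted,
# each guarded by IfModule so only the matching one is evaluated.
# Returns 1 rather than silently creating a directory that is not there.
write_deny_htaccess() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    cat > "$dir/.htaccess" <<'EOF'
# Nothing in this directory is meant to be served over HTTP
# (cache data and compiled templates can contain configuration and secrets).
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Map an HTTP status code to a verdict. Only a 200 counts as exposed:
# a 403 means the deny rule works, a 404 means nothing is served at that path.
classify_status() {
    case "$1" in
        200) echo EXPOSED ;;
        *)   echo blocked ;;
    esac
}

# Probe one URL with curl (status code only, body discarded) and print the verdict.
probe_url() {
    url="$1"
    code=$(curl -s -o /dev/null -w '%{http_code}' "$url")
    printf '%s (%s) %s\n' "$(classify_status "$code")" "$code" "$url"
}

# Demo layout when no real store root is given: scratch directory with the
# cache directories created empty, so there is something to protect.
if [ -z "$STORE_ROOT" ]; then
    STORE_ROOT=$(mktemp -d)
    for d in $CACHE_DIRS; do mkdir -p "$STORE_ROOT/$d"; done
fi

# Harden every cache directory that exists under the store root.
for d in $CACHE_DIRS; do
    write_deny_htaccess "$STORE_ROOT/$d" && echo "protected $STORE_ROOT/$d"
done

# Verify through the web server: every line printed here must read "blocked".
if [ -n "$STORE_URL" ]; then
    for d in $CACHE_DIRS; do
        probe_url "$STORE_URL/$d/"
    done
fi
```

Blocking access with .htaccess is the quick fix for a store that is already deployed; the probe loop is there so the result is checked from the outside rather than assumed. The durable fix is the one the thread asks for: keep the cache, compiled templates and configuration outside the public document root entirely, so no web-server rule has to stand between them and the crawler.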
