
Why it Matters

Magento writes its logs into var/log/ (system.log, exception.log, debug.log) and some extensions write their own log files into their module folders. If any of these paths are served by the web server, an attacker can simply download them and read stack traces with file paths, SQL queries, API keys or tokens that extensions echo into their logs, and customer data that ends up in error messages.

Protecting application logs means only the operating-system accounts that run and administer the store can read them. Customers, crawlers and search engines must never reach raw logs. Correct file permissions and web server rules together prevent this information disclosure; either one alone leaves a gap.

Verification Steps

File system check

# Logs should not be readable by "others"; check rotated copies (system.log.1, *.gz) too
ls -la var/log/

# Expected: files -rw-r----- (640) or stricter, the directory drwxr-x--- (750);
# any "r" in the last three characters of a mode string is a finding

Web access check

# Attempt to fetch logs over HTTP (should fail with 403/404).
# Only meaningful for files that exist on disk: a 404 for a missing file proves nothing,
# and a 301/302 to another page must be inspected rather than counted as blocked.
curl -I https://yourstore.com/var/log/system.log
curl -I https://yourstore.com/var/log/exception.log
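
The two verification steps above, combined into one audit script that can gate a deployment. This is an added example for this page, not code from the original baseline or from Magento. It assumes GNU find (for -perm /mode) and curl on the Magento host, takes the store's base URL and root directory as arguments (the values in the usage line are placeholders), and covers the two cases the manual check glosses over: rotated copies under var/log and a 404 for a log that does not exist on disk.

```shell
#!/bin/sh
# Added audit script for the Magento log checks; not part of the original page.
# Assumptions: runs on the Magento host, GNU find and curl are installed,
# first argument is the public base URL, second is the Magento root (default ".").

# Print every entry under the log directory that grants any permission to
# "others" (the last octal digit). Rotated copies such as system.log.1 and
# *.gz are included on purpose: they hold the same data as the live log.
# Prints nothing when the directory is clean.
world_readable_logs() {
    find "$1" -perm /007 -print 2>/dev/null
}

# Return the status code of a plain GET (not HEAD, which some servers answer
# differently). "000" means the request itself failed.
http_status() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1") || code=000
    printf '%s\n' "$code"
}

# Only 403 and 404 count as blocked. 200 is a disclosure; a 3xx may be a
# redirect to the same file under another scheme or host, so it is reported
# for manual inspection rather than treated as a pass.
is_blocked() {
    case "$1" in
        403|404) return 0 ;;
        *) return 1 ;;
    esac
}

# Run both checks against real files. A 404 for a file that does not exist
# on disk proves nothing, so only logs present under var/log are requested.
# Exit status: 0 = all checks passed, 1 = a finding or something to inspect,
# 2 = var/log not found.
audit_logs() {
    base_url="${1%/}"
    root="${2:-.}"
    logdir="$root/var/log"
    rc=0
    if [ ! -d "$logdir" ]; then
        printf 'ERROR: %s is not a directory\n' "$logdir"
        return 2
    fi
    bad=$(world_readable_logs "$logdir")
    if [ -n "$bad" ]; then
        printf 'FAIL: permissions grant access to others:\n%s\n' "$bad"
        rc=1
    else
        printf 'PASS: nothing under %s is accessible to others\n' "$logdir"
    fi
    for f in system.log exception.log debug.log; do
        [ -f "$logdir/$f" ] || continue
        code=$(http_status "$base_url/var/log/$f")
        if is_blocked "$code"; then
            printf 'PASS: /var/log/%s -> %s\n' "$f" "$code"
        elif [ "$code" = 200 ]; then
            printf 'FAIL: /var/log/%s -> 200 (log is downloadable)\n' "$f"
            rc=1
        else
            printf 'CHECK: /var/log/%s -> %s (inspect manually)\n' "$f" "$code"
            rc=1
        fi
    done
    return "$rc"
}

# Usage (placeholder values): sh audit_magento_logs.sh https://yourstore.com /var/www/magento
if [ $# -gt 0 ]; then
    audit_logs "$@"
fi
```

The permission check deliberately flags any bit in the "others" position, not just read: an execute bit on the directory lets a local user reach files by name, and rotated archives are the most common thing left at 644 by a default logrotate. The HTTP check uses GET rather than HEAD so the response matches what an attacker's download would receive.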

Remediation / Fix Guidance

  1. Set strict permissions on var/log/. Files get 640 and directories 750; a
     recursive chmod 640 would also strip the execute bit from the directory and
     make it untraversable, so set the two separately:
    find var/log -type d -exec chmod 750 {} +
    find var/log -type f -exec chmod 640 {} +
    chown -R magento:www-data var/log
     The account PHP runs as must keep write access. The modes above assume PHP
     runs as the file owner (magento); if PHP-FPM runs as the web server user,
     use 770 for directories and 660 for files instead, in line with Magento's
     file-permission guidance that makes var/ group-writable. The requirement
     either way is that "others" get no bits at all.
  2. Block direct web access to log files. The most robust fix is to serve the
     store from pub/ (root $MAGE_ROOT/pub; in Magento's nginx.conf.sample) so
     that var/ sits outside the document root; the rules below are defense in depth:
    # Nginx
    location ~* ^/var/log/ {
        deny all;
    }
    # Apache 2.4 (2.2 uses "Order deny,allow" / "Deny from all")
    <Directory "/var/www/magento/var/log">
        Require all denied
    </Directory>
  3. Make log rotation keep the same protection: rotated copies (system.log.1,
     system.log.2.gz) contain the same data, so create them with the same mode
     (for logrotate, create 0640 magento www-data) and do not leave compressed
     archives anywhere under the web root.
  4. Ship logs to a centralized system (ELK, Graylog, Splunk) for production
     visibility, and keep local retention short so the web host holds less
     sensitive history on disk.

Examples

Fail Example
# Publicly accessible log file
$ curl -I https://mystore.com/var/log/system.log
HTTP/1.1 200 OK
# Attackers can download logs → FAIL
Pass Example
# Logs restricted
$ curl -I https://mystore.com/var/log/system.log
HTTP/1.1 403 Forbidden
# Correctly blocked → PASS
# A 404 is also a pass, but only for a file that exists on disk (ls -l var/log/system.log);
# a 301/302 to another page must be followed and inspected, not counted as a pass
