Your web server is set up incorrectly and allows unauthorized access to sensitive files.

I wanted to share my experience dealing with this annoying message:

"Your web server is set up incorrectly and allows unauthorized access to sensitive files. Please contact your hosting provider."

I think a lot of my issues are the result of using Openlitespeed for a web server.

I tried all sorts of solutions found on the Internet. Some did nothing and others broke the installation.

I determined that everything hinges on the permissions set for one file /app/etc/config.php.

No matter what permissions I set for config.php, and still have a functioning Magento, I get the error notice. I currently have the permissions set to 500 and owned by nobody:root

The error text comes from vendor/magento/module-admin-notification/Model/System/Message/Security.php

Here is the code for Security.php:

<?php
/**
 * Copyright © Magento, Inc. All rights reserved.
 * See COPYING.txt for license details.
 */

namespace Magento\AdminNotification\Model\System\Message;

use Magento\Store\Model\Store;

/**
 * @api
 * @since 100.0.2
 */
class Security implements \Magento\Framework\Notification\MessageInterface
{
    /**
     * Cache key for saving verification result
     */
    const VERIFICATION_RESULT_CACHE_KEY = 'configuration_files_access_level_verification';

    /**
     * File path for verification
     *
     * @var string
     */
    private $_filePath = 'app/etc/config.php';

    /**
     * Time out for HTTP verification request
     *
     * @var int
     */
    private $_verificationTimeOut = 2;

    /**
     * @var \Magento\Framework\App\CacheInterface
     */
    protected $_cache;

    /**
     * @var \Magento\Backend\App\ConfigInterface
     */
    protected $_backendConfig;

    /**
     * @var \Magento\Framework\App\Config\ScopeConfigInterface
     */
    protected $_config;

    /**
     * @var \Magento\Framework\HTTP\Adapter\CurlFactory
     */
    protected $_curlFactory;

    /**
     * @param \Magento\Framework\App\CacheInterface $cache
     * @param \Magento\Backend\App\ConfigInterface $backendConfig
     * @param \Magento\Framework\App\Config\ScopeConfigInterface $config
     * @param \Magento\Framework\HTTP\Adapter\CurlFactory $curlFactory
     */
    public function __construct(
        \Magento\Framework\App\CacheInterface $cache,
        \Magento\Backend\App\ConfigInterface $backendConfig,
        \Magento\Framework\App\Config\ScopeConfigInterface $config,
        \Magento\Framework\HTTP\Adapter\CurlFactory $curlFactory
    ) {
        $this->_cache = $cache;
        $this->_backendConfig = $backendConfig;
        $this->_config = $config;
        $this->_curlFactory = $curlFactory;
    }

    /**
     * Check verification result and return true if system must to show notification message
     *
     * @return bool
     */
    private function _canShowNotification()
    {
        if ($this->_cache->load(self::VERIFICATION_RESULT_CACHE_KEY)) {
            return false;
        }

        if ($this->_isFileAccessible()) {
            return true;
        }

        $adminSessionLifetime = (int)$this->_backendConfig->getValue('admin/security/session_lifetime');
        $this->_cache->save(true, self::VERIFICATION_RESULT_CACHE_KEY, [], $adminSessionLifetime);
        return false;
    }

    /**
     * If file is accessible return true or false
     *
     * @return bool
     */
    private function _isFileAccessible()
    {
        $unsecureBaseURL = $this->_config->getValue(Store::XML_PATH_UNSECURE_BASE_URL, 'default');

        /** @var $http \Magento\Framework\HTTP\Adapter\Curl */
        $http = $this->_curlFactory->create();
        $http->setConfig(['timeout' => $this->_verificationTimeOut]);
        $http->write(\Zend_Http_Client::POST, $unsecureBaseURL . $this->_filePath);
        $responseBody = $http->read();
        $responseCode = \Zend_Http_Response::extractCode($responseBody);
        $http->close();

        return $responseCode == 200;
    }

    /**
     * Retrieve unique message identity
     *
     * @return string
     */
    public function getIdentity()
    {
        return 'security';
    }

    /**
     * Check whether
     *
     * @return bool
     */
    public function isDisplayed()
    {
        return $this->_canShowNotification();
    }

    /**
     * Retrieve message text
     *
     * @return \Magento\Framework\Phrase
     */
    public function getText()
    {
        return __(
            'Your web server is set up incorrectly and allows unauthorized access to sensitive files. '
            . 'Please contact your hosting provider.'
        );
    }

    /**
     * Retrieve message severity
     *
     * @return int
     */
    public function getSeverity()
    {
        return \Magento\Framework\Notification\MessageInterface::SEVERITY_CRITICAL;
    }
}

Notice these lines:

private $_filePath = 'app/etc/config.php';

if ($this->_isFileAccessible()) {
    return true;
}

I changed "return true" to "return false" to kill the notice.

I know this is not the way to fix this but it's all I can do at my level of expertise.
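The notice is produced by the HTTP probe in Security.php: a POST to the unsecure base URL plus app/etc/config.php, with any 200 response counted as "accessible". Returning false from the check silences the message without changing whether the file is served. The script below is an added example (not from the forum post and not Magento's own code) that performs the same probe from outside the store, so a fix can be confirmed before the patched line is reverted. It extends the original check in two ways: it also probes app/etc/env.php, which the thread names as well, and it looks at the response body to tell a file that was really served (PHP source comes back) from a catch-all rewrite that answers 200 with an HTML page, which is enough to trigger the notice even though no source is leaked. The `fetch` parameter is a hypothetical hook so the logic can be driven with constructed responses instead of a live store, and `http://store.example/` is a placeholder base URL.

```python
# Added example (not from the forum post and not Magento's own code): an
# exposure check that mirrors Security::_isFileAccessible() and extends it
# to env.php and to telling a served file apart from a catch-all 200.
# Assumptions: `base_url` is the store's unsecure base URL; `fetch` is a
# hypothetical hook used to inject constructed responses in tests.
from typing import Callable, Dict, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Files that live outside pub/ and must never be served by the web server.
# Both are named in the thread; Security.php itself only probes config.php.
SENSITIVE_PATHS = ("app/etc/config.php", "app/etc/env.php")

Fetch = Callable[[str], Tuple[int, bytes]]


def probe(url: str, timeout: float = 2.0) -> Tuple[int, bytes]:
    """POST to the URL (the same method Security.php uses) and return
    (status code, first 4 KiB of body). An unreachable host gives (-1, b""),
    which, like a timeout in the PHP code, counts as 'not accessible'."""
    req = Request(url, data=b"", method="POST")
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except HTTPError as err:            # 403/404 still carry a usable code
        return err.code, err.read(4096)
    except (URLError, OSError):
        return -1, b""


def classify(status: int, body: bytes) -> str:
    """Interpret one probe result.
    blocked       - anything but 200: the notice stays quiet.
    source_served - 200 and the body is PHP source: real exposure, the
                    document root is the Magento root rather than pub/.
    catch_all_200 - 200 but not the file: a rewrite answered with a page.
                    The notice still fires, since only the code is checked."""
    if status != 200:
        return "blocked"
    if b"<?php" in body:
        return "source_served"
    return "catch_all_200"


def audit(base_url: str, fetch: Fetch = probe) -> Dict[str, str]:
    """Probe every sensitive path and return {path: classification}."""
    base = base_url.rstrip("/") + "/"
    return {path: classify(*fetch(base + path)) for path in SENSITIVE_PATHS}


def notice_would_show(base_url: str, fetch: Fetch = probe) -> bool:
    """Same verdict as Security.php: config.php only, status code only."""
    status, _ = fetch(base_url.rstrip("/") + "/app/etc/config.php")
    return status == 200


if __name__ == "__main__":
    import sys
    # Placeholder base URL; pass the store's real unsecure base URL instead.
    url = sys.argv[1] if len(sys.argv) > 1 else "http://store.example/"
    for path, verdict in audit(url).items():
        print(f"{path}: {verdict}")
    print("admin notice would show:", notice_would_show(url))
```

A `source_served` verdict means the web server's document root is the Magento root (or the server is not denying app/), and file permissions alone will not change it as long as the web server process can read the file. A `catch_all_200` verdict explains the situation the original post describes: permissions make no difference because the notice keys on the status code only, so the rewrite rule that answers 200 for unknown paths is what needs attention.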


Re: Your web server is set up incorrectly and allows unauthorized access to sensitive files.

I replied to this earlier... Where did my reply go???

Re: Your web server is set up incorrectly and allows unauthorized access to sensitive files.

Is there any solution for this issue?

Re: Your web server is set up incorrectly and allows unauthorized access to sensitive files.

Hi @TexasGreg

It may be because of improper file permissions or publicly exposed files.
Please refer to https://magento.stackexchange.com/a/101496/3895 and

https://www.mageplaza.com/kb/your-web-server-set-up-incorrectly-allows-unauthorized-access-sensitive... 

---
Problem Solved Click Accept as Solution!:Magento Community India Forum

Re: Your web server is set up incorrectly and allows unauthorized access to sensitive files.

You need to do two things

1. Change your site URL from HTTP to HTTPS from admin

2. Change app/etc/config.php file permission to 660

If not showing yet, clear the cache with

php bin/magento c:c && php bin/magento c:f

3. Now append the code below to app/etc/env.php

'directories' => [
    'document_root_is_pub' => true
]

4. Now switch the mode to production

bin/magento deploy:mode:set production
bin/magento cache:flush

5. Now switch back to developer mode

bin/magento deploy:mode:set developer
bin/magento cache:flush

Now check your store front-end and make sure it is working.
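The reply above changes two things on disk: the mode of app/etc/config.php and the `document_root_is_pub` flag in app/etc/env.php. The script below is an added example (not from the reply and not part of Magento) that verifies both on a Magento root before the admin notice is checked again; the `magento_root` argument is a placeholder path, and `make_sample_root` builds a constructed file tree so the checks can be exercised offline. The env.php scan is a deliberate simplification: it searches for the flag by regular expression rather than parsing the PHP array. One caveat a practitioner should keep in mind: 660 removes read access for "other" users only, so if the web server runs as the file's owner or group it can still serve the file, and the HTTP probe the notice itself performs remains the authoritative test.

```python
# Added example (not from the reply and not part of Magento): verify the
# local changes made in the steps above, namely the permissions on
# app/etc/config.php and app/etc/env.php and the document_root_is_pub flag.
# `magento_root` is a placeholder; make_sample_root() builds a constructed
# tree for offline use.
import os
import re
import stat
import tempfile
from typing import Dict, Optional

CONFIG_FILES = ("app/etc/config.php", "app/etc/env.php")

# Simplified scan of env.php; a real parser would read the 'directories' array.
DOC_ROOT_IS_PUB = re.compile(r"'document_root_is_pub'\s*=>\s*(true|false)")


def octal_mode(path: str) -> str:
    """Permission bits as the three-digit string chmod uses, e.g. '660'."""
    return format(stat.S_IMODE(os.stat(path).st_mode), "03o")


def exposed_to_others(path: str) -> bool:
    """True when 'other' users can read the file (the trailing 4 in 644)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def document_root_is_pub(env_php_source: str) -> Optional[bool]:
    """Return the flag's value, or None when env.php does not set it."""
    m = DOC_ROOT_IS_PUB.search(env_php_source)
    return None if m is None else m.group(1) == "true"


def audit_local(magento_root: str) -> Dict[str, str]:
    """Report each config file's mode and whether the pub flag is set."""
    findings: Dict[str, str] = {}
    for rel in CONFIG_FILES:
        full = os.path.join(magento_root, rel)
        if not os.path.isfile(full):
            findings[rel] = "missing"
            continue
        mode = octal_mode(full)
        findings[rel] = (f"world-readable ({mode})" if exposed_to_others(full)
                         else f"ok ({mode})")
    env_path = os.path.join(magento_root, "app/etc/env.php")
    if os.path.isfile(env_path):
        with open(env_path, encoding="utf-8") as fh:
            flag = document_root_is_pub(fh.read())
        findings["document_root_is_pub"] = {True: "set", False: "false",
                                            None: "absent"}[flag]
    return findings


def make_sample_root(mode: int, with_flag: bool = True) -> str:
    """Build a constructed Magento-like tree in a temp dir (sample data,
    not a real installation) with both files chmod'ed to `mode`."""
    root = tempfile.mkdtemp(prefix="magento-sample-")
    os.makedirs(os.path.join(root, "app/etc"))
    directories = ("    'directories' => [\n"
                   "        'document_root_is_pub' => true\n"
                   "    ],\n") if with_flag else ""
    files = {
        "app/etc/config.php": "<?php\nreturn ['modules' => []];\n",
        "app/etc/env.php": "<?php\nreturn [\n" + directories + "];\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_root(0o644)
    for key, value in audit_local(target).items():
        print(f"{key}: {value}")
```

Run it against the real Magento root after the permission change and the env.php edit; "ok (660)" on both files and "set" for the flag means the local steps took effect, after which the cache flush and the HTTP check decide whether the notice is gone.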