Magento 2: “Your web server is set up incorrectly and allows unauthorized access to sensitive files. Please contact your hosting provider”

My Magento 2 development environment has started poking me with the following error message:

> Your web server is set up incorrectly and allows unauthorized access to sensitive files. Please contact your hosting provider

Has anyone tracked down

- What security checks are happening?
- Where in the core code these checks happen?

Tags: magento2, php, security

asked Feb 12 '16 at 3:39 by Alan Storm

Can you please tell me which version of 2 you are using? – Amit Bera♦, Feb 12 '16 at 5:16

@AmitBera With individual packages being composer repositories I'm not really sure how to check that – Alan Storm, Feb 12 '16 at 5:17

@AlanStorm, this message came from the `Magento\AdminNotification\Model\System\Message\Security` class. In which situation did you get this message? – Bojjaiah, Feb 12 '16 at 5:35

@magentotwo When I logged into the backend – Alan Storm, Feb 12 '16 at 7:29

7 Answers

These tests are present inside the class `Magento\AdminNotification\Model\System\Message\Security`, and that notification text comes from the function `getText()`. I think Magento checks the accessibility of `app/etc/*` files and, based on that, shows the warning in the admin panel.

This check says that anyone can access the `app/etc/*` files, for example the `app/etc/env.php` file that stores credentials to the DB, the crypt key, and other resources.

The better solution is to configure your `pub` folder as the web root instead of the default installation directory, usually `magento2`, as specified in most install docs. This will improve overall security and fix your problem. Be sure to edit your other Apache/Nginx location definitions as well. For Nginx, the `$MAGE_ROOT` directive should be `/var/www/example.com/magento2/pub`, and so should your `root` directive. Be sure to flush your cache after making the change as well, otherwise images and CSS files will be broken (System -> Tools -> Cache Management -> Flush Magento Cache).

`Magento\AdminNotification\Model\System\Message\Security` is responsible for this functionality. See the `_isFileAccessible` method.

It will surely put the Magento store at risk.

edited May 15 at 20:24 by Dinesh Rajput
answered Feb 12 '16 at 7:34 by KAndy

If you are using Apache, make sure that the `.htaccess` file that is included with Magento in the `/app/` folder is present on your web server, and that Apache is configured to use .htaccess files to override settings per folder, but this should be enabled by default.

The content of this file is supposed to be:

```
<IfVersion < 2.4>
    order allow,deny
    deny from all
</IfVersion>
<IfVersion >= 2.4>
    Require all denied
</IfVersion>
```

edited Oct 10 '18 at 7:25 by Community♦
answered Nov 21 '16 at 15:06 by Dynomite

It's a system message, and this message came from the `getText()` method of the class `Magento\AdminNotification\Model\System\Message\Security`.

When we open the Admin panel, the controller checks all the notifications and their related security.

You can debug from the `execute()` method in `Magento\AdminNotification\Controller\Adminhtml\System\Message\ListAction.php`.

answered Feb 12 '16 at 5:45 by Bojjaiah

Useful information, but not what I asked. Some code in Magento clearly ran some systems tests and added that message. I want to know where those systems tests are. – Alan Storm, Feb 12 '16 at 7:29

MAGENTO 2 Centos 7 Server

To fix the message "Your web server is set up incorrectly and allows unauthorized access to sensitive files. Please contact your hosting provider".

1) ssh - Run the following command from your root account.

```
# Hand the whole tree to the domain account user and group
chown -R accountuser:accountusergroup /path-to-root-folder/
```

2) ssh - Run the following commands from the domain account user (not your web server account such as apache etc.).

```
# Directories 770, files 660, and keep the Magento CLI executable
find . -type d -exec chmod 770 {} \; && find . -type f -exec chmod 660 {} \; && chmod u+x bin/magento
# Group write access on the writable directories
chmod -R g+w /path-to-root-folder/{pub,var}
chmod -R g+w /path-to-root-folder/{app/etc,vendor}
# setgid so that new files inherit the group
chmod -R g+s pub/static pub/media
find var/generation -type d -exec chmod g+s {} \;
find var/session -type d -exec chmod g+s {} \;
```

3) ssh - Run the following commands from your root account.

```
chown -R domain_account_user:webservergroup /path-to-root-folder/var
chown -R domain_account_user:webservergroup /path-to-root-folder/app/etc
chown -R domain_account_user:webservergroup /path-to-root-folder/pub
chown -R webserverUSER:webservergroup /path-to-root-folder/var/session
```

This will fix this error and many other errors. Note: disable SUPHP when using Magento 2, you will save yourself a lot of headache. Currently I'm running mod_mpm_event with ea-apache24-mod_cgid and PHP 7 and ea-php70-php-fpm.

I had my Magento 2 running with just mod_mpm_event with ea-apache24-mod_cgid and PHP 7 before I added PHP-FPM.

If you are running cPanel/Apache and you don't want to use EasyApache to move to mod_mpm_event + ea-apache24-mod_cgid, you can use the shell from ssh. Run the commands below from ssh.

```
yum shell
remove ea-apache24-mod_mpm_worker
remove ea-apache24-mod_cgi
install ea-apache24-mod_mpm_event
install ea-apache24-mod_cgid
run
quit
```

edited May 8 '16 at 12:37 by Marius♦
answered May 8 '16 at 11:45 by willy alejo

That is only going to work on some hosting environments. It could be a really bad idea on others. – Andy, Jun 8 '17 at 18:39

In my case the problem was caused by the fact that the `default` store view was disabled. While the security check was made, the `Magento\AdminNotification\Model\System\Message\Security` class tried to download the `app/etc/config.php` file and an exception was thrown (`Fatal error: Uncaught Magento\Framework\Exception\NoSuchEntityException: Default store is inactive`), which transformed the response code to 200 (normally it should result in 404). So the system thought that the file is accessible, which would mean a security issue.

Just enable the `default` store view to fix this.
answered Feb 6 at 13:06
Zsolti
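The answer above turns on a check that equates HTTP 200 with exposure. The following is an added example, not Magento's code and not part of the answer: a Python probe run against a local, constructed test server that counts 200 as exposure only when the body is raw PHP source. The case names, the response bodies and the `<?php` heuristic are assumptions made for the illustration.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Constructed responses for three server states; none is real Magento output.
CASES = {
    "blocked": (404, b"Not Found"),
    "exposed": (200, b"<?php\nreturn ['modules' => []];\n"),
    "broken": (200, b"Fatal error: Uncaught exception: Default store is inactive"),
}


class Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = CASES.get(self.path.split("/")[1], (404, b""))
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def classify(url):
    """Return 'blocked', 'exposed' or 'needs-review' for a sensitive-file URL."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=5) as resp:
            status, body = resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        status, body = err.code, b""
    if status != 200:
        return "blocked"
    # Assumption: raw PHP source in the body means the file itself was served.
    if body.lstrip().startswith(b"<?php"):
        return "exposed"
    # 200 without file content: the status code alone does not prove exposure.
    return "needs-review"


def run_demo():
    with http.server.HTTPServer(("127.0.0.1", 0), Handler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_port}"
        results = {c: classify(f"{base}/{c}/app/etc/config.php")
                   for c in ("blocked", "exposed", "broken")}
        server.shutdown()
    return results
```

A `needs-review` result on a real store points at the application's error log rather than at the web server's access rules.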
It's a directory and files permission problem, I think.
Please give proper permissions like:
- 0755 to directories
- 0644 to files

If it doesn't solve the issue, please check the .htaccess file also.
answered Feb 12 '16 at 4:47
Suyog
useful information, but not the information I asked for. I want to know where in the Magento core codebase these checks happen.
– Alan Storm
Feb 12 '16 at 5:07
These tests are present inside the class Magento\AdminNotification\Model\System\Message\Security and that notification text comes from the function getText(). I think Magento checks the accessibility of app/etc/* files and based on that shows the warning in the admin panel.
answered Oct 26 '17 at 6:35
Sarvagya
Can you please tell me which version of 2 you have used?
– Amit Bera♦
Feb 12 '16 at 5:16
@AmitBera With individual packages being composer repositories I'm not really sure how to check that
– Alan Storm
Feb 12 '16 at 5:17
@AlanStorm, this message came from the Magento\AdminNotification\Model\System\Message\Security class. In which situation did you get this message?
– Bojjaiah
Feb 12 '16 at 5:35
@magentotwo When I logged into the backend
– Alan Storm
Feb 12 '16 at 7:29