Magento uses .htaccess files in various directories to restrict access to directory trees. You will find them in app, media, var, and wherever else Magento thought to stick them. They perform various actions, such as denying viewing (app, var) and execution (the media .htaccess). For these .htaccess files to work, it is very important that the following is set either in the root .htaccess file or in the virtual server configuration.
    Options FollowSymLinks
    AllowOverride All
More than likely, what Magento is detecting is that the .htaccess file in the app directory is not being allowed to deny web access to your app/etc/local.xml file, so all your credentials and the encryption key are visible to anyone with a web browser.
Another problem may be that your file/directory permissions are too weak.
For Magento running FastCGI, SuPHP or LSAPI:
    find . -type f -exec chmod 644 {} \;
    find . -type d -exec chmod 755 {} \;
    chmod 550 pear     # for Magento pre 1.5
    chmod 550 mage     # for Magento 1.5 and up
    chmod 550 cron.sh
For Magento running DSO (mod_php):
    find . -type f -exec chmod 644 {} \;
    find . -type d -exec chmod 755 {} \;
    chmod o+w var var/.htaccess app/etc
    chmod 550 pear
For the question below, the following .htaccess file is assumed to be in the app/etc folder. Attempting to read anything through the server should cause a 403 error. The next step is to contact your web host to find out why this file is not being respected.
    Order deny,allow
    Deny from all
Note: If you use alternative HTTP servers such as nginx, you should look for all .htaccess files created in the Magento directory tree and recreate all the .htaccess functions used by Magento in your nginx configuration, so that you have the same file/directory protections as a standard Apache DSO installation. The same goes for Windows installations on IIS.
Fiasco labs
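An added example, not part of the original answer: a POSIX shell audit that lists the directories whose .htaccess contains `Deny from all` (the rules that have to be recreated under nginx or IIS, or that silently stop working without `AllowOverride All`) and reports every path that is group- or world-writable, i.e. looser than the 644/755 scheme above. The function names and the `fcgi`/`dso` mode argument are this example's own.

```shell
#!/bin/sh
# Added example: audit a Magento tree against the checks described above.
# Usage: sh audit.sh /path/to/magento [fcgi|dso]   (path is the reader's own)

# Directories whose .htaccess denies all web access. Each one needs an
# equivalent deny rule when the server ignores .htaccess files.
deny_all_dirs() {
    find "$1" -type f -name .htaccess \
        -exec grep -liE '^[[:space:]]*deny[[:space:]]+from[[:space:]]+all' {} + |
        while IFS= read -r f; do dirname "$f"; done | sort
}

# Files and directories that are group- or world-writable, which the 644/755
# scheme never produces. In dso mode the three paths opened up with
# "chmod o+w var var/.htaccess app/etc" are expected and not reported.
loose_perms() {
    root=${1%/}; mode=${2:-fcgi}
    find "$root" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) |
        while IFS= read -r p; do
            if [ "$mode" = dso ]; then
                case "$p" in
                    "$root/var"|"$root/var/.htaccess"|"$root/app/etc") continue ;;
                esac
            fi
            printf '%s\n' "$p"
        done | sort
}

# Run both checks only when a Magento root is given on the command line.
if [ "$#" -ge 1 ]; then
    echo "Directories protected by a deny-all .htaccess:"
    deny_all_dirs "$1"
    echo "Group- or world-writable paths (mode: ${2:-fcgi}):"
    loose_perms "$1" "${2:-fcgi}"
fi
```

An empty second list means the permissions match the scheme for the chosen mode; the first list is the set of locations to test through the web server for a 403.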