If you see this message when you are logged in to your back-office, it's because of a misconfiguration on your Magento host. There are several reasons for this message to appear, and several ways to fix it.
Why do I have this message displayed?
Since version 1.4.2, the back-office checks whether the file app/etc/local.xml can be read through a browser (the check is made with a cURL request to your unsecure_base_url/app/etc/local.xml URI, and the warning is displayed if the response is an Apache 200 status code). It's very important that this file cannot be read from a web browser, because it contains your database parameters and your cache and session configuration.
All files and folders in the app folder are protected by a .htaccess file which denies access to everyone, for the whole Magento directory tree starting from the app folder:
Order deny,allow
Deny from all
This directive applies from the directory containing the .htaccess file and also covers its subfolders, and so the local.xml file.
Origins of the problem
The .htaccess file can fail to take effect for three main reasons:
The .htaccess file doesn't exist
Of course, if the .htaccess file does not exist, there is no restriction on who can read the local.xml file, and so the security warning is displayed.
.htaccess is not the access filename
By default in the Apache configuration, AccessFilename is set to .htaccess. It can be changed with the AccessFilename directive in the web server or virtual host configuration files.
So if the value has been changed, .htaccess will not be read, and so the ACL is not applied.
But if this is your study case, you should have more complex problems with your Magento 🙂
Cannot override the directory access control list
The Apache configuration also lets you define which rules can be overridden in the AccessFilename, with the AllowOverride directive.
If you are a hosting provider, perhaps you don't want your clients to be able to change some security directives in their AccessFilename. This can be done with the AllowOverride directive.
Have a look at the official documentation to see the possible values for this directive
In this case, if the AllowOverride directive is not set correctly, the .htaccess file is read, but the ACL it defines is not applied, and so your local.xml file can be accessed.
Because this directive can only be used inside a <Directory> block, you must be able to edit the vhost configuration file to fix this issue. Ask your hosting provider if you cannot.
Specific rewriting rules
For one client, we encountered this case: we had changed some elements of the Magento directory tree and defined some specific rewriting rules. The local.xml file was not accessible, but the cURL test received a 200 status code because of a rewriting rule.
In this case it is the test itself that is at fault, not your security policy.
The check is only made on the app/etc/local.xml file, but other sensitive information can be fetched from your app directory.
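To reproduce the back-office check yourself and tell a real exposure apart from the rewriting-rule false positive described above, here is an added example (not Magento's own code). It requests unsecure_base_url/app/etc/local.xml and classifies the answer: a 200 whose body is the config XML with a connection block means the file really is readable, a 200 with any other body means a rewrite rule answered instead. The sample bodies and the function names are constructed for this example.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

LOCAL_XML_PATH = "app/etc/local.xml"

# Constructed sample bodies (not from a real site); placeholder credentials only.
SAMPLE_LOCAL_XML = b"""<?xml version="1.0"?>
<config><global><resources><default_setup><connection>
  <host><![CDATA[localhost]]></host>
  <username><![CDATA[PLACEHOLDER_USER]]></username>
  <password><![CDATA[PLACEHOLDER_PASS]]></password>
  <dbname><![CDATA[magento]]></dbname>
</connection></default_setup></resources></global></config>"""
SAMPLE_HTML = b"<html><body><p>Home page<br>served by a rewrite rule</p></body></html>"


def classify_local_xml_response(status, body):
    """Classify the response to a request for app/etc/local.xml.

    'protected'              : anything but 200, the .htaccess / AllowOverride setup works
    'exposed'                : 200 and the body is Magento's config XML with a <connection>
                               block, so the database parameters are readable
    'rewrite-false-positive' : 200 but the body is not that XML (a rewrite rule answered)
    """
    if status != 200:
        return "protected"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:  # HTML or anything that is not well-formed XML
        return "rewrite-false-positive"
    if root.tag == "config" and root.find(".//connection") is not None:
        return "exposed"
    return "rewrite-false-positive"


def check_local_xml(unsecure_base_url, timeout=10):
    """Fetch unsecure_base_url/app/etc/local.xml (the URI the back-office check uses)
    and classify it. Makes a network request, so run it against your own shop."""
    url = unsecure_base_url.rstrip("/") + "/" + LOCAL_XML_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "local-xml-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_local_xml_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # 403 / 404 land here; the status code alone decides
        return classify_local_xml_response(err.code, b"")
```

A result of "exposed" means the .htaccess rules are missing or ignored (see the three causes above); "rewrite-false-positive" means the warning comes from your rewriting rules, not from a readable file.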
It's a shame that not everybody takes care of this security issue. Take a look at the Google results, you'll be surprised.
If your configuration is set correctly, when you request the app/etc/local.xml file on your Magento, you should see the following error displayed