During an extension installation on one of our client's Magento sites we found a surprising security flaw in the system. It turns out that no matter how complicated your custom admin URL is, everyone can find it, no skills necessary.
You don't believe it? Well, we couldn't believe this either, but it really is true. Check it out yourself. Navigate to your_magento_url/downloader and click on the "Return to Magento Administration" link.
TADA! You are at the login page for the Magento admin. Remember when you created a secret admin URL to make it difficult for hackers to conduct a brute force attack on your site? At present it seems that it was unnecessary, because the downloader is available to anyone, so your admin URL is actually not secret at all.
We started a discussion on this topic on the official Magento forum. There you will find a very interesting approach to securing both the downloader and the admin, shared by one of the users. One of the Magento team members also took part in the discussion and told us that the link to the admin site will be removed from the downloader login page in version 1.4.
That's all very well, but what can be done right now to prevent the downloader from revealing the admin URL? The fastest and simplest solution is to get rid of the link to the admin site. You can remove it by editing the file magento_root/downloader/template/login.phtml. You will need to remove the following line:
<a href="<?php echo htmlentities($returnUrl) ?>">Return to Magento Administration</a>
If you prefer, you might just comment it out. If you choose this approach, be sure to comment out both the HTML and the PHP. The final outcome should look like this:
<!--<a href="<?php //echo htmlentities($returnUrl) ?>">Return to Magento Administration</a>-->
Note that there is an HTML comment (<!-- -->) around the whole <a> tag as well as a PHP comment (//) blocking the echo statement which outputs your admin URL. If you forgot the PHP comment, the admin URL would still be sent to the browser; it would not be rendered, but anyone could read it in the page source.
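As an added check (this script is not part of the original post), the following POSIX shell snippet classifies a downloader login page by whether the "Return to Magento Administration" link is rendered, merely hidden in an HTML comment (the half-done fix described above, where the admin URL is still in the source), or gone. The sample pages and the admin path in them are constructed placeholders; the curl-based helper assumes network access and is there for checking a real site.

```shell
#!/bin/sh
# Added example, not part of the original post: classify a Magento
# downloader login page by whether it still carries the "Return to Magento
# Administration" link, which is what discloses the custom admin URL.
# Verdicts: "rendered"  - link is live in the page (admin URL disclosed)
#           "commented" - link sits inside an HTML comment, so the browser
#                         hides it but the URL is still in the page source
#           "clean"     - link absent (both HTML and PHP parts removed)

LINK_TEXT='Return to Magento Administration'

classify_page() {
    # $1 = page HTML. Strip single-line HTML comments first, so a commented
    # anchor does not count as rendered, then fall back to the raw source.
    if printf '%s\n' "$1" | sed 's/<!--.*-->//g' | grep -qF "$LINK_TEXT"; then
        echo rendered
    elif printf '%s\n' "$1" | grep -qF "$LINK_TEXT"; then
        echo commented
    else
        echo clean
    fi
}

# check_live_site BASE_URL: fetch the real downloader page with curl and
# classify it (not exercised below; needs network access to your own shop).
check_live_site() {
    classify_page "$(curl -fsS "$1/downloader/")"
}

# Constructed sample pages. The admin path is a placeholder.
PAGE_STOCK='<form method="post"><input type="text" name="username"></form>
<a href="https://shop.example/secret_admin_path/">Return to Magento Administration</a>'

PAGE_HTML_COMMENT_ONLY='<form method="post"><input type="text" name="username"></form>
<!--<a href="https://shop.example/secret_admin_path/">Return to Magento Administration</a>-->'

PAGE_FIXED='<form method="post"><input type="text" name="username"></form>'

# Running the script directly prints the three verdicts in order:
# rendered, commented, clean.
for page in "$PAGE_STOCK" "$PAGE_HTML_COMMENT_ONLY" "$PAGE_FIXED"; do
    classify_page "$page"
done
```

Run it against your own shop with `check_live_site https://shop.example` after editing login.phtml; anything other than "clean" means the admin URL is still being sent to every visitor of the downloader page.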
Tags: Development, Ecommerce, Magento, security
Another way, more secure, of patching this is to deny access for /downloader to local IP only… or to deny it to anyone and to use pear from command line instead (which is much more secure).
You may also change the admin domain name from the Magento Admin Panel:
- System / Configuration,
- then Advanced / Admin,
- Admin Base URL and at last Custom admin URL
Then the link from the downloader page will be false and there would be no way of knowing the complete admin URL.
Denying access to the downloader is a much better idea, but you have to bear in mind that not every Magento site owner knows how to do that. A good example was provided in the Magento forum post that I linked above.
Setting the admin URL through the admin interface is problematic, to say the least. There are countless examples of sites that went down after using this feature. It seems that at the moment the safest method to change the admin URL is to modify it in the config files, as described here.
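For the access-restriction approach suggested in the comment above, here is an added Apache configuration fragment (not from the post, its commenters, or the Magento project) that limits /downloader to chosen addresses. It assumes Apache with mod_authz_core (2.4) or the classic access directives (2.2); 203.0.113.10 is a placeholder for your own office or VPN address.

```apache
# Added example: restrict the Magento Connect downloader to an allow-list.
# Put this in magento_root/downloader/.htaccess (needs "AllowOverride Limit"
# or "AllowOverride AuthConfig" for that directory) or in the vhost config
# inside a <Directory "/path/to/magento_root/downloader"> block.
# 203.0.113.10 is a placeholder for your own address.

# Apache 2.2 syntax (mod_access)
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 203.0.113.10
</IfModule>

# Apache 2.4 syntax (mod_authz_core)
<IfModule mod_authz_core.c>
    Require ip 127.0.0.1
    Require ip 203.0.113.10
</IfModule>
```

To block the downloader for everyone and install extensions from the command line instead, as the commenter proposes, drop the Allow/Require ip lines and keep only "Deny from all" (2.2) or "Require all denied" (2.4). Either way, a visitor who reaches /downloader gets a 403 and never sees the login page or its admin link.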
I see that they have indeed removed the link in 1.4.0.0 – thank god for that. With our hosting company, the admin folder can be changed to anything during setup, which is a security improvement.
Yes, that is true, I agree with you, but I am not sure if there are no other options.