While installing an extension on one of our client's Magento sites, we found a surprising security flaw. It turns out that no matter how complicated your custom admin URL is, anyone can find it, no skills required.
You don't believe it? Well, we couldn't believe it either, but it really is true. Check it out yourself: navigate to your_magento_url/downloader and click the "Return to Magento Administration" link.
TADA! You are at the login page for the Magento admin. Remember when you created a secret admin URL to make it harder for attackers to brute-force your site? At present it seems that was pointless, because the downloader is available to anyone, so your admin URL is not secret at all.
We started a discussion on this topic on the official Magento forum, where one of the users shares a very interesting approach to securing both the downloader and the admin. A member of the Magento team also took part in the discussion and told us that the link to the admin site will be removed from the downloader login page in version 1.4.
That's all very well, but what can be done right now to prevent the downloader from revealing the admin URL? The fastest and simplest solution is to get rid of the link to the admin site. You can remove it by editing the file magento_root/downloader/template/login.phtml and deleting the following line:
<a href="<?php echo htmlentities($returnUrl) ?>">Return to Magento Administration</a>
If you prefer, you can comment it out instead. If you choose this approach, be sure to comment out both the HTML and the PHP. The final result should look like this:
<!--<a href="<?php //echo htmlentities($returnUrl) ?>">Return to Magento Administration</a>-->
Note that there is an HTML comment (<!-- -->) around the whole <a> tag as well as a PHP comment (//) blocking the echo statement that outputs your admin URL. If you forget the PHP comment, the admin URL is still sent to the browser: it is not rendered, but anyone can read it in the page source.
