Magento

eCommerce Software for Online Growth

CSRF Vulnerability in Web Applications (and how to avoid it in the Magento Admin)


A recent post on the artisansystem blog describes a hypothetical CSRF attack on a Magento admin. It is important to note that for this attack to be possible, the attacker must know the admin path (frontName). If the attacker does not know it, the attack results in a noroute and causes no harm.

The Magento Core Team identified this vulnerability a few months ago and, as a solution, introduced in previous releases a way to set a custom path to the administrative panel, both in the installation process and via the local configuration. Since this recent blog post puts at risk any Magento user who specified ‘admin’ as their path, we urge all users to specify a non-trivial alternative admin path that is known only to the people who need access to the admin panel.

Security is at the top of our priorities when it comes to our users, and we are constantly testing and resolving issues as we become aware of them. We recommend always running the latest Magento version so that your installation is up to date with any security updates. A new security-focused forum is now available to discuss such topics.

How to update admin path in an existing Magento installation

Disable all caches in System->Cache Management

In your app/etc/local.xml file, update the value under admin->routers->adminhtml->args->frontName to any custom value you wish your admin to run under.

Your resulting entry should look like this:

[image: the resulting frontName entry in app/etc/local.xml]
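As an added example (not part of the original post and not Magento's own code), this Python check reads the frontName node named in the step above and flags values that are easy to guess. The embedded XML is a constructed sample reduced to the admin router section; the value `backoffice_7f3k`, the `GUESSABLE` list and the minimum length are assumptions to adapt.

```python
import xml.etree.ElementTree as ET

# Constructed sample of app/etc/local.xml, reduced to the admin router section.
# "backoffice_7f3k" is a made-up value; choose your own.
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[backoffice_7f3k]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
"""

# Hypothetical list of easily guessed paths; extend it to match your own policy.
GUESSABLE = {"admin", "administrator", "backend", "adminhtml", "manage", "magento"}
FRONTNAME_XPATH = "./admin/routers/adminhtml/args/frontName"


def read_front_name(xml_text):
    """Return the configured admin frontName, or None if the node is absent."""
    node = ET.fromstring(xml_text).find(FRONTNAME_XPATH)
    if node is None or node.text is None:
        return None
    return node.text.strip()


def audit_front_name(xml_text, min_length=8):
    """Return a list of findings; an empty list means the path passed the checks."""
    name = read_front_name(xml_text)
    if not name:
        return ["frontName is not set in this file"]
    findings = []
    if name.lower() in GUESSABLE:
        findings.append("frontName %r is a commonly guessed admin path" % name)
    if len(name) < min_length:  # min_length is an assumed policy value
        findings.append("frontName %r is shorter than %d characters" % (name, min_length))
    return findings


if __name__ == "__main__":
    print(read_front_name(SAMPLE_LOCAL_XML), audit_front_name(SAMPLE_LOCAL_XML))
```

To check a real installation, pass the contents of app/etc/local.xml to `audit_front_name` instead of the sample string.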

UPDATE: Original post by artisansystems has been removed.


© Copyright 2010 Varien. Magento, eCommerce software, is a trademark of Irubin Consulting Inc. DBA Varien