
Magento Forum

Page 1 of 4
admin path does not change after altering local.xml…
 
rwone
Sr. Member
 
Total Posts:  174
Joined:  2009-02-12
 

re: CSRF Vulnerability in Web Applications (and how to avoid it in the Magento Admin)

I followed the instructions and changed, for example:

<admin>
    <routers>
        <adminhtml>
            <args>
                <frontName><![CDATA[admin]]></frontName>
            </args>
        </adminhtml>
    </routers>
</admin>

to:

<admin>
    <routers>
        <adminhtml>
            <args>
                <frontName><![CDATA[somethingelse]]></frontName>
            </args>
        </adminhtml>
    </routers>
</admin>

and the path to admin did not change; I got a 404 error when entering sitename.com/store/somethingelse

Magento ver. 1.2.1

Any ideas?

Thank you :)

 
 
SaveInstant
Member
 
Total Posts:  31
Joined:  2008-11-17
Calgary
 

I have a similar problem:

I changed it to:

<frontName><![CDATA[newfolder/admin]]></frontName>

and the website still logs in at www.website/admin

 
 
SaveInstant
Member
 
Total Posts:  31
Joined:  2008-11-17
Calgary
 

Also tried:

<frontName><![CDATA[notadminnot]]></frontName>

and the website still logs in with

website.com/admin

and 404 error with

website.com/notadminnot

 
 
tmargraf
Jr. Member
 
Total Posts:  11
Joined:  2008-03-07
 

I tried it and it works. But my Cache is deactivated. Could this be your problem?

 
 
rwone
Sr. Member
 
Total Posts:  174
Joined:  2009-02-12
 

Do you mean a cache in Magento? Is it possible to clear this cache? And can doing so muck up any other settings, SEO etc.?

Thank you!

 
 
tmargraf
Jr. Member
 
Total Posts:  11
Joined:  2008-03-07
 

You can clear the cache in the Magento backoffice in the System section. Or you can delete the cache directories at var/cache.

 
 
Antonio_
Member
 
Total Posts:  51
Joined:  2007-11-26
Italy
 

Done! Working... just refresh the cache and whizz! New admin path.

 
 
rwone
Sr. Member
 
Total Posts:  174
Joined:  2009-02-12
 

Yes, thanks for the tip tmargraf, worked for me too, cool :)

 
 
B00MER
Sr. Member
 
Total Posts:  130
Joined:  2007-12-27
DFW, TX
 

Now if only you could somehow password-protect the new URL as well; that would be the ideal secure solution if you ask me.

 
 
Fibo
Sr. Member
 
Total Posts:  107
Joined:  2008-06-25
Marseille, France
 

I beg to differ, but changing the admin path IS NOT the solution to the problem.

Why:
- it does not rely on programmed security
- but just on hiding dangerous URLs

.... which, by the way, could be discovered by just looking at your robots.txt if it is well done.

Protecting /admin/ by .htaccess would also be a solution… except that some updates from Varien will change it back to some non-protective setup.

The real solution is to patch the 3 single points of failure, those where data is entered as an assumed login or email and used without being sanitized…

Presumably, since security is high on Varien’s displayed priorities, these 3 patches should be released within hours…

In the meantime,
- don’t lose time and temper trying to change your admin path....
- temporarily install the patches suggested on a French site as exhibited at http://www.fragento.org/Bugs/9509-SECURITE-3-failles-XSS-dans-Magento-patchez.html#9509.

 
 
Pixxa
Sr. Member
 
Total Posts:  275
Joined:  2008-10-23
 
Fibo - 27 February 2009 01:56 AM

I beg to differ, but changing the admin path IS NOT the solution to the problem.

Why:
- it does not rely on programmed security
- but just on hiding dangerous URLs

.... which, by the way, could be discovered by just looking at your robots.txt if it is well done.

Protecting /admin/ by .htaccess would also be a solution… except that some updates from Varien will change it back to some non-protective setup.

The real solution is to patch the 3 single points of failure, those where data is entered as an assumed login or email and used without being sanitized…


Presumably, since security is high on Varien’s displayed priorities, these 3 patches should be released within hours…

In the meantime,
- don’t lose time and temper trying to change your admin path....
- temporarily install the patches suggested on a French site as exhibited at http://www.fragento.org/Bugs/9509-SECURITE-3-failles-XSS-dans-Magento-patchez.html#9509.

I totally agree on this subject!

 
 
jerwood
Member
 
Total Posts:  42
Joined:  2009-01-09
 

I tried changing mine in the admin backoffice section and as soon as I selected the new custom path, I got a 404 error. Then I went into the local.xml file and it said this:

<admin>
    <routers>
        <adminhtml>
            <args>
                <frontName><![CDATA[admin]]></frontName>
            </args>
        </adminhtml>
    </routers>
</admin>

So, now what? I can’t log in to my admin site. Was something else changed when I told the System > Configuration > Admin settings that I wanted a custom admin path?

Can anyone help me? I really am quite upset about this. Oh, and my cache is disabled.

Thank you.

 
 
Antonio_
Member
 
Total Posts:  51
Joined:  2007-11-26
Italy
 

I partially agree…
For sure the best solution is the patch, but making it a bit more difficult for hackers to bother us with brute-force attacks isn’t bad at all. It is the same reason why we (sysadmins) change the default port of FTP or SSH, or are pushed to make crazy passwords. Any kind of protection, easy or hard, is protection…
Thank you for the link, I will check the patches.

Pixxa - 27 February 2009 04:16 AM

Fibo - 27 February 2009 01:56 AM
I beg to differ, but changing the admin path IS NOT the solution to the problem.

Why:
- it does not rely on programmed security
- but just on hiding dangerous URLs

.... which, by the way, could be discovered by just looking at your robots.txt if it is well done.

Protecting /admin/ by .htaccess would also be a solution… except that some updates from Varien will change it back to some non-protective setup.

The real solution is to patch the 3 single points of failure, those where data is entered as an assumed login or email and used without being sanitized…


Presumably, since security is high on Varien’s displayed priorities, these 3 patches should be released within hours…

In the meantime,
- don’t lose time and temper trying to change your admin path....
- temporarily install the patches suggested on a French site as exhibited at http://www.fragento.org/Bugs/9509-SECURITE-3-failles-XSS-dans-Magento-patchez.html#9509.

I totally agree on this subject!

 
 
davidgrun
Sr. Member
 
Total Posts:  245
Joined:  2008-07-10
 

I changed local.xml, refreshed admin and nothing changed (because of cache),
so I changed the admin URL path in the admin panel,
deleted the cache, and I can get into the admin panel but without CSS and JS,
so I changed local.xml back to admin, deleted the cache and refreshed;
still I can’t see the CSS and the JS doesn’t load.
I don’t know if I need to go into the DB and change something back to ‘admin’.

Got a clue where that information might be in the database??

Please help!!!
Thanks

 
 
Antonio_
Member
 
Total Posts:  51
Joined:  2007-11-26
Italy
 

Sorry to re-post.
I checked the link and I’m wondering why the guys from the Magento team are not fixing it!
Does someone better than me in French want to translate it and put it in the wiki?

Good work, French community!

UPDATE: opened a bug - Issue #11232

 
 
davidgrun
Sr. Member
 
Total Posts:  245
Joined:  2008-07-10
 

Translation from the French (just the steps)

Patches

1) For Downloader:  downloader\Maged\Model\Session.php
At line 58

Replace code:

if (!empty($_GET['return'])) {
    $this->set('return_url', $_GET['return']);
}

With:

if (!empty($_GET['return'])) {
    $this->set('return_url', htmlentities($_GET['return']));
}

2) Login page: app\design\adminhtml\default\default\template\login.phtml
line: 54

Replace code :

value="<?php echo $username ?>"

With:

value="<?php echo htmlentities($username) ?>"

3) app\design\adminhtml\default\default\template\forgotpassword.phtml
Line: 57

Replace code :

value="<?php echo $email?>"

With:

value="<?php echo htmlentities($email) ?>"
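Added here as an example (not code from the thread or from Magento): a small POSIX shell check that reports whether the three files listed above still contain the unescaped echo that each patch step replaces. It uses the file paths from the post as given; the sample install tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from Magento: report whether the three
# files named in the post still contain the unescaped echoes that the patch
# wraps in htmlentities(). Return code = number of files that look unpatched.
check_admin_xss_patches() {
    root="$1"
    unpatched=0
    # Each line: relative path | ERE that must no longer match once patched.
    # The heredoc delimiter is quoted so the patterns reach grep unexpanded.
    while IFS='|' read -r rel pattern; do
        file="$root/$rel"
        if [ ! -f "$file" ]; then
            echo "MISSING   $file"
        elif grep -Eq "$pattern" "$file"; then
            echo "UNPATCHED $file"
            unpatched=$((unpatched + 1))
        else
            echo "patched   $file"
        fi
    done <<'EOF'
downloader/Maged/Model/Session.php|set\('return_url', *\$_GET\['return']\)
app/design/adminhtml/default/default/template/login.phtml|echo \$username[[:space:]]*[?]>
app/design/adminhtml/default/default/template/forgotpassword.phtml|echo \$email[[:space:]]*[?]>
EOF
    return "$unpatched"
}

# Constructed sample tree standing in for a Magento 1.2.x install (not a real
# one): login.phtml is left unpatched, the other two files carry the post's fix.
make_sample_tree() {
    root=$(mktemp -d)
    tpl="$root/app/design/adminhtml/default/default/template"
    mkdir -p "$root/downloader/Maged/Model" "$tpl"
    echo "\$this->set('return_url', htmlentities(\$_GET['return']));" \
        > "$root/downloader/Maged/Model/Session.php"
    echo 'value="<?php echo $username ?>"' > "$tpl/login.phtml"
    echo 'value="<?php echo htmlentities($email) ?>"' > "$tpl/forgotpassword.phtml"
    echo "$root"
}

# Run against a real install when a path is given, e.g. ./check.sh /var/www/magento
if [ -n "$1" ]; then
    check_admin_xss_patches "$1"
fi
```

A non-zero exit status means at least one of the three files still matches the pre-patch pattern and should be inspected by hand.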
 