Magento Forum

Page 2 of 4
admin path does not change after altering local.xml…
 
Mage4Frank
Jr. Member
 
Total Posts:  18
Joined:  2008-09-13
Düsseldorf, NRW, Germany
 

It’s in table core_config_data. Search for admin/url/use_custom.

But I wouldn’t touch it. I killed my test-system by playing around there. ;)

 
 
davidgrun
Sr. Member
 
Total Posts:  245
Joined:  2008-07-10
 

@Mage4Frank

Thanks for that!
I found it in the db and changed back
admin/url/use_custom 0
admin/url/custom admin/
and local is also [admin]

cleared cache on the server and local and still tries to go to www.myPage.com/custo_admin
the result is either 404 or login page without css and JS.

Where else should I be touching??? How weird.

Thanks!

 
 
darryla
Member
 
Total Posts:  52
Joined:  2008-07-08
 

As above, in more detail:

Magento Expert: CSRF Vulnerability - Solution in English

 
 
fsens
Jr. Member
 
Total Posts:  1
Joined:  2009-02-27
Paris, France
 

@davidgrun

I had the same problem, just got rid of it by deleting the 2 latest values added in db (core_config_data) after line “url/custom” => unsecure/base_url & secure/base_url, with scope = “stores”, not “default”.

edit: those 2 values were added by magento when setting “Use custom admin URL” (admin/url/use_custom) to “yes” via the admin panel.

 
 
B00MER
Sr. Member
 
Total Posts:  130
Joined:  2007-12-27
DFW, TX
 
Fibo - 27 February 2009 01:56 AM

In the meantime,
- don’t lose time and temper trying to change your admin path....
- temporarily install the patches suggested on a French site as exhibited at http://www.fragento.org/Bugs/9509-SECURITE-3-failles-XSS-dans-Magento-patchez.html#9509.

Changing the admin path I admit isn’t a fix for this issue, however it IS a preventative measure.

While the patch listed does fix the exploit that was found, it won’t protect you against any future exploits, particularly in the admin.  Adding an Apache-based password protection to the rewritten “admin” URL would be the best measure to add an extra layer of security to Magento’s back office functionality.

The best approach from a security standpoint with ANY application is to be proactive and NOT reactive.

 
 
davidgrun
Sr. Member
 
Total Posts:  245
Joined:  2008-07-10
 

@fsens

THANKS!! it did the trick.

 
 
GelbachDesigns
Jr. Member
 
Total Posts:  8
Joined:  2009-02-13
 

I had the same problem with dropping Varien science on my Magento installation.
Hit like a bomb.

Awesome thing is, this time at least, the storefront is still visible.

I’ve tried multiple tips from multiple forums and to no avail, 404 upon admin entry. (this is having given up on security and trying to tuck tail and run back to ‘admin’)

The entries in the DB mentioned in this post aren’t showing up for me.

Any other ideas on how to get back to the functional back-end point? I’m a few hours into it and stumped.

 
 
stelio
Jr. Member
 
Total Posts:  7
Joined:  2008-10-15
 

A 404 error should be getting logged in your web server’s error logs. If you have access to the log you might get an insight as to what file or lack of permission is causing the error.

Stelio

 
 
jerwood
Member
 
Total Posts:  42
Joined:  2009-01-09
 

Deleting those last two database lines did it for me!

Before that, I removed the value in

admin/url/custom
And, I entered 0 in the field:
admin/url/use_custom

Now I’m running like before I played around with that custom admin field!

 
 
Cigar Joe
Jr. Member
 
Total Posts:  29
Joined:  2009-01-27
 

Does anyone have any idea what to do about the 404 error?

Database core_config_data -
admin/url/custom=""
admin/url/use_custom=0

1. Logged in to back-end under the existing admin user and deleted cache
2. Site is still under development and cache has never been turned on but did it anyway
3. Deleted all sub-directories under var/cache
4. Updated local.xml as told (I have tried many, many values, including adding a single character to admin such as adminn)
5. Went to my browser and deleted Temporary Internet Files, Cookies, history, Form data, and Passwords.
6. Re-booted my workstation
7. Typed the URL for my new Admin
8. I was given the screen to enter userid and password
9. Entered values and received 404 error (for the 100th time/ for my 100 attempts to do this)

If I go to local.xml and replace my value with admin everything seems to be back to normal. In other words I do not receive the 404 error.

Frustrated - Total time spent over 2 days = 4 hours (am I really this stupid !)

 
 
Gabriiiel
Guru
 
Total Posts:  563
Joined:  2008-04-29
France - Paris
 

@ B00MER

While the patch listed does fix the exploit that was found, it won’t protect you against any future exploits, particularly in the admin.  Adding an Apache-based password protection to the rewritten “admin” URL would be the best measure to add an extra layer of security to Magento’s back office functionality.

The best approach from a security standpoint with ANY application is to be proactive and NOT reactive.

Thanks for your heads up but this is exactly what the Fragento.org community is saying. Please read the end of the subject on Fragento.org

@ davidgrun & Turistiamo : you’re welcome !

 
 
davidnest
Jr. Member
 
Total Posts:  4
Joined:  2008-08-26
 

I was looking under Admin Base URL with the fields “use custom admin url” (yes or no) and “custom Admin url”. Mine is set to “no”. Is this important? Do I need to change this before I edit the files? And why can’t you just change the admin in the backend? Why do you need to go through the process of editing files? Has anyone tried it?

 
 
sysk
Member
 
Total Posts:  56
Joined:  2008-04-14
 
Cigar Joe - 28 February 2009 01:09 PM

Does anyone have any idea what to do about the 404 error?

Database core_config_data -
admin/url/custom=""
admin/url/use_custom=0

1. Logged in to back-end under the existing admin user and deleted cache
2. Site is still under development and cache has never been turned on but did it anyway
3. Deleted all sub-directories under var/cache
4. Updated local.xml as told (I have tried many, many values, including adding a single character to admin such as adminn)
5. Went to my browser and deleted Temporary Internet Files, Cookies, history, Form data, and Passwords.
6. Re-booted my workstation
7. Typed the URL for my new Admin
8. I was given the screen to enter userid and password
9. Entered values and received 404 error (for the 100th time/ for my 100 attempts to do this)

If I go to local.xml and replace my value with admin everything seems to be back to normal. In other words I do not receive the 404 error.

Frustrated - Total time spent over 2 days = 4 hours (am I really this stupid !)

same problem here :(

 
 
B00MER
Sr. Member
 
Total Posts:  130
Joined:  2007-12-27
DFW, TX
 
davidgrun - 27 February 2009 06:55 AM

Translation from the french (just the steps)

Patches

1) For Downloader:  downloader\Maged\Model\Session.php
At line 58

Replace code:

if (!empty($_GET['return'])) {
    $this->set('return_url', $_GET['return']);
}

With :

if (!empty($_GET['return'])) {
    $this->set('return_url', htmlentities($_GET['return']));
}


2) Login page: app\design\adminhtml\default\default\template\login.phtml
line: 54

Replace code :

value="<?php echo $username ?>"

With:

value="<?php echo htmlentities($username) ?>"


3) app\design\adminhtml\default\default\template\forgotpassword.phtml
Line: 57

Replace code :

value="<?php echo $email?>"

With:

value="<?php echo htmlentities($email) ?>"

Appears the latest 1.2.1.2 release includes similar patches to the above…

http://www.magentocommerce.com/downloads/assets/1.2.1.2/1.2.1.1-1.2.1.2.diff

Can anyone confirm, it looks to be very similar code touching similar files, just a different approach?
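
The three patches translated above all encode a request value before it is written into a double-quoted HTML attribute. The sketch below is an added example, not Magento code and not part of the original post: it uses htmlspecialchars() with explicit flags in place of the bare htmlentities() call, and the function names and the submitted string are constructed for illustration.

```php
<?php
// Added illustration, not Magento source. Function names are hypothetical.

// Pre-patch pattern: the request value goes into the attribute unescaped.
function field_unpatched(string $value): string
{
    return '<input type="text" name="username" value="' . $value . '" />';
}

// Patched pattern with flags and charset made explicit. ENT_QUOTES also
// encodes single quotes, which htmlentities() skips by default before PHP 8.1.
function field_patched(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="username" value="' . $safe . '" />';
}

// Parse the markup with an HTML parser and report what the input's value
// attribute holds and how many elements the fragment produced.
function inspect(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate malformed markup quietly
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $body  = $doc->getElementsByTagName('body')->item(0);
    $input = $doc->getElementsByTagName('input')->item(0);
    return [
        'value'    => $input->getAttribute('value'),
        'elements' => $body->getElementsByTagName('*')->length,
    ];
}

// Constructed input: a double quote closes the attribute, then adds markup.
$submitted = 'bob"><b id="injected">x</b>';

foreach (['unpatched' => field_unpatched($submitted),
          'patched'   => field_patched($submitted)] as $label => $html) {
    $r = inspect($html);
    // "intact" is true only when the parser sees the whole submitted string
    // as attribute data, i.e. nothing escaped from the value="..." context.
    printf("%-9s value=%s elements=%d intact=%s\n", $label,
        var_export($r['value'], true), $r['elements'],
        var_export($r['value'] === $submitted, true));
}
```

Because the bare htmlentities() call leaves single quotes alone on PHP versions before 8.1, the patch as posted depends on the templates keeping their attributes in double quotes.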

 
 
B00MER
Sr. Member
 
Total Posts:  130
Joined:  2007-12-27
DFW, TX
 
sysk - 03 March 2009 07:56 PM

same problem here :(

Look for /app/etc/local.xml.template

Look for the following:

<admin>
    <routers>
        <adminhtml>
            <args>
                <frontName>{{admin_frontname}}</frontName>
            </args>
        </adminhtml>
    </routers>
</admin>

Replace {{admin_frontname}} with <![CDATA[whateveradminurlyouwant]]>

Then copy this segment in /app/etc/local.xml after </global>

Be sure and disable ALL cache in the admin, like the original post mentions.  (this includes the checkboxes, not JUST the drop down to disable)

Looking at my admin->system->configuration->admin->"Admin Base URL” is set to “No” and this change works fine for me.  I did such with 1.2.1.2.

Hope this helps. ;)
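
The two places this thread keeps returning to are the frontName node in app/etc/local.xml and the admin URL rows in core_config_data. The check below is an added example, not Magento code and not from any poster: audit_admin_url() is a hypothetical helper, the XML and rows are constructed sample data, and treating stores-scope base_url rows as leftovers when use_custom is 0 is an assumption taken from fsens' report above.

```php
<?php
// Added illustration, not Magento source. audit_admin_url() is a hypothetical
// helper; the XML and rows below are constructed sample data.

function audit_admin_url(string $localXml, array $rows): array
{
    $findings = [];

    // frontName lives at config/admin/routers/adminhtml/args in local.xml.
    $cfg  = simplexml_load_string($localXml, 'SimpleXMLElement', LIBXML_NOCDATA);
    $hits = ($cfg !== false)
        ? $cfg->xpath('/config/admin/routers/adminhtml/args/frontName') : [];
    $frontName = $hits ? trim((string) $hits[0]) : '';
    if ($frontName === '' || strpos($frontName, '{{') !== false) {
        $findings[] = 'local.xml: frontName missing or still a template placeholder';
    }

    // Default-scope switch for the "Use custom admin URL" setting.
    $useCustom = '0';
    foreach ($rows as $r) {
        if ($r['scope'] === 'default' && $r['path'] === 'admin/url/use_custom') {
            $useCustom = (string) $r['value'];
        }
    }

    // Assumption from the thread: with use_custom off, stores-scope base_url
    // rows are leftovers to review (multi-store sites may have legitimate ones).
    foreach ($rows as $r) {
        if ($useCustom === '0' && $r['scope'] === 'stores'
            && substr($r['path'], -15) === 'secure/base_url') {
            $findings[] = sprintf('core_config_data: review %s scope_id=%d value=%s',
                $r['path'], $r['scope_id'], $r['value']);
        }
    }
    return $findings;
}

$localXml = '<config><global/><admin><routers><adminhtml><args>'
          . '<frontName><![CDATA[backoffice_example]]></frontName>'
          . '</args></adminhtml></routers></admin></config>';

$rows = [ // shape of: SELECT scope, scope_id, path, value FROM core_config_data
    ['scope' => 'default', 'scope_id' => 0, 'path' => 'admin/url/use_custom',  'value' => '0'],
    ['scope' => 'default', 'scope_id' => 0, 'path' => 'admin/url/custom',      'value' => ''],
    ['scope' => 'stores',  'scope_id' => 0, 'path' => 'web/unsecure/base_url', 'value' => 'http://shop.example/custom_admin/'],
    ['scope' => 'stores',  'scope_id' => 0, 'path' => 'web/secure/base_url',   'value' => 'http://shop.example/custom_admin/'],
];

print_r(audit_admin_url($localXml, $rows));
```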

 