Magento Forum

Page 1 of 2
CSRF change = Completely broken admin panel
 
theelman
Jr. Member
 
Total Posts:  29
Joined:  2008-08-26
 

Using Latest 1.2.1

Hi. I followed what was said, (e.g. admin to adminnew) and it did nothing.

I then went on the admin panel to see if there was anything I had to change there. There was an option for something very similar under config. I changed it to the same path name (e.g. Adminnew). It refreshed, and my entire admin now has no JavaScript, and the whole page looks like a sitemap, i.e. white background with listed bullet text.

It's completely messed up. If I click on anything it goes back to /index.php/admin/tax_rate/importExport/ for example, which brings a 404 error.

If I try to log in by typing in www.mysite.com/newadmin, it redirects to mysite.com/index.php/adminnew/adminnew/index.php/adminnew/dashboard/
Please help as I see no way back from this.

PremierWeb
Jr. Member
 
Total Posts:  16
Joined:  2009-02-18
 

Be sure to clear out anything in the var/cache folder and reset any other caching options you have. Also, clearing your browser cookies will help.

aarne
Sr. Member
 
Total Posts:  130
Joined:  2007-09-06
 

Please note that if you have the option “Add Store Code to Urls” on, this might not work, since this option adds the store code not only to the frontend but to the backend as well, so the URL becomes www.yoursite.com/admin/your_modified_admin_folder/

So in regard to this security risk, the option makes the admin panel available under /admin at least in some way.

I’ve reported this issue to bug tracker: http://www.magentocommerce.com/bug-tracking/issue?issue=5281

This security risk makes this bug more major in my opinion.

theelman
Jr. Member
 
Total Posts:  29
Joined:  2008-08-26
 

Is it possible to delete the contents of the cache folder via FTP? Would that be safe?

theelman
Jr. Member
 
Total Posts:  29
Joined:  2008-08-26
 

I’d rather I was hacked than this mess. I know it's my fault for changing it. But ARGH!!!

theelman
Jr. Member
 
Total Posts:  29
Joined:  2008-08-26
 

Another thing of note: it says “This page requires AC_RunActiveContent.js” in a pop-up when I “log on”.

theelman
Jr. Member
 
Total Posts:  29
Joined:  2008-08-26
 

I THINK I can solve it. Where are the files you edit in System / Config / Advanced / Admin?

Cigar Joe
Jr. Member
 
Total Posts:  29
Joined:  2009-01-27
 

Initially I was truly impressed with Magento, but now, after 2 months of pure hell, I’m not sure what I got myself into.

Every update is pure hell, and it seems that just as I get all of the integration working Varien releases another bug-ridden mess to contend with.

So today I see the message ‘Security’; this is something I MUST address. It seems SO SIMPLE. But of course it is not.

My cache control on the backend is OFF
I cleared the image cache just for good measure
I went to var/cache and deleted all of the directories
I made the simple change in local.xml
Deleted – Temporary Internet Files, Cookies, History, Form Data, and Passwords from my browser
I re-booted my desktop

All ready, right? WRONG.

Brought up the admin panel, logged in, and 404 error.
Luckily, when I change back to the original ‘admin’ it works.
Signed, Frustrated. Back to where I started, another 2 hours of my day wasted and the project is behind again.

theelman
Jr. Member
 
Total Posts:  29
Joined:  2008-08-26
 

At least you have an admin panel that works! I have nothing. Please, can anyone shed some light on this?

Using my sitemap-style admin panel with no CSS or JS, I can see the Admin Base URL setting that I changed and caused this mess with, but I can't change it back to “no”, as the button doesn't work with no CSS or JS.

PLEASE!! Anyone?!

darryla
Member
 
Total Posts:  52
Joined:  2008-07-08
 

This may be of help to some; it's much of what is available in lots of locations in French, put into one post in English. Hope it is of help to some:

Magento Expert: CSRF Vulnerability - Solution in English

stelio
Jr. Member
 
Total Posts:  7
Joined:  2008-10-15
 

WTF!!!!!!!!!

It not only broke the admin panel, but the whole site is down.
I tried changing the local.xml back to the original version, nothing.
I tried clearing the var/cache directory, nothing.
I tried clearing my browser’s history/bookmarks/passwords/etc., nothing.

About the only thing that has any kind of effect is removing the local.xml file; then when I visit the site it acts as though Magento was never loaded and wants to start a new install.

Stelio

theelman
Jr. Member
 
Total Posts:  29
Joined:  2008-08-26
 

I’m glad I'm not the only one. Still have the same problem. Please, will some Magento Admin put some input in here?

stelio
Jr. Member
 
Total Posts:  7
Joined:  2008-10-15
 

There are two places to read error logs. One is in Magento at var/report. You will need to FTP to your site and download the latest report file. Open it with a text viewer and see what it says.

The other location is your webhost’s error logs. If you have admin access to your webhost account, look for an Error Log icon or any link that says error log.

Between these two locations you should be able to find clues as to why your Magento install is not working.

My problem was that the local.xml file that I uploaded somehow had the wrong SQL database info (i.e. db name, db user, db password). As such, the Magento program could not connect to the database at startup.

Hope this helps.
Stelio

theelman
Jr. Member
 
Total Posts:  29
Joined:  2008-08-26
 

RE: Stelio.

Nope, nothing. Unrelated errors only.

What I somehow need to find is a way to get that button working again, or find where the files are that you edit in System / Config / Advanced / Admin.

Does anyone know this?

R2D2
Jr. Member
 
Total Posts:  4
Joined:  2009-02-15
 

Hello.

I made exactly the same “mistake” theelman did. I solved it by following this:

1) Restore the name admin (app/etc/local.xml) in <frontName><![CDATA[admin]]></frontName>, just like it was originally.
2) Go to the database and find the table “core_config_data”. In this table:
a) Search for admin/url/use_custom and set the value to 0.
b) Search for admin/url/custom and set the value to 0.
c) Erase the 2 latest values added to this table: unsecure/base_url and unsecure/base_url (with scope = “stores”).
Those two lines are created when setting “Use custom admin URL” from the control panel.
3) Erase the contents of the “cache” folder in var/cache.
4) Erase the contents of the “session” folder in var/session.
5) Erase your browser cookies.
6) Now try your usual admin panel URL (i.e. http://yourdomain.com/admin).

That worked for me. I hope it works for you too.

Greetings.

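The database part of the recovery above, written out as SQL you can paste into phpMyAdmin or the mysql client. This is an added example, not R2D2's own queries and not code shipped by Magento. It assumes a Magento 1.x database with no table prefix (the table is core_config_data) and that the rows created by "Use custom admin URL" are the store-scoped base_url rows, which Magento 1 stores under the paths web/unsecure/base_url and web/secure/base_url at scope "stores", scope_id 0 (the admin store); where R2D2 sets admin/url/custom to 0, this example blanks it, which is what the admin form saves when the field is empty. Run the SELECT first and check that only the expected rows come back before running the UPDATE and DELETE statements; the default-scope base_url rows are your real shop URLs and must not be touched. Afterwards, restore the admin frontName in app/etc/local.xml and clear var/cache, var/session and your browser cookies, as in the post.

```sql
-- Added example (not from the forum post or from Magento itself).
-- Assumes: Magento 1.x, no table prefix, custom-admin-URL rows at
-- scope 'stores' / scope_id 0. If your install uses a prefix, change
-- core_config_data to e.g. mage_core_config_data throughout.

-- 1. Inspect before changing anything: these are the only rows the
--    "Use custom admin URL" setting should have created or modified.
SELECT config_id, scope, scope_id, path, value
  FROM core_config_data
 WHERE path LIKE 'admin/url/%'
    OR path LIKE 'web/%/base_url'
 ORDER BY scope, scope_id, path;

-- 2. Turn the custom admin URL off and clear the URL it pointed at.
START TRANSACTION;

UPDATE core_config_data
   SET value = '0'
 WHERE path = 'admin/url/use_custom';

UPDATE core_config_data
   SET value = ''
 WHERE path = 'admin/url/custom';

-- 3. Remove only the store-scoped overrides written for the admin
--    store. Rows with scope = 'default' are the shop's real base URLs
--    and are deliberately excluded by the WHERE clause.
DELETE FROM core_config_data
 WHERE scope = 'stores'
   AND scope_id = 0
   AND path IN ('web/unsecure/base_url', 'web/secure/base_url');

COMMIT;

-- 4. Verify: no 'stores'-scoped base_url rows should remain, and
--    admin/url/use_custom should now read 0.
SELECT config_id, scope, scope_id, path, value
  FROM core_config_data
 WHERE path LIKE 'admin/url/%'
    OR (path LIKE 'web/%/base_url' AND scope = 'stores');
```

If the first SELECT shows more store-scoped base_url rows than the two for scope_id 0 (for example because "Add Store Code to Urls" or a multi-store setup has its own overrides), leave those alone and delete only the admin-store pair; the transaction lets you ROLLBACK instead of COMMIT if the row counts reported by the UPDATE or DELETE are not what you expected.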
theelman
Jr. Member
 
Total Posts:  29
Joined:  2008-08-26
 

OK, I'm in the database, but I can't find what you said.
