Magento Forum

Do extensions compromise admin security? 
 
Periculi
Sr. Member
 
Total Posts:  249
Joined:  2009-02-03
 

When the notice went out about an admin security issue (CSRF vulnerability), one of the first things mentioned was to change the URL of the admin login (security through obscurity).  How does that stand against the standard method of extending the admin panel for extensions?  From what I see on my test server, I can access the admin panel through the usual /admin (well, the usual now being something like /secret_console34fdltT so that it’s not just /admin) but also through each and every extension’s own little admin access.

For example:
The usual generic admin access: index.php/admin
A module admin access: index.php/module/adminhtml_module/
Another module access: index.php/module/manage_module/
...and so on for each extension.
On the frontend, I can access the admin login through any one of those urls!

So does extending Magento create a security weakness?  How are we supposed to add changes to the admin panel that don’t create a 2nd, 3rd, or Nth admin access via the extension’s own adminhtml?

How do we go about keeping the admin panel accessible only through the designated url when adding extensions? 

All the extensions in Magento Connect that I have used, and I have added a bunch, have this same structure for accessing the admin.  Does that make all of them potentially a weak link in the admin security?
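The extra entry points described in the post come from the Magento 1 config.xml routing layout: an extension that declares its own router under `<admin><routers>` with its own `<frontName>` gets a second path into the admin login, while an extension that attaches its controllers to the existing `adminhtml` router (the `<modules>` / `before="Mage_Adminhtml"` pattern) is only reachable under whatever front name the store has given that router in local.xml. The script below is an added example written for this page, not code from the thread or from Magento; the module names Example_Extra and Example_Attached and the three config fragments are constructed for illustration, and the front name `secret_console34fdltT` simply echoes the post. It walks the `<admin><routers>` section of each config, reports the designated admin front name, flags any other router that claims a front name (an extra admin URL), and lists modules that are safely attached to the adminhtml router.

```python
import xml.etree.ElementTree as ET

# Three constructed config fragments (not taken from any real extension or from
# the thread), in the Magento 1 config.xml layout:
#   local.xml        : the store's renamed admin front name
#   Example_Extra    : an extension that declares its OWN admin router and front
#                      name, which is the "2nd, 3rd, or Nth admin access" pattern
#   Example_Attached : an extension that attaches its controllers to the existing
#                      adminhtml router, so it is only reachable under the renamed
#                      admin front name
CONSTRUCTED_CONFIGS = {
    "app/etc/local.xml": """
<config>
  <admin>
    <routers>
      <adminhtml>
        <args>
          <frontName>secret_console34fdltT</frontName>
        </args>
      </adminhtml>
    </routers>
  </admin>
</config>""",
    "app/code/community/Example/Extra/etc/config.xml": """
<config>
  <admin>
    <routers>
      <example_extra>
        <use>admin</use>
        <args>
          <module>Example_Extra</module>
          <frontName>extra</frontName>
        </args>
      </example_extra>
    </routers>
  </admin>
</config>""",
    "app/code/community/Example/Attached/etc/config.xml": """
<config>
  <admin>
    <routers>
      <adminhtml>
        <args>
          <modules>
            <example_attached before="Mage_Adminhtml">Example_Attached_Adminhtml</example_attached>
          </modules>
        </args>
      </adminhtml>
    </routers>
  </admin>
</config>""",
}


def audit_admin_routers(configs):
    """Walk <admin><routers> in each config and classify every router entry.

    Returns a dict with:
      admin_front_names  : {frontName: [file, ...]} for the adminhtml router itself
      extra_entry_points : [(file, routerName, frontName, module)] for routers
                           that open their own URL onto the admin login
      attached_modules   : [(file, moduleName)] for modules hung off the
                           adminhtml router, which therefore share its front name
    """
    result = {"admin_front_names": {}, "extra_entry_points": [], "attached_modules": []}
    for path, xml_text in configs.items():
        root = ET.fromstring(xml_text.strip())
        for router in root.findall("./admin/routers/*"):
            args = router.find("args")
            front = args.findtext("frontName") if args is not None else None
            if router.tag == "adminhtml":
                if front:
                    result["admin_front_names"].setdefault(front, []).append(path)
                if args is not None:
                    for mod in args.findall("./modules/*"):
                        result["attached_modules"].append((path, (mod.text or "").strip()))
            else:
                # Any other router under <admin> that claims a front name is one
                # more URL prefix on which the admin login page will answer.
                module = args.findtext("module") if args is not None else None
                result["extra_entry_points"].append((path, router.tag, front, module))
    return result


def admin_url_prefixes(audit, base="index.php"):
    """Every URL prefix on which the admin login is reachable, designated one first."""
    urls = [f"{base}/{fn}/" for fn in audit["admin_front_names"]]
    urls += [f"{base}/{fn}/" for (_, _, fn, _) in audit["extra_entry_points"] if fn]
    return urls


if __name__ == "__main__":
    report = audit_admin_routers(CONSTRUCTED_CONFIGS)
    print("designated admin front name(s):", report["admin_front_names"])
    for path, router, front, module in report["extra_entry_points"]:
        print(f"EXTRA admin entry point /{front}/ via router <{router}> ({module}) in {path}")
    for path, module in report["attached_modules"]:
        print(f"ok: {module} attached to the adminhtml router in {path}")
    print("admin login reachable at:", admin_url_prefixes(report))
```

To run it against a real install, replace the constructed dictionary with the contents of app/etc/local.xml plus every app/code/*/*/*/etc/config.xml. The check only sees what is declared in config.xml; it will not notice a controller that an extension has dropped under a frontend router, so treat a clean report as necessary, not sufficient. The remediation for a flagged extension is the Example_Attached shape: move its admin controllers under the adminhtml router so they inherit the renamed front name instead of publishing their own.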

 
 
lisali
Enthusiast
 
Total Posts:  889
Joined:  2008-04-28
London, UK
 

I still have no idea why admin is not a physical directory that can be protected with .htaccess?

All these solutions like custom admin URL etc. are vulnerable to exploits.

A bit disappointing that this issue has not been addressed by Varien.
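The admin path is routed through index.php rather than served from a directory, so a `<Directory>`-style .htaccess cannot be dropped onto it, but the request path can still be matched with mod_rewrite in the site-root .htaccess before Magento's own rewrite to index.php runs. The fragment below is an added example written for this page, not from the thread or from Magento; the front name `secret_console34fdltT` echoes the first post and the address 203.0.113.10 is a constructed placeholder for an office or VPN address. Note the caveat raised in the first post: this only covers the designated front name, so every extra front name an extension declares needs its own rule (or, better, the extension needs to be attached to the adminhtml router instead).

```apache
# Site-root .htaccess: deny the admin front name to everyone except one address.
# Place this ABOVE the existing rule that rewrites requests to index.php, since
# the [L] on that rule would otherwise stop processing before this is reached.
RewriteEngine On

# Match both URL forms Magento answers on: /secret_console34fdltT/ and
# /index.php/secret_console34fdltT/ (per-directory context, so no leading slash).
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule ^(index\.php/)?secret_console34fdltT(/|$) - [F,L]

# Each extra admin front name an extension publishes needs the same treatment;
# "extra" here is a constructed example name, not a real module.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule ^(index\.php/)?extra(/|$) - [F,L]
```

Behind a reverse proxy or CDN, `%{REMOTE_ADDR}` is the proxy's address, so the condition would have to be built on the forwarded client address instead; otherwise the rule either blocks everyone or no one.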

 