When the notice went out about an admin security issue (CSRF vulnerability), one of the first things mentioned was to change the URL of the admin login (security through obscurity). How does that stand against the standard method of extending the admin panel for extensions? From what I see on my test server, I can access the admin panel through the usual /admin (well, the usual now being something like /secret_console34fdltT so that it's not just /admin) but also through each and every extension's own little admin access.
The usual generic admin access: index.php/admin
A module admin access: index.php/module/adminhtml_module/
Another module access: index.php/module/manage_module/
...and so on for each extension.
On the frontend, I can access the admin login through any one of those URLs!
So does extending Magento create a security weakness? How are we supposed to add changes to the admin panel that don't create a 2nd, 3rd, or Nth admin access via the extension's own adminhtml?
How do we go about keeping the admin panel accessible only through the designated url when adding extensions?
All the extensions in Magento Connect that I have used, and I have added a bunch, have this same structure for accessing the admin. Does that make all of them potentially a weak link in the admin security?
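As an added illustration (not part of the question or of any specific extension), the two Magento 1 `etc/config.xml` router declarations below show where the extra admin entry points come from and how an extension can avoid creating one; `Vendor_Module` and the `module` frontName are placeholders.

```xml
<!-- Added example, not from the original post. -->
<config>
  <admin>
    <routers>
      <!-- WEAK PATTERN: the extension registers its own admin router with
           its own frontName. Magento then serves the admin login at
           index.php/module/... in addition to the designated admin path,
           so renaming /admin does not hide this second entry point. -->
      <module>
        <use>admin</use>
        <args>
          <module>Vendor_Module</module>
          <frontName>module</frontName>
        </args>
      </module>

      <!-- RECOMMENDED PATTERN: hook the extension's controllers into the
           existing "adminhtml" router instead of declaring a new one.
           Controllers live in controllers/Adminhtml/ and are reached as
           <admin frontName>/adminhtml_module/..., so they follow whatever
           custom admin path the site has configured and add no new URL. -->
      <adminhtml>
        <args>
          <modules>
            <Vendor_Module before="Mage_Adminhtml">Vendor_Module_Adminhtml</Vendor_Module>
          </modules>
        </args>
      </adminhtml>
    </routers>
  </admin>
</config>
```

A quick audit for this issue is to grep installed extensions' config.xml files for `<frontName>` nodes under `<admin><routers>`; each one is an additional admin frontName that the web server or a reverse proxy would have to restrict separately.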