Magento Forum

Page 1 of 2
Why hide admin url if everyone can find out what it is? 
 
Jakub@WebCatch
Sr. Member
 
Total Posts:  215
Joined:  2009-11-06
Nottingham, UK
 

Hi everyone,

I just found out something about Magento that scared me…

It is a common practice to define a unique URL for the admin site and use it to replace the default magento_url/admin/ path. It is understandable that such an approach improves the security of a Magento site by not allowing attackers to simply guess the entry point to the backend.

Today I discovered that it is pointless to hide the admin url, because everyone can find out what it is. All you have to do is to go to magento_url/downloader and click the link “Return to Magento Administration”. No matter how complicated your admin url, the attacker is right at your doorstep.

Is there any way to deal with this issue? I have two ideas:

1. Hide the downloader url as well. I am not sure if that is possible and how it will affect the downloader itself.
2. Remove the “Return to Magento Administration” link from the downloader login page. I am going to have a look at it now and will post any findings.

i960
Guru
 
Total Posts:  633
Joined:  2007-10-01
Bakersfield, CA
 

Although I have changed my admin path, I never rely on security through obscurity, which is exactly what that is. But it still surprises me that the link is displayed even when not logged in. So one solution is to check for a logged-in user and only then display the link. But to me that’s not enough, and I went with a completely different approach. If you don’t mind logging in twice, you can set up basic/digest authentication, so an attacker won’t even see that page at all. I went a step beyond that even. I am using digest authentication for both admin and the downloader, but it only displays the password dialog if I am connecting from an unknown IP address. So I just list all the IPs I normally connect from, like home and work. If I am somewhere else like in a hotel room, I will get the password prompt and have to enter my credentials before I even see the Magento login screens. This provides an additional layer of security, and helps hide the fact that I am even using Magento at all.

i960
Guru
 
Total Posts:  633
Joined:  2007-10-01
Bakersfield, CA
 

Here is an example of how I set up digest authentication with an IP address check.

# The "~" makes Apache treat the path as a regular expression; without it
# <Location> would match the string literally and the rule would never apply.
<Location ~ "/(mysecretadmin|downloader)(/|$)">
    <IfModule mod_authn_file.c>
        Order deny,allow
        Deny from all
        AuthName "Restricted"
        AuthType Digest
        AuthUserFile /path/to/.htpasswd
        Require valid-user
        Allow from 1.1.1.1 2.2.2.2
        Satisfy Any
    </IfModule>
</Location>

Just change “mysecretadmin” to your custom admin URL, change the path to the location of your .htpasswd file, and then list any IP addresses you might connect from in place of 1.1.1.1 and 2.2.2.2. This needs to be a space separated list.

Also, I believe this can only go in your Apache config file, not in a .htaccess file. If you don’t have a dedicated server or your host doesn’t give you access to your Apache config file, then you won’t be able to use the method I show. In that case, you can just set up basic authentication for the downloader directory inside your .htaccess file.
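The same "allowlisted IP or password" rule written for a current Apache release, as an added example (this is not i960’s configuration): Apache 2.4 dropped the Order/Deny/Allow/Satisfy directives in favour of <RequireAny>, so the 2.2 snippet above needs translating before it will load. The second stanza is the .htaccess fallback i960 and modernm mention for hosts that do not expose the main config; it covers only the downloader directory, because .htaccess applies per directory. The admin path "mysecretadmin", the .htpasswd path and the 203.0.113.x addresses (a documentation range) are placeholders.

```apache
# --- httpd.conf or virtual host, Apache 2.4 syntax ---------------------
# Digest credentials are created with the realm used in AuthName, e.g.
#   htdigest -c /path/to/.htpasswd Restricted adminuser
# Placeholders: "mysecretadmin", /path/to/.htpasswd, 203.0.113.10/.11
<LocationMatch "^/(mysecretadmin|downloader)(/|$)">
    AuthType Digest
    AuthName "Restricted"
    AuthUserFile /path/to/.htpasswd
    # Either condition grants access: a trusted source address, or a
    # valid digest login. Everyone else sees the 401 before any Magento page.
    <RequireAny>
        Require ip 203.0.113.10 203.0.113.11
        Require valid-user
    </RequireAny>
</LocationMatch>

# --- /downloader/.htaccess fallback (shared hosting) -------------------
# Works on 2.2 and 2.4 as long as AllowOverride permits AuthConfig.
# Basic auth sends the password in clear unless the site is served over
# HTTPS, which is why the digest/IP variant above is preferred.
# Create the file with: htpasswd -c /path/to/.htpasswd adminuser
AuthType Basic
AuthName "Restricted"
AuthUserFile /path/to/.htpasswd
Require valid-user
```

After reloading Apache, a request to /downloader from an address outside the allowlist should return 401 without the Magento Connect Manager login page, and with it the "Return to Magento Administration" link, ever being sent.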

ShopGuy
Guru
 
Total Posts:  462
Joined:  2008-09-07
 

In Magento 1.4 the downloader will be removed, from my understanding. This means it will not be a separate section of the site.

i960
Guru
 
Total Posts:  633
Joined:  2007-10-01
Bakersfield, CA
 
ShopGuy - 23 November 2009 09:12 PM

In Magento 1.4 the downloader will be removed, from my understanding. This means it will not be a separate section of the site.

That’s really interesting. Where did you hear that? It’s still there in alpha3. I was hoping alpha4 would be released last week but that didn’t happen. Hoping it comes this week…

Jakub@WebCatch
Sr. Member
 
Total Posts:  215
Joined:  2009-11-06
Nottingham, UK
 

Quickest fix:

Go to the file /downloader/template/login.phtml and delete the following line:

<a class="f-right" href="<?php echo htmlentities($returnUrl) ?>">Return to Magento Administration</a>

I discussed this issue further on my blog entry.

Michael_1
Enthusiast
 
Total Posts:  826
Joined:  2007-08-31
 
i960 - 23 November 2009 09:27 PM

ShopGuy - 23 November 2009 09:12 PM
In Magento 1.4 the downloader will be removed, from my understanding. This means it will not be a separate section of the site.

That’s really interesting. Where did you hear that? It’s still there in alpha3. I was hoping alpha4 would be released last week but that didn’t happen. Hoping it comes this week…

That’s not true. Magento Connect Manager will work in 1.4 RC and stable releases. Currently in 1.4-alpha(s) it might not work correctly and it is not recommended to use it in alpha-beta releases.

Jakub@WebCatch
Sr. Member
 
Total Posts:  215
Joined:  2009-11-06
Nottingham, UK
 

That’s not true. Magento Connect Manager will work in 1.4 RC and stable releases. Currently in 1.4-alpha(s) it might not work correctly and it is not recommended to use it in alpha-beta releases.

Hi Michael, if this is still going to last in the new version, do you have any other suggestions on how to hide the admin url? Do you think it will be possible to display it only if the user is logged in to the backend?

Michael_1
Enthusiast
 
Total Posts:  826
Joined:  2007-08-31
 

Yes, we will remove the “Return to admin” link from the login page; it will be visible only after the user has successfully logged in to the Magento Connect Manager.

Ben Marks
Moderator
 
Total Posts:  452
Joined:  2008-10-09
Isle of Palms, SC
 

Yes, I believe Lee Saferite pointed this issue out to me a while back. Good job in removing it for future releases!

i960
Guru
 
Total Posts:  633
Joined:  2007-10-01
Bakersfield, CA
 
Michael - 24 November 2009 05:56 AM

Yes, we will remove the “Return to admin” link from the login page; it will be visible only after the user has successfully logged in to the Magento Connect Manager.

Well that takes care of this issue!

chx
Jr. Member
 
Total Posts:  16
Joined:  2010-01-18
 

What about the exposed downloader page?
People still can easily install or uninstall your extensions, can’t they?

modernm
Member
 
Total Posts:  38
Joined:  2010-01-11
 

The best and most reliable way to deal with this issue is to use web server authentication like i960 mentioned. Almost all hosting providers that use Apache allow you to enable this feature via .htaccess. This will protect you from current and future issues. I would also still rename the folder.

Cal

chx
Jr. Member
 
Total Posts:  16
Joined:  2010-01-18
 

-->modernm
Thanks, Cal!

Appmerce
Guru
 
Total Posts:  376
Joined:  2008-05-13
Amsterdam, The Netherlands
 

Also, I would not recommend keeping your /downloader folder on a live site. Keep it on a test site only, if that is manageable for your setup.

Gui
Guru
 
Total Posts:  588
Joined:  2008-03-09
 

@morningtime How would you do that? Just delete the folder, or is there a special setup needed?
