Think you are hiding your Magento 2 store back-end URL?

As you may know, Magento recommends using a unique, custom Admin URL instead of the default “admin” or a common term such as “back-end”. A custom path will not stop a determined attacker who is after your data, but it does reduce exposure to scripts that blindly try the default admin location. Setting a custom Admin URL, however, does not guarantee that it stays hidden, least of all from attackers.

Recently a vulnerability was discovered that makes it easy to disclose the back-end URL of a Magento 2 store. Don’t worry too much: below we shed some light on the issue and describe some simple steps to secure your store.

Open Sesame…

A Magento 2 store discloses its back-end URL when a user requests certain routes that contain “Adminhtml” spelled with at least one uppercase letter. For example,

https://{base_url}/catalog/Adminhtml_category

where {base_url} is the base URL of your site.

Root of the issue

If the requested URL contains the word “Adminhtml” with at least one uppercase letter (anything other than the all-lowercase “adminhtml”) and the rest of the route matches a back-end action, Magento dispatches the request to the back-end controller (for catalog/Adminhtml_category that is Magento\Catalog\Controller\Adminhtml\Category\Index). The visitor is not a logged-in admin user, so Magento redirects them to the admin login page, and the redirect target reveals the custom admin URL.
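The following script is an added example written for this post, not Magento’s code, and it automates the check described above: it requests the mixed-case “Adminhtml” route against a store and inspects the response without following redirects. On a vulnerable store the Location header points at the admin login page, so its first path segment is the custom admin front name; a patched store answers the probe with its normal 404 page. It assumes (this is not stated in the post) that the admin login URL has the shape /<frontName>/… under the store’s base path and that the store answers with an HTTP redirect rather than an inline login form; the example host names and front names are constructed.

```python
"""Probe a Magento 2 store for the mixed-case "Adminhtml" admin URL disclosure.

Added example for this post; not Magento's own code.
Assumption (not from the post): the admin login URL is /<frontName>/... under
the store's base path, and the store replies to the probe with a redirect.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Route from the post plus a second casing: any spelling other than the
# all-lowercase "adminhtml" is matched against the back-end action.
PROBE_PATHS = ("catalog/Adminhtml_category", "catalog/ADMINHTML_category")
PROBE_MODULES = {p.split("/")[0].lower() for p in PROBE_PATHS}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def disclosed_admin_front_name(base_url, status, location):
    """Return the admin front name leaked by a probe response, or None.

    base_url: store base URL, e.g. https://shop.example/ or https://host/shop/
    status:   HTTP status code of the probe response
    location: value of the Location header (None if absent)
    """
    if status not in REDIRECT_CODES or not location:
        return None  # 404 (patched store) or anything that is not a redirect
    base = urlparse(base_url)
    target = urlparse(urljoin(base_url, location))
    # A redirect to another host (www canonicalisation, CDN) is not the admin.
    if target.netloc and target.netloc.lower() != base.netloc.lower():
        return None
    path = target.path
    prefix = base.path.rstrip("/")
    if prefix:  # store installed in a sub-folder: strip its own path prefix
        if not path.startswith(prefix + "/"):
            return None
        path = path[len(prefix):]
    segments = [s for s in path.split("/") if s]
    if not segments:
        return None  # redirected to the home page: nothing disclosed
    front_name = segments[0]
    # A redirect that merely re-spells the probe (trailing slash, casing) is noise.
    if front_name.lower() in PROBE_MODULES:
        return None
    return front_name


def _fetch(url):
    """Issue one GET without following redirects; return (status, Location)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None makes urllib raise HTTPError instead
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "admin-url-check/1.0"})
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def probe_store(base_url):
    """Try every probe path against a live store; return the first leak or None."""
    for path in PROBE_PATHS:
        status, location = _fetch(urljoin(base_url, path))
        leak = disclosed_admin_front_name(base_url, status, location)
        if leak:
            return leak
    return None


if __name__ == "__main__":
    # Hypothetical store URL; pass your own base URL as the first argument.
    store = sys.argv[1] if len(sys.argv) > 1 else "https://shop.example/"
    found = probe_store(store)
    print(f"admin front name disclosed: {found}" if found else "no disclosure observed")
```

Run it only against stores you own or are authorised to test. A redirect whose first path segment is neither the home page nor an echo of the probe is the disclosure; a 404 on both probe paths is what a store on 2.1.18, 2.2.9, 2.3.2 or later should return.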

Who is affected?

All Magento 2 stores running the versions listed in the following table are affected (use this tutorial to detect the version of your store):

Branch   Patched in version   Vulnerable versions
2.3      2.3.2                <= 2.3.1
2.2      2.2.9                <= 2.2.8
2.1      2.1.18               <= 2.1.17


Panic or not panic…

There is no need for panic or alarm. Knowing where the door is does not mean you can open it without the key, so there is no reason to believe this issue leads directly to a compromise. Knowing the admin URL does, however, make it easier to automate attacks against the login page (password guessing, for example), so it should still be fixed.

How to protect?

Magento has been informed about this issue and has already published a fix. The fix is provided in the PRODSECBUG-2432 security patch. For Magento Open Source the patch can be downloaded from Magento’s security patches page. For Magento Commerce, sign in with your Magento account to download it.

Also, the fix for this issue is included in the 2.1.18, 2.2.9 and 2.3.2 releases.

What is next?

If your store is vulnerable to the issue described, there are several ways to fix it:

  • Install the patch that fixes this issue only;
  • Strongly recommended: install the whole PRODSECBUG-2432 security patch, or upgrade your store to a Magento version that already contains the fix (2.1.18, 2.2.9 or 2.3.2);
  • Check your store with the Magento Security Scan tool to verify there are no other security issues.

So, what did you find when you checked your Admin URL? Have you secured it after reading this post, or do you still have questions? Don’t hesitate to leave them below, and thank you for reading!
