Think you are hiding your Magento 2 store back-end URL?

As you may know, Magento recommends using a unique, custom Admin URL instead of the default “admin” or a common term such as “backend”. Although it will not directly protect your site from a determined attacker intent on stealing your data, it does reduce exposure to scripts that try to gain unauthorized access. However, setting a custom Admin URL does not guarantee that it stays hidden, least of all from attackers.

Recently, a vulnerability was discovered that allows easy disclosure of the back-end URL in Magento 2. But don’t worry too much: here we shed some light on the issue and describe some simple steps to secure your store.

Open Sesame…

The issue in Magento 2 stores allows disclosure of the back-end URL when a user requests certain routes containing “Adminhtml”. For example,

https://{base_url}/catalog/Adminhtml_category

where {base_url} is the domain name of your site.

Root of issue

If the requested URL contains the word “Adminhtml” (with the first or any other letter in uppercase) and the requested route matches a back-end action, Magento dispatches the request to a back-end controller (for catalog/Adminhtml_category it uses Magento\Catalog\Controller\Adminhtml\Category\Index). If the requester is not a logged-in admin user, Magento then redirects them to the admin login page, thereby disclosing its URL.
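Because an unpatched store answers such probes with a redirect to the admin login page, the requests leave a recognisable trace in the web server access log. The following detector is an added example, not code from the original post or from Magento: it parses combined-format access log lines, skips traffic to the store's own admin front name (the constructed placeholder secret_backend_7x), and flags storefront requests whose path contains “adminhtml” in any letter case, which is broader than the uppercase condition described above. The log lines are constructed samples.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2019:12:00:01 +0000] "GET /catalog/Adminhtml_category HTTP/1.1" 302 0 "-" "curl/7.64.0"
203.0.113.10 - - [10/Jun/2019:12:00:02 +0000] "GET /catalog/ADMINHTML_product?x=1 HTTP/1.1" 302 0 "-" "curl/7.64.0"
198.51.100.7 - - [10/Jun/2019:12:00:03 +0000] "GET /catalog/category/view/id/5 HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2019:12:00:04 +0000] "GET /secret_backend_7x/ HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
ADMINHTML_RE = re.compile(r'adminhtml', re.IGNORECASE)


def find_adminhtml_probes(log_text: str, admin_front_name: str) -> List[Dict[str, str]]:
    """Return parsed log entries that look like back-end URL disclosure probes.

    A hit is any request outside the real admin front name whose path contains
    'adminhtml' (case-insensitive). A 302 status on such a hit is the symptom of
    an unpatched store redirecting the probe to the admin login page.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore
        path = m.group('path').split('?', 1)[0]  # drop the query string
        segments = [s for s in path.split('/') if s]
        if segments and segments[0] == admin_front_name:
            continue  # legitimate admin traffic, out of scope here
        if ADMINHTML_RE.search(path):
            hits.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                         'path': path, 'status': m.group('status')})
    return hits


def probes_per_ip(hits: List[Dict[str, str]]) -> Counter:
    """Count probe hits per client IP, e.g. for alert thresholds."""
    return Counter(h['ip'] for h in hits)


if __name__ == '__main__':
    found = find_adminhtml_probes(SAMPLE_LOG, 'secret_backend_7x')
    for h in found:
        print(h['ts'], h['ip'], h['path'], h['status'])
    print(probes_per_ip(found))
```

Run it over a real access log to see whether probes are already arriving, and treat 302 responses to those paths as a sign the store still needs the patch.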

Who is affected?

All Magento 2 stores in the versions listed in the following table are affected (use this tutorial to detect the version of your store):

Branch   Patched in version   Vulnerable versions
2.3      2.3.2                <= 2.3.1
2.2      2.2.9                <= 2.2.8
2.1      2.1.18               <= 2.1.17

Panic or not panic…

There is no need for panic or alarm. Knowing where a door is located does not mean you can open it without the key. So there is no reason to believe this issue leads to compromise directly, but knowing the URL location could make it easier to automate attacks against the login page.

How to protect?

Magento has been informed about this issue and has already published a fix for it. The fix is provided in the PRODSECBUG-2432 security patch. For Magento Open Source, the patch can be downloaded here. To download the Magento Commerce version of the patch, sign in with your Magento account.

The patch for this issue is also included in the 2.1.18, 2.2.9 and 2.3.2 releases.

What is next?

If your store is vulnerable to the issue described, there are several ways to fix it:

  • Install a patch that fixes only this issue;
  • Strongly recommended option: install the whole PRODSECBUG-2432 security patch, or upgrade your store to a Magento version that already contains the fix;
  • Check your store with the Magento Security Scan tool to look for other security issues.

So, what were the results after you checked your Admin URL? Have you secured it after reading this, or do you still have unanswered questions? Don’t hesitate to leave them below, and thank you for reading!