CSRF Vulnerability in Web Applications (and how to avoid it in the Magento Admin)

Discussion in 'Magento blog (International)' started by Blog reporter, 28 Feb 2009.

  1. Blog reporter (Guest)

    <p>In a recent blog post on <a href="http://artisansystem.com/blog/entry/33" title="http://artisansystem.com/">artisansystem.com</a>, there is a description of a hypothetical CSRF (<a href="http://en.wikipedia.org/wiki/Cross-site_request_forgery" title="Cross-site request forgery">Cross-site request forgery</a>) attack on a Magento admin. It is important to note that for this attack to be possible, the attacker must know the admin path (<i>frontName</i>). If this is unknown to the attacker, the attack will result in a <i>noroute</i> and will not cause any harm.
    </p>
    <p>
    The Magento Core Team identified this vulnerability a few months ago and, as a solution, introduced in previous releases a way to set a custom path to the administrative panel, both during the installation process and via the local configuration. Since this <a href="http://artisansystem.com/blog/entry/33" title="recent blog post">recent blog post</a> puts at risk any Magento user that specified ‘admin’ as their path, we urge all users to specify a non-trivial alternative path to the admin panel that is known only to the people who need to gain access to it.
    </p>
    <p>
    Security is among our top priorities when it comes to our users, and we are constantly testing for and resolving any issues as we become aware of them. We recommend always running the latest Magento version so that your installation is up to date with all security updates. A <a href="http://www.magentocommerce.com/boards/viewforum/12897/" title="here">new security-focused forum</a> is now available to discuss such topics.
    </p>
    <h5 class="accent">How to update admin path in an existing Magento installation</h5>
    <p>
    Disable all caches in System->Cache Management
    </p>
    <p>
    In your app/etc/local.xml file, update the value under <i>admin->routers->adminhtml->args->frontName</i> to any custom value you wish your admin to run under.
    </p>
    <p>
    Your resulting entry should look like this:
    </p>
    <p>
    <img src="http://www.magentocommerce.com/images/uploads/configxml.jpg" style="border: 0;" alt="image" width="542" height="136" />
    </p>
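The resulting <i>app/etc/local.xml</i> entry, written out as an added example rather than the screenshot from the original post; only the <i>admin</i> branch is shown, the <i>global</i> branch with the database credentials is left out, and the custom path value is a placeholder you must replace with your own:

```xml
<?xml version="1.0"?>
<!-- app/etc/local.xml: added example, not the screenshot from the original post.
     Only the <admin> branch is shown; the <global> branch that holds the
     install date, crypt key and database credentials is left out. -->
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <!-- Weak: the default path that the CSRF post relies on.
                         Left here, commented out, only for comparison. -->
                    <!-- <frontName><![CDATA[admin]]></frontName> -->

                    <!-- Hardened: a non-trivial path known only to admin users.
                         REPLACE_WITH_PRIVATE_PATH is a placeholder value. -->
                    <frontName><![CDATA[REPLACE_WITH_PRIVATE_PATH]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
```

With the caches disabled as described above, the admin panel is then served under /REPLACE_WITH_PRIVATE_PATH (or /index.php/REPLACE_WITH_PRIVATE_PATH when URL rewrites are off), and a forged request aimed at /admin ends in a <i>noroute</i> response.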
