CSRF Attack Prevention

4 Comments 1st MAR 2009 | Posted by Ivan Weiler in Magento


If you log in to your Magento admin today, you are welcomed with a message box that says:

CSRF Attack Prevention Read details !

Yesterday the Magento team acknowledged a CSRF vulnerability and provided a solution in the form of a tutorial on changing the admin path (frontName) of your Magento shop.

I find this approach strange and funny at the same time. Is hiding a vulnerability the new way of fixing it? ;) Especially since some users of the French Magento forums found a similar problem in the downloader (Magento Connect Manager). I can confirm this because I tested it myself. The funniest part was that Magento cached my GET request, so I couldn’t get rid of my test alert box :)

A few quick tips for Magento admins:

1. Follow official Magento news, forums and updates.

2. Don’t click suspicious links. These kinds of attacks are usually carried out through malformed links that the admin clicks in an e-mail, a comment, or any other source.

3. Clear “saved passwords” from browsers. Since most web browsers offer to remember passwords and then autocomplete them, this kind of attack could easily steal your password.
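To show what actually closes this class of bug, as opposed to renaming the admin path, here is an added example of a synchronizer-token CSRF check. It is not Magento’s code and not part of the original post; the session object, request shape, the `form_key` parameter name and the `delete_product` action are all assumptions made for the illustration. It walks through the three cases the tips above describe: a cross-site link the admin clicks (a GET that must never change state), a forged cross-site POST that cannot carry the session’s token, and the legitimate form submitted from the admin panel.

```python
# Added example (not Magento's code): synchronizer-token CSRF protection
# for a state-changing admin action. Session, request and action names are
# assumptions for this illustration.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

TOKEN_FIELD = "form_key"  # assumed parameter name, not taken from Magento


@dataclass
class Session:
    """Logged-in admin session; the token is bound to the session, never to a URL."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    path: str
    session: Optional[Session]            # cookie-authenticated session, if any
    params: dict = field(default_factory=dict)


def csrf_check(req: Request) -> tuple:
    """Return (allowed, reason). Safe methods pass; unsafe ones need the session token."""
    if req.session is None:
        return False, "not authenticated"
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        # Safe methods are allowed through, so handlers must never mutate state on them.
        return True, "safe method"
    submitted = req.params.get(TOKEN_FIELD)
    if not isinstance(submitted, str):
        return False, "missing token"
    # Constant-time comparison so the check does not leak token bytes via timing.
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        return False, "token mismatch"
    return True, "token ok"


def delete_product(req: Request, catalog: dict) -> tuple:
    """Admin action that only runs on POST carrying a valid session token."""
    if req.method.upper() != "POST":
        # A link in an e-mail or comment can only produce a GET; refuse to act on it.
        return 405, "deletion requires POST"
    ok, reason = csrf_check(req)
    if not ok:
        return 403, reason
    pid = req.params.get("id")
    if pid not in catalog:
        return 404, "no such product"
    del catalog[pid]
    return 200, f"deleted {pid}"


def demo() -> dict:
    """Run the three scenarios against a constructed catalog and return the outcomes."""
    admin = Session(user="admin")
    catalog = {"sku-1": "Widget", "sku-2": "Gadget"}     # constructed sample data
    results = {}
    # 1. Malformed link the admin clicks: browser attaches the cookie, no token, GET.
    link = Request("GET", "/admin/catalog/delete", admin, {"id": "sku-1"})
    results["link"] = delete_product(link, catalog)
    # 2. Auto-submitted cross-site form: cookie is sent, but the token is unknowable.
    forged = Request("POST", "/admin/catalog/delete", admin,
                     {"id": "sku-1", TOKEN_FIELD: "guess"})
    results["forged"] = delete_product(forged, catalog)
    # 3. Form rendered by the admin panel itself carries the session's token.
    legit = Request("POST", "/admin/catalog/delete", admin,
                    {"id": "sku-1", TOKEN_FIELD: admin.csrf_token})
    results["legit"] = delete_product(legit, catalog)
    results["remaining"] = sorted(catalog)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The design point is that the secret lives in the server-side session and is only ever embedded in pages the admin panel renders, so a page on another origin can make the browser send the admin’s cookie but cannot read or forge the token; hiding the admin URL adds nothing to that property.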



Inchoo - webappsolutions | 2009