CSRF Attack Prevention


If you log in to your Magento admin today, you are greeted with a message box that says:

CSRF Attack Prevention Read details !

Yesterday the Magento team acknowledged a CSRF vulnerability and provided a solution in the form of a tutorial on changing the admin path (frontName) of your Magento shop.

I find this approach strange and funny at the same time. Is hiding a vulnerability the new way of fixing it? ;) Especially since some users of the French Magento forums found a similar problem in the downloader (Magento Connect Manager). I can confirm this because I tested it myself. The funniest part was that Magento cached my GET request, so I couldn’t get rid of my test alert box :)
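For contrast with renaming the admin path, here is what an actual CSRF defence for a state-changing admin action looks like: a per-session synchronizer token that the browser can only obtain from a page it rendered, checked in constant time, with GET refused for state changes. This is an added example, not Magento’s own code; the session key, form field name and action are assumptions.

```php
<?php
// Added example (not Magento's code). Assumed names: session key 'csrf_token',
// hidden form field 'csrf_token', and a hypothetical admin action handler.

function csrf_token(): string
{
    // One unpredictable token per session, created lazily on first use.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_hidden_field(): string
{
    // Embed the token in every admin form that changes state.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_request_is_valid(string $method, array $post, ?string $sessionToken): bool
{
    // A crafted link in mail or a comment yields a GET; state changes must be POST.
    if ($method !== 'POST') {
        return false;
    }
    if ($sessionToken === null || !isset($post['csrf_token'])) {
        return false;
    }
    // Constant-time comparison so the check does not leak the token via timing.
    return hash_equals($sessionToken, (string) $post['csrf_token']);
}

// Usage at the top of a hypothetical admin action (e.g. saving an admin user):
session_start();
if (!csrf_request_is_valid($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}
// ... perform the privileged change only after the check passes ...
```

An obscure frontName does nothing here; the token is what ties the request to a page the admin actually loaded.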

A few quick tips for Magento admins:

1. Follow official Magento news, forums and updates.

2. Don’t click suspicious links. These kinds of attacks are usually carried out through malformed links that the admin clicks in an e-mail, a comment, or any other source.

3. Clear “saved passwords” from your browsers. Since most web browsers offer to remember passwords and then autocomplete them, this kind of attack could easily steal your password.

4

Author

Ivan Weiler

Technical Educator and Consultant

Ivan is a Technical Educator and Consultant. He gained lots of experience managing some of the most complex Magento projects we had at Inchoo.

Discussion (4 Comments)

  1. Gotta love security through obscurity ;)

    While it’s not the most sophisticated “fix,” setting your admin path to a random hash or hard-to-guess path isn’t a bad idea.

    You could use a password or hash generator to come up with a new admin path:

    http://www.pctools.com/guides/password/
    http://www.miraclesalad.com/webtools/md5.php

    Then again, who wants to remember/type in something like:

    domain.com/b8e065255d5326ea3cf1f85b0dd764f3/

    …just to login to the admin.

  2. I reposted Artisans original post on the discovered vulnerability.

    http://www.molotovbliss.com/blog/2009/02/magento-security-vulnerability/

    I would agree changing the admin URL isn’t a bad idea; however, I’m still working on a means to password-protect the admin directory via Apache, as prevention is always better than reacting.

  3. Hey that’s great. I was interested in reading original article, since they removed it.

    For all our readers, please feel free to post any additional info on this!

  4. Fresh note! Looks like they solved this issue in the new 1.2.1.2 version.
