Comments on: CSRF Attack Prevention http://inchoo.net/ecommerce/magento/csrf-attack-prevention/ Magento Design and Magento Development Professionals - Inchoo Thu, 09 Feb 2012 23:51:56 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Tomislav Bilic http://inchoo.net/ecommerce/magento/csrf-attack-prevention/comment-page-1/#comment-1199 Tomislav Bilic Wed, 04 Mar 2009 10:31:01 +0000 http://inchoo.net/?p=964#comment-1199 Fresh note! Looks like they solved this issue in new 1.2.1.2. version. Fresh note! Looks like they solved this issue in new 1.2.1.2. version.

]]> By: Ivan Weiler http://inchoo.net/ecommerce/magento/csrf-attack-prevention/comment-page-1/#comment-1180 Ivan Weiler Sun, 01 Mar 2009 23:03:09 +0000 http://inchoo.net/?p=964#comment-1180 Hey that's great. I was interested in reading original article, since they removed it. For all our readers, please feel free to post any additional info on this! Hey that’s great. I was interested in reading original article, since they removed it.

For all our readers, please feel free to post any additional info on this!

]]> By: B00MER http://inchoo.net/ecommerce/magento/csrf-attack-prevention/comment-page-1/#comment-1179 B00MER Sun, 01 Mar 2009 22:41:29 +0000 http://inchoo.net/?p=964#comment-1179 I reposted Artisans original post on the discovered vulnerability. http://www.molotovbliss.com/blog/2009/02/magento-security-vulnerability/ I would agree changing the admin url isn't a bad idea, However I'm still working on a means to password protect the admin directory via apache, as prevention is always better than reacting. I reposted Artisans original post on the discovered vulnerability.

http://www.molotovbliss.com/blog/2009/02/magento-security-vulnerability/

I would agree changing the admin url isn’t a bad idea, However I’m still working on a means to password protect the admin directory via apache, as prevention is always better than reacting.

]]> By: Crucial http://inchoo.net/ecommerce/magento/csrf-attack-prevention/comment-page-1/#comment-1178 Crucial Sun, 01 Mar 2009 21:35:12 +0000 http://inchoo.net/?p=964#comment-1178 Gotta love security through obscurity ;) While it's not the most sophisticated "fix," setting your admin path to a random hash or hard-to-guess path isn't a bad idea. You could use a password or hash generator to come up with a new admin path: http://www.pctools.com/guides/password/ http://www.miraclesalad.com/webtools/md5.php Then again, who wants to remember/type in something like: domain.com/b8e065255d5326ea3cf1f85b0dd764f3/ ...just to login to the admin. Gotta love security through obscurity ;)

While it’s not the most sophisticated “fix,” setting your admin path to a random hash or hard-to-guess path isn’t a bad idea.

You could use a password or hash generator to come up with a new admin path:

http://www.pctools.com/guides/password/
http://www.miraclesalad.com/webtools/md5.php

Then again, who wants to remember/type in something like:

domain.com/b8e065255d5326ea3cf1f85b0dd764f3/

…just to login to the admin.

]]>