An attacker can force the admin panel login page to be shown, regardless of the configured admin panel URL, by calling a module directly. This makes automated password attacks easier and exposes the admin URL on the page.
Text below is from Magento: SUPEE-6788 Technical Details. Without these changes, stores are forced to disable the security feature provided by this Magento patch.
Note: This part of the patch is disabled by default. To protect non-default admin URLs against automated attacks, the patch must be enabled by changing the routing compatibility mode in configuration. Use "Enable Admin routing compatibility mode" under System > Configuration > Admin > Security.
Bug type: Information Leakage
SUPEE-6788 Magento Patch Release Notes
SUPEE-6788 Magento Patch Technical Details
If a module has admin functionality that is not under the admin URL, it will need to be modified (e.g. http://domain.com/cool_module instead of http://domain.com/admin/cool_module).
Developers need to change etc/config.xml and all code lines where they generate links to the admin part of the module.
For example the following config.xml file for a module:
Should be changed to:
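As an added illustration (not part of this issue or of Magento's technical details), the config.xml fragments below show the kind of change described above for a hypothetical module Vendor_CoolModule with the front name cool_module: a stand-alone admin router that answers outside the admin URL, followed by the same module attached to the standard adminhtml router so that its controllers are only reachable under the admin URL.

```xml
<!-- BEFORE: a separate admin router with its own frontName.
     Its controllers are reachable at /cool_module/..., outside the
     (possibly non-default) admin URL, which is what defeats the
     SUPEE-6788 routing protection. Module and names are hypothetical. -->
<config>
    <admin>
        <routers>
            <cool_module>
                <use>admin</use>
                <args>
                    <module>Vendor_CoolModule</module>
                    <frontName>cool_module</frontName>
                </args>
            </cool_module>
        </routers>
    </admin>
</config>

<!-- AFTER: register the module's admin controllers with the standard
     adminhtml router instead. They are now only reachable under the
     admin URL, e.g. /admin/cool_module/index, so the admin front name
     is never revealed by a module-specific path. -->
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <modules>
                        <!-- controllers live in controllers/Adminhtml/ and
                             are prefixed Vendor_CoolModule_Adminhtml_... -->
                        <vendor_coolmodule before="Mage_Adminhtml">Vendor_CoolModule_Adminhtml</vendor_coolmodule>
                    </modules>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
```

With the second layout the controller for /admin/cool_module/index is the (hypothetical) class Vendor_CoolModule_Adminhtml_Cool_ModuleController in controllers/Adminhtml/Cool/ModuleController.php, and links to it are generated as `$this->getUrl('adminhtml/cool_module/index')` rather than through the old `cool_module/...` route.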