On the 27th of October, Magento released a security patch that fixes several security issues.

Among other things, this patch prevents reaching the Magento admin panel login screen through a module's own admin URL.

This new security setting is disabled by default; however, once you enable it (System > Configuration > Admin > Security > Admin routing compatibility mode for extensions), extensions that are not compatible with it will break.

What does it fix?

For instance, if you know that the Boostmyshop AdminLogger module is installed on this website: http://demo.boostmyshop.com/adminlogger/magento/index.php

You can then easily reach the Magento admin login page using this URL: http://demo.boostmyshop.com/adminlogger/magento/index.php/AdminLogger/Admin/Grid

What is the solution?

Basically, the fix is to route the module through the "admin" router keyword used in the Magento admin URLs (a keyword you are strongly advised to change when you install Magento).

A default Magento installation login page is usually: www.website.com/admin
A more secure Magento installation login page would be: www.website.com/MyVeryHardToKnowAdminRouterKeyword

In that second case, the module URL is:
www.website.com/MyVeryHardToKnowAdminRouterKeyword/AdminLogger_Admin/Grid

Then, if an attacker does not know your admin router keyword, they can NOT be redirected to the login page.

How to fix a module?

We will keep using the AdminLogger module as an example and describe, step by step, the process of fixing the module.

1 – Change the module router

Edit the file app/code/community/MDN/AdminLogger/etc/config.xml and update the configuration under the admin / routers nodes:

Before:

<AdminLogger>
    <use>admin</use>
    <args>
        <module>MDN_AdminLogger</module>
        <frontName>AdminLogger</frontName>
    </args>
</AdminLogger>

After:

<adminhtml>
    <args>
        <modules>
            <AdminLogger before="Mage_Adminhtml">MDN_AdminLogger_Adminhtml</AdminLogger>
        </modules>
    </args>
</adminhtml>

2 – Move your controller

Because of this new configuration, you must move your admin controllers into an Adminhtml directory:

Before:

File:
app/code/community/MDN/AdminLogger/controllers/AdminController.php

Class declaration:
class MDN_AdminLogger_AdminController extends Mage_Adminhtml_Controller_Action
{
    // action methods unchanged
}

After:

File:
app/code/community/MDN/AdminLogger/controllers/Adminhtml/AdminLogger/AdminController.php

Class declaration:
class MDN_AdminLogger_Adminhtml_AdminLogger_AdminController extends Mage_Adminhtml_Controller_Action
{
    // action methods unchanged
}

3 – Change the module URLs

Now that your module is part of the adminhtml router, every time you build a URL to reach your controller you must add the adminhtml prefix.

You must change this in:
– the menu (config.xml and adminhtml.xml files)
– Mage::helper('adminhtml')->getUrl calls
– addExportType calls
– controller redirects

For the AdminLogger module, we update the menu code in the config.xml file:

Before:

<adminlogger translate="title" module="AdminLogger">
    <title>Admin Logger</title>
    <action>AdminLogger/Admin/Grid</action>
    <sort_order>900</sort_order>
</adminlogger>

After:

<adminlogger translate="title" module="AdminLogger">
    <title>Admin Logger</title>
    <action>adminhtml/AdminLogger_Admin/Grid</action>
    <sort_order>900</sort_order>
</adminlogger>

And for the URLs generated in the code:

Before:
Mage::helper('adminhtml')->getUrl('AdminLogger/Admin/Prune');

After:
Mage::helper('adminhtml')->getUrl('adminhtml/AdminLogger_Admin/Prune');

4 – Update the module layout

If you stop there, when you try to reach a module screen you will get an empty page with only the Magento menu and footer: you must now update your layout so that it handles the new route:

Before:

<adminlogger_admin_grid>
    <reference name="content">
        <block type="AdminLogger/Grid" template="AdminLogger/Grid.phtml">
        </block>
    </reference>
</adminlogger_admin_grid>

After:

<adminhtml_adminlogger_admin_grid>
    <reference name="content">
        <block type="AdminLogger/Grid" template="AdminLogger/Grid.phtml">
        </block>
    </reference>
</adminhtml_adminlogger_admin_grid>

Now you can test

Don't forget to refresh all the Magento caches, then log out and log back in to Magento: your module should now be working fine!
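As an added example (not code from the original post or from the AdminLogger module), here is a small Python checker that flags the legacy patterns the four steps above replace: a router under admin/routers that uses the admin router with its own frontName, admin menu actions without the adminhtml/ prefix, and getUrl() route strings without it. The config.xml and PHP samples are constructed to mirror the "Before" state shown above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed config.xml modelled on the "Before" state of the AdminLogger
# module described above; it is not the real module file.
LEGACY_CONFIG_XML = """<?xml version="1.0"?>
<config>
  <admin><routers>
    <AdminLogger>
      <use>admin</use>
      <args><module>MDN_AdminLogger</module><frontName>AdminLogger</frontName></args>
    </AdminLogger>
  </routers></admin>
  <adminhtml><menu>
    <adminlogger translate="title" module="AdminLogger">
      <title>Admin Logger</title>
      <action>AdminLogger/Admin/Grid</action>
    </adminlogger>
  </menu></adminhtml>
</config>"""

# Constructed PHP fragment with one legacy and one already-fixed getUrl call.
SAMPLE_PHP = """
$a = Mage::helper('adminhtml')->getUrl('AdminLogger/Admin/Prune');
$b = Mage::helper('adminhtml')->getUrl('adminhtml/AdminLogger_Admin/Grid');
"""

def find_legacy_admin_routers(config_xml):
    """Routers under admin/routers exposing admin controllers on their own frontName."""
    root = ET.fromstring(config_xml)
    found = []
    for router in root.findall("./admin/routers/*"):
        if router.tag == "adminhtml":
            continue  # fixed form: module registered under the shared adminhtml router
        if router.findtext("use") == "admin" and router.findtext("args/frontName"):
            found.append((router.tag, router.findtext("args/frontName")))
    return found

def find_unprefixed_menu_actions(config_xml):
    """Admin menu actions that still lack the adminhtml/ route prefix."""
    menu = ET.fromstring(config_xml).find("./adminhtml/menu")
    if menu is None:
        return []
    return [a.text for a in menu.iter("action")
            if a.text and not a.text.startswith("adminhtml/")]

GETURL_RE = re.compile(r"""getUrl\(\s*['"]([^'"]+)['"]""")

def find_unprefixed_geturl_calls(php_source):
    """Route strings passed to getUrl() that still lack the adminhtml/ prefix."""
    return [r for r in GETURL_RE.findall(php_source) if not r.startswith("adminhtml/")]
```

Run the three functions over a module's etc/config.xml and its PHP files; an empty result from all of them means the module follows the routing described in this post.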
