OCT 18 2015

Securing MAGMI Data Import Tool


MAGMI (Magento Mass Importer), a popular Magento data import tool, is often left at its default location (/magmi/web/magmi.php) without any access control. A MAGMI that anyone can reach is effectively an unauthenticated administrative interface: an unsecured installation can be abused to gain full access to the Magento store, and CVE-2014-8770, together with the public exploits for it, makes the attack straightforward.

What can be done to keep the useful MAGMI tool while securing it?

There are several ways to restrict access to /magmi/. Pick the one that suits your needs and skills; the methods are not mutually exclusive, and combining an IP restriction with a password gives the best protection.

Move /magmi/ out when you don't need it

The simplest way, and it requires no web server knowledge at all. Navigate to your Magento root directory in your web file manager (FTP or SSH work just as well) and move the /magmi/ folder out of the document root, or into a folder that is already protected, preferably renaming it at the same time; var/myhiddenmagmi is a fine new name. When you need to import or export data through MagMI, move it back, and move it away again as soon as you are done. One caveat: var/ is protected only by Magento's own var/.htaccess, which works on Apache with .htaccess enabled. On nginx, make sure your configuration denies requests to /var/ (most Magento nginx templates do); otherwise the renamed folder is still reachable by anyone who guesses the name. Moving the folder completely outside the document root avoids the question.

Restrict access by IP-address

Apache2 with .htaccess enabled

Add the following lines at the top of the /magmi/.htaccess and /magmi/web/.htaccess files:

Order deny,allow
Deny from all
Allow from 54.145.101.33

54.145.101.33 is your IP address as detected by our server; add the addresses of the other administrators who use MagMI and of any external servers that use the import/export integration with your store. The Order/Deny/Allow directives are Apache 2.2 syntax; Apache 2.4 still accepts them through mod_access_compat, and its native equivalent is the Require ip directive. Keep in mind that an IP allow-list is only as narrow as the addresses on it: a shared office NAT or a dynamic ISP address admits more than just you.

nginx

Ask your hosting support or server admin to allow access to the /magmi/ location for your IP address (54.145.101.33) only. Sample code for the nginx configuration file looks like the following. Note the ^~ modifier: a plain prefix location is overridden by a regular-expression location such as the usual "location ~ \.php$" block, so the request for /magmi/web/magmi.php would bypass the allow/deny rules entirely. With ^~ the /magmi/ block wins, which is why the PHP handling has to be repeated inside it.

location ^~ /magmi/ {
  allow 54.145.101.33;
  deny all;
  # other code, depending on your config and the way of passing requests to PHP
  # usually the same as for / location; it must be nested here, because ^~ keeps
  # the generic "location ~ \.php$" block from taking the request away
}

Restrict access by additional password protection

Create a password file under the var/ directory, e.g. var/.htpwd (var/ is not served on a correctly configured Magento, but a path outside the document root is even better). Generate it with the htpasswd command on your server, or with openssl passwd -apr1 if htpasswd is not installed. Avoid online generators: whatever you type into one is handed to a third party, so at best use them only for a throwaway password. The file must be readable by the web server user and by nobody else.

Apache2 with .htaccess enabled

Add the following lines at the top of the /magmi/.htaccess file (they apply to /magmi/web/ as well, unless a .htaccess there overrides them; AuthUserFile needs an absolute path):

AuthType Basic
AuthName "Restricted"
AuthUserFile /full/path/to/your/magento/root/var/.htpwd
Require valid-user

nginx

Ask your hosting support or server admin to put the /magmi/ location behind password protection. Sample code for the nginx configuration file looks like the following; the ^~ modifier matters for the same reason as in the IP restriction above (a generic PHP location would otherwise skip the auth_basic check). If you also keep allow/deny rules in the same block, nginx's default "satisfy all" requires both the allowed address and valid credentials.

location ^~ /magmi/ {
  auth_basic           "Restricted";
  auth_basic_user_file /full/path/to/your/magento/root/var/.htpwd;
  # other code, depending on your config and the way of passing requests to PHP
  # usually the same as for / location; it must be nested here, because ^~ keeps
  # the generic "location ~ \.php$" block from taking the request away
}
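The IP restriction and the password protection described above are strongest when combined. The script below is an added example, not code from the original post or from MAGMI or Magento: it creates the htpasswd file, prepends Apache 2.4 rules to a .htaccess that require both an allowed address and valid credentials, writes the equivalent nginx location snippet with the ^~ modifier and nested PHP handling, and includes a check that a password verifies against the stored hash. The php-fpm socket path, the example IP addresses and user name, and the use of openssl passwd in place of the htpasswd binary are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from MAGMI/Magento.
# Generates the files that lock /magmi/ behind both an IP allow-list and
# HTTP Basic auth, for Apache 2.4 (.htaccess) and nginx (a location snippet).
# Assumed for illustration: the php-fpm socket path, the example IPs, and
# that the web server user can read var/.htpwd.
set -eu

# Create (or replace) an htpasswd file with one user, hashed with the Apache
# apr1 scheme that both Apache and nginx auth_basic accept. openssl is used
# so this works where the htpasswd binary is not installed; the password is
# fed on stdin so it never shows up in the process list.
make_htpasswd() {
  file=$1; user=$2; pass=$3
  hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)
  ( umask 077; printf '%s:%s\n' "$user" "$hash" > "$file" )
}

# Re-hash a candidate password with the stored salt and compare.
# Returns 0 on a match, 1 otherwise (an unknown user also fails).
check_password() {
  file=$1; user=$2; pass=$3
  stored=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$file")
  [ -n "$stored" ] || return 1
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)   # $apr1$<salt>$<hash>
  [ "$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin -salt "$salt")" = "$stored" ]
}

# Prepend Apache 2.4 rules to DIR/.htaccess (existing content is kept below
# them). <RequireAll> means a request must come from an allowed IP *and*
# carry valid credentials. Apache 2.2 would need Order/Deny/Allow instead.
write_htaccess() {
  dir=$1; htpwd=$2; shift 2
  tmp=$(mktemp)
  {
    printf 'AuthType Basic\nAuthName "Restricted"\n'
    printf 'AuthUserFile %s\n' "$htpwd"
    printf '<RequireAll>\n    Require valid-user\n    <RequireAny>\n'
    for ip in "$@"; do printf '        Require ip %s\n' "$ip"; done
    printf '    </RequireAny>\n</RequireAll>\n'
    if [ -f "$dir/.htaccess" ]; then cat "$dir/.htaccess"; fi
  } > "$tmp"
  mv "$tmp" "$dir/.htaccess"
}

# Write an nginx location block to OUT. "^~" is essential: without it a
# generic "location ~ \.php$" elsewhere in the server block wins for
# /magmi/web/magmi.php and allow/deny and auth_basic are never applied.
# nginx's default "satisfy all" makes both the IP and the password mandatory.
write_nginx_snippet() {
  out=$1; htpwd=$2; shift 2
  {
    printf 'location ^~ /magmi/ {\n'
    for ip in "$@"; do printf '    allow %s;\n' "$ip"; done
    printf '    deny all;\n'
    printf '    auth_basic "Restricted";\n'
    printf '    auth_basic_user_file %s;\n' "$htpwd"
    cat <<'EOF'
    # PHP handling is repeated here because ^~ stops the outer PHP location
    # from matching; the socket path is an assumption, adjust it to your setup.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php-fpm.sock;
    }
}
EOF
  } > "$out"
}
```

Usage: run make_htpasswd first, then write_htaccess for the Magento root's magmi directory (and for magmi/web if MagMI ships its own .htaccess there) or write_nginx_snippet and include the resulting file in your server block. Afterwards, request /magmi/web/magmi.php from an address that is not on the list and confirm you get an error response rather than the MagMI page; that request, not the configuration file, is the real test.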

Posted in: Configuration
