/magmi/web/magmi.php). An insecure installation of this tool can be abused to gain full access to a Magento installation, especially given the CVE-2014-8770 vulnerability and the public exploits available for it.
What can be done to secure the useful MAGMI tool?
There are several possible ways of restricting access to /magmi/. Select whichever suits your needs and skill level.

Move /magmi/ out when you don't need it
The simplest way, requiring absolutely no knowledge of webserver magic. Just navigate to your Magento root directory in your web file manager (FTP or SSH are also just fine) and move the /magmi/ folder out of the web root, or into another folder that is already protected, preferably renaming it. var/myhiddenmagmi should be just fine as a new name. When you need to import or export data through MagMI, you simply move it back.
Restrict access by IP-address
Apache2 with .htaccess enabled
Add the following lines at the top of the /magmi/.htaccess and /magmi/web/.htaccess files:

    Order deny,allow
    Deny from all
    Allow from 66.211.190.109

66.211.190.109 is your IP address as detected by our server. Make sure to also add the IP addresses of any other administrators who use MagMI, and of any external servers that use an import/export integration with your store.
nginx
Ask your hosting support or server admin to allow access to the /magmi/ location for your IP address (66.211.190.109) only. The configuration to apply in the nginx configuration file can look like the following:

    location /magmi/ {
        allow 66.211.190.109;
        deny all;
        # other directives, depending on your config and the way requests are passed to PHP
        # usually the same as for the / location
    }

The PHP-handling directives must be placed inside this block: if magmi.php is instead matched by a separate regular-expression location (such as a site-wide location for .php files), that location takes precedence and the allow/deny rules above are never applied.
Restrict access by additional password protection
Create a password file under the var/ directory, e.g. var/.htpwd. Use the htpasswd command on your server, or a safe online alternative, to generate it.
Apache2 with .htaccess enabled
Add the following lines at the top of the /magmi/.htaccess file:

    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /full/path/to/your/magento/root/var/.htpwd
    Require valid-user
nginx
Ask your hosting support or server admin to protect the /magmi/ location with a password. The configuration to apply in the nginx configuration file can look like the following:

    location /magmi/ {
        auth_basic "Restricted";
        auth_basic_user_file /full/path/to/your/magento/root/var/.htpwd;
        # other directives, depending on your config and the way requests are passed to PHP
        # usually the same as for the / location
    }

As with the IP restriction, the PHP-handling directives must sit inside this block, otherwise a separate location for .php files would serve magmi.php without asking for the password.
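Whichever of the Apache or nginx restrictions above you apply, verify it from outside afterwards. The following is an added example (not part of the MAGMI project or of this article) that probes the MAGMI paths a half-applied fix most often leaves open and reports whether each one is blocked, absent or still exposed; the base URL and the 401/403/404 interpretation are assumptions of the example.

```python
"""Check that /magmi/ is no longer reachable after access restrictions are applied.
Added example; not part of MAGMI or Magento."""
import urllib.error
import urllib.request

# All of these must be covered: the nginx "location /magmi/" prefix and both
# .htaccess files protect them, so probing each path catches a partial fix.
MAGMI_PATHS = ("/magmi/", "/magmi/web/", "/magmi/web/magmi.php")


def classify_status(code):
    """Map an HTTP status code to a verdict for a MAGMI URL (assumed mapping)."""
    if code in (401, 403):
        return "blocked"      # password prompt or IP deny is in effect
    if code == 404:
        return "absent"       # the folder was moved out of the web root
    if code == 200:
        return "exposed"      # MAGMI answered; the restriction is not active
    return "unexpected"


def fetch_status(url, timeout=10):
    """Return the HTTP status code for url; error responses are answers, not failures."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code       # 401/403/404 arrive here


def probe(base_url, paths=MAGMI_PATHS, fetch=fetch_status):
    """Return {path: verdict} for every MAGMI path under base_url.

    Run this from an address that is NOT in the allow list; from an allowed
    address an IP-based restriction looks like it works even when it does not.
    """
    return {p: classify_status(fetch(base_url.rstrip("/") + p)) for p in paths}


def all_protected(verdicts):
    """True only when no probed path still answers with MAGMI content."""
    return all(v in ("blocked", "absent") for v in verdicts.values())


if __name__ == "__main__":
    import sys
    results = probe(sys.argv[1])          # e.g. https://shop.example (placeholder)
    for path, verdict in results.items():
        print(f"{path}: {verdict}")
    sys.exit(0 if all_protected(results) else 1)
```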
Posted in: Configuration