Published: October 18, 2015

Securing MAGMI Data Import Tool

MAGMI (Magento Mass Importer), a popular Magento data import tool, is often left unprotected in its default location (/magmi/web/magmi.php). An insecure deployment of this tool can be abused to gain full access to a Magento installation, especially given the CVE-2014-8770 vulnerability and the public exploits available for it.

What can be done to secure this useful tool?

There are several ways of restricting access to /magmi/. Pick whichever suits your needs and skills. Whichever you choose, verify it afterwards: request /magmi/web/magmi.php with a browser or curl from an address that is not on your allow list, and without credentials. You should get a 403 or 401 response, not the MAGMI interface.

Move /magmi/ out when you don't need it

The simplest way, requiring no knowledge of webserver configuration. Navigate to your Magento root directory in your web file manager (FTP or SSH are also fine) and move the /magmi/ folder out of the web root, or into another folder that is already denied over HTTP, preferably renaming it as well. var/myhiddenmagmi is a reasonable new name: Magento ships a var/.htaccess that denies web access on Apache, but on nginx (or with .htaccess disabled) confirm that your server configuration really denies var/ before relying on it. Moving the folder completely outside the web root avoids that question. When you need to import or export data through MagMI, move it back.

Restrict access by IP-address

Apache2 with .htaccess enabled
Add the following lines at the top of both the /magmi/.htaccess and /magmi/web/.htaccess files:
Order deny,allow
Deny from all
Allow from 66.211.190.109
66.211.190.109 is your IP address as detected by our server. Make sure to also add the IP addresses of any other administrators who use MagMI and of any external servers that use import/export integration with your store. Note that this is the Apache 2.2 syntax; on Apache 2.4 it only works while mod_access_compat is loaded, and the native form is a single `Require ip 66.211.190.109` directive (one address per line, or a CIDR range) in place of the three lines above.
nginx
Ask your hosting support or server admin to allow access to the /magmi/ location for your IP address (66.211.190.109) only. Sample code for the nginx configuration file can look like the following:
location ^~ /magmi/ {
  allow 66.211.190.109;
  deny all;
  # other code, depending on your config and the way of passing requests to PHP
  # usually the same as for the / location
}
The `^~` modifier matters: without it, a regular-expression location such as `location ~ \.php$` (present in almost every Magento nginx config) takes precedence for /magmi/web/magmi.php and would serve the script without ever applying the allow/deny rules. With `^~`, nginx stops at this prefix match, which is why the PHP handling has to be repeated inside the block.

Restrict access by additional password protection

Create a password file under the var/ directory, e.g. var/.htpwd, and generate the entries locally with the htpasswd command (or `openssl passwd -apr1`) on your server rather than pasting the password into an online generator. Keep the file itself out of reach over HTTP: on Apache, Magento's var/.htaccess already denies it; on nginx, check that var/ is denied or store the file outside the web root.
Apache2 with .htaccess enabled
Add the following lines on top of /magmi/.htaccess file:
AuthType Basic
AuthName "Restricted"
AuthUserFile /full/path/to/your/magento/root/var/.htpwd
Require valid-user
nginx
Ask your hosting support or server admin to protect the /magmi/ location with a password. Sample code for the nginx configuration file can look like the following:
location ^~ /magmi/ {
  auth_basic           "Restricted";
  auth_basic_user_file /full/path/to/your/magento/root/var/.htpwd;
  # other code, depending on your config and the way of passing requests to PHP
  # usually the same as for the / location
}
As with the IP restriction, `^~` is needed so that a separate `location ~ \.php$` block does not serve magmi.php without authentication. Basic authentication sends the password in the clear on every request, so only use it over HTTPS. nginx's auth_basic accepts crypt(), apr1 and {SHA}/{SSHA} entries; bcrypt entries (htpasswd -B) are only understood if the system crypt() library supports them, so apr1 is the portable choice for a file shared between Apache and nginx.
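To generate and check var/.htpwd entries locally instead of pasting the password into an online generator, here is an added example (my code, not from the original post or from the MAGMI project) that produces and verifies entries in the $apr1$ format, which is what htpasswd emits by default and what both Apache's mod_authn_file and nginx's auth_basic accept. The user name `magmi-admin` and the passwords are constructed sample values; the `verify` function reproduces the check the web server performs when a request arrives.

```python
"""Generate and verify htpasswd entries in Apache's apr1 (MD5-based) format.

Added example, not part of the original post or of MAGMI. Both Apache's
mod_authn_file and nginx's auth_basic accept $apr1$ entries, so one file
works for either configuration shown on this page.
"""
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """Encode `count` 6-bit groups of `value`, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: str) -> str:
    """Return the $apr1$<salt>$<hash> string for `password`.

    This is the md5crypt construction used by htpasswd: a salted MD5 whose
    result is re-hashed 1000 times to make brute force slower.
    """
    pw = password.encode("utf-8")
    salt_b = salt[:8].encode("ascii")

    # Alternate sum: MD5(password + salt + password)
    alt = hashlib.md5(pw + salt_b + pw).digest()

    ctx = hashlib.md5(pw + MAGIC + salt_b)
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    # For each bit of the password length append a NUL or the first byte
    bit = len(pw)
    while bit:
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()

    for i in range(1000):
        round_ctx = hashlib.md5()
        round_ctx.update(pw if i & 1 else final)
        if i % 3:
            round_ctx.update(salt_b)
        if i % 7:
            round_ctx.update(pw)
        round_ctx.update(final if i & 1 else pw)
        final = round_ctx.digest()

    # Output bytes are interleaved in the fixed md5crypt order
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return MAGIC.decode() + salt_b.decode() + "$" + encoded


def new_salt() -> str:
    """Eight random characters from the crypt alphabet."""
    return "".join(secrets.choice(ITOA64) for _ in range(8))


def htpasswd_line(user: str, password: str, salt: str = "") -> str:
    """One line suitable for var/.htpwd (a fixed salt is only for tests)."""
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    return f"{user}:{apr1_hash(password, salt or new_salt())}"


def verify(htpasswd_text: str, user: str, password: str) -> bool:
    """Check credentials against file contents, as the web server would."""
    for line in htpasswd_text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, stored = line.split(":", 1)
        if name != user or not stored.startswith("$apr1$"):
            continue
        salt = stored.split("$")[2]
        # Constant-time comparison of the recomputed hash with the stored one
        return secrets.compare_digest(apr1_hash(password, salt), stored)
    return False


if __name__ == "__main__":
    # Constructed sample: one admin account for the MagMI directory
    line = htpasswd_line("magmi-admin", "correct horse battery staple")
    print(line)
    print(verify(line, "magmi-admin", "correct horse battery staple"))
    print(verify(line, "magmi-admin", "wrong password"))
```

Append the printed line to var/.htpwd (or run the script with `>>`), then point AuthUserFile or auth_basic_user_file at that path as shown above. Verifying with the same code after deployment is a quick way to rule out a typo in the file before blaming the server configuration.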

Posted in: Configuration
