Question

I have just updated my store to the latest Magento CE 1.9.2.2 software version (not the Patch SUPEE-6788, I did the full core update using the Magento Downloader).

After the update I went to

System > Configuration > Advanced > Admin > Security

and found the Admin routing compatibility mode for extensions option to be set to Enable.

However, just below the "Enable/Disable" selector there is a short description which says

Enabling this setting increases risk of automated attacks against admin functionality.

Admin routing compatibility mode for extensions

I wasn't sure if I should change this setting or not so I went to the Magento website and there it says

To protect non-default admin URLs against automated attacks, the patch must be enabled by changing the routing compatibility mode in configuration. Use "Enable Admin routing compatibility mode" under System > Configuration > Admin > Security.


The people over at Byte say

Finally, to increase security, disable the “compatibility mode” here:

System > Config > Admin > Security > Admin routing compatibility mode for extensions


And then they display a screen shot showing the option in Enable mode.

I find all of this very confusing, so my question is: which mode of this option offers the most security?

Should the selector display "Enable" or "Disable" after saving the config?


Solution

I think it's pretty easy to lull yourself into a false sense of security with this.

Admin routing compatibility mode for extensions: Enabled (=Default)

This is the default setting after applying the patch. Your extensions won't break with this setting. Security is limited though.

Admin routing compatibility mode for extensions: Disabled

Only with a disabled compatibility mode are you on the secure side. If all your extensions are updated to work with the new way of admin routing, don't forget to change this setting to "Disabled".

OTHER TIPS

Admin Routing Compatibility mode works like Compatibility Mode in Internet Explorer.

It downgrades the application to function like an older version so the insecure modules will work.

When you have all your modules upgraded to work properly in the new security model, you will disable Admin Routing Compatibility mode to restrict access to the admin backend.

It's one of those Microsoft GPO things where yes means no.

Enabling this setting increases risk of automated attacks against admin functionality.

is the same thing as

NOTE: This patch is disabled by default.

In other words, disabling what the patch does, by enabling Admin Routing Compatibility, makes a patched Magento able to run insecure modules.

Licensed under: CC-BY-SA with attribution