Question

If I enable "Admin routing compatibility mode for extensions", Magento states that the security of the admin would be weakened.

http://prntscr.com/8z9rqx

Please could someone explain exactly how it would be weakened? I have an instance where I have 20+ extensions which need this enabled, and I am trying to figure out exactly what the security risks are.


Solution

The compatibility mode is related to APPSEC-1034, which addresses bypassing the custom admin URL.

From the SUPEE-6788 patch detail page:

Admin Path Disclosure - APPSEC-1034

CVSSv3 Severity: 5.3 (Medium)

Attacker can force showing admin panel login page regardless of admin panel URL by calling a module directly. It makes it easier to try automated password attacks and exposes admin URL on the page.

The best way is to update the extensions and disable compatibility mode:

1.) All reliable extension vendors updated their extensions so you just have to look for the latest releases.

2.) Update your own extensions with the information from the technical details page.

See also here:
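To make step 2 concrete, here is an added example (not part of the answer above, and not code from any real extension) of the config.xml change that lets an extension work with compatibility mode switched off. The module name Acme_Widget, its front name and the controller names are placeholders chosen for this example; the two fragments are alternative versions of the same file, not one document.

```xml
<!-- BEFORE: legacy pattern that only keeps working with "Admin routing
     compatibility mode for extensions" enabled. The extension registers
     its own front name on the admin router, so its controllers answer at
     /acme_widget/... no matter what the custom admin path is, and the
     admin login form is reachable there (APPSEC-1034). -->
<config>
    <admin>
        <routers>
            <acme_widget>
                <use>admin</use>
                <args>
                    <module>Acme_Widget</module>
                    <frontName>acme_widget</frontName>
                </args>
            </acme_widget>
        </routers>
    </admin>
</config>

<!-- AFTER: hook the module's admin controllers into the core "adminhtml"
     router instead. They are then only served under the configured admin
     front name, e.g. /<custom-admin-path>/acmewidget_index/..., so the
     compatibility mode can stay disabled. -->
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <modules>
                        <!-- before="Mage_Adminhtml": look up controllers in
                             Acme_Widget_Adminhtml_* ahead of the core ones.
                             The vendor prefix in the controller path
                             ("acmewidget_") avoids clashes with core
                             adminhtml controller names. -->
                        <acme_widget before="Mage_Adminhtml">Acme_Widget_Adminhtml</acme_widget>
                    </modules>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>

<!-- Accompanying changes in the extension (placeholder names):
     - move controllers/IndexController.php to
       controllers/Adminhtml/Acmewidget/IndexController.php
     - rename the class to Acme_Widget_Adminhtml_Acmewidget_IndexController
     - build admin URLs as $this->getUrl('adminhtml/acmewidget_index/...')
       instead of $this->getUrl('acme_widget/index/...') -->
```

After migrating every extension this way, disable the compatibility mode and confirm that the old /acme_widget/... style paths no longer return the admin login page.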

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange