Bug type: Information Leakage
SUPEE-6788 Magento Patch Release Notes
SUPEE-6788 Magento Patch Technical Details
An attacker can force the admin panel login page to be displayed regardless of the configured admin URL by calling a module's admin route directly. This makes automated password attacks easier and exposes the admin URL on the page.
The text below is from Magento's SUPEE-6788 Technical Details. Without these changes to affected modules, store owners are forced to disable the security feature this patch provides.
Note: This part of the patch is disabled by default. To protect non-default admin URLs against automated attacks, the patch must be enabled by changing the routing compatibility mode in configuration. Use "Enable Admin routing compatibility mode" under System > Configuration > Admin > Security.
If a module has admin functionality that is not under the admin URL, it will need to be modified (e.g. http://domain.com/cool_module instead of http://domain.com/admin/cool_module).
Developers need to change etc/config.xml and all code lines where they generate links to the admin part of the module.
For example, the following config.xml file for a module:
<admin>
    <routers>
        <custom_module>
            <use>admin</use>
            <args>
                <module>custom_module</module>
                <frontName>custom_module</frontName>
            </args>
        </custom_module>
    </routers>
</admin>
Should be changed to:
<admin>
    <routers>
        <adminhtml>
            <args>
                <modules>
                    <custom_module after="Mage_Adminhtml">CustomModule_Adminhtml</custom_module>
                </modules>
            </args>
        </adminhtml>
    </routers>
</admin>
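As an added check (not Magento's code and not part of the quoted Technical Details), the following Python script does two things a store owner needs before enabling the routing change: it scans a Magento 1 code pool for modules still using the legacy admin router pattern shown above, and it can probe the store by requesting /<frontName> directly, the move described at the top of this page, to see whether the admin login page comes back. Assumptions: the standard app/code/<pool>/<Vendor>/<Module>/etc/config.xml layout, that the admin login page contains id="loginForm" and name="login[username]", and the hypothetical probe() helper and script name. The two config samples are the before/after fragments from the page wrapped in a <config> root.

```python
"""Find Magento 1 modules whose admin controllers are served outside the admin
URL (the condition SUPEE-6788's routing change addresses) and optionally probe
the store for the resulting login-page leak.

Added example for this page, not Magento's code. Assumed: the standard
app/code/<pool>/<Vendor>/<Module>/etc/config.xml layout and that the admin
login form carries id="loginForm" and name="login[username]".
"""
import os
import re
import sys
import tempfile
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Before (from the page): the module declares its own admin router with a public
# frontName, so http://domain.com/custom_module reaches admin controllers.
LEGACY_CONFIG = b"""<?xml version="1.0"?>
<config>
  <admin><routers>
    <custom_module>
      <use>admin</use>
      <args>
        <module>custom_module</module>
        <frontName>custom_module</frontName>
      </args>
    </custom_module>
  </routers></admin>
</config>"""

# After (from the page): controllers registered with the shared adminhtml router,
# so they are only reachable under the configured admin URL.
MIGRATED_CONFIG = b"""<?xml version="1.0"?>
<config>
  <admin><routers>
    <adminhtml>
      <args><modules>
        <custom_module after="Mage_Adminhtml">CustomModule_Adminhtml</custom_module>
      </modules></args>
    </adminhtml>
  </routers></admin>
</config>"""


def find_legacy_admin_routers(config_xml):
    """Return [(router_name, frontName)] for each router under <admin><routers>,
    other than the shared 'adminhtml' one, that uses the admin router class.
    Each hit is an admin entry point reachable at /<frontName>."""
    root = ET.fromstring(config_xml)
    hits = []
    for router in root.findall("./admin/routers/*"):
        if router.tag == "adminhtml":
            continue
        front = router.findtext("args/frontName")
        if router.findtext("use") == "admin" and front:
            hits.append((router.tag, front))
    return hits


def scan_code_pool(app_code_dir):
    """Walk app/code and map each etc/config.xml path to its legacy routers."""
    results = {}
    for dirpath, _dirs, files in os.walk(app_code_dir):
        if os.path.basename(dirpath) != "etc" or "config.xml" not in files:
            continue
        path = os.path.join(dirpath, "config.xml")
        with open(path, "rb") as fh:
            try:
                hits = find_legacy_admin_routers(fh.read())
            except ET.ParseError as exc:
                print(f"skipping {path}: {exc}", file=sys.stderr)
                continue
        if hits:
            results[path] = hits
    return results


# Markers assumed to identify the Magento 1 admin login form.
LOGIN_MARKERS = (re.compile(r'id="loginForm"'), re.compile(r'name="login\[username\]"'))


def looks_like_admin_login(html):
    """True when a response body contains the admin login form."""
    return all(marker.search(html) for marker in LOGIN_MARKERS)


def probe(base_url, front_name, timeout=10):
    """Hypothetical helper: GET /<frontName> directly and report whether the
    admin login page was served. Performs a live HTTP request."""
    url = f"{base_url.rstrip('/')}/{front_name}"
    req = urllib.request.Request(url, headers={"User-Agent": "supee-6788-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as exc:
        body = exc.read()  # an error page body is still worth inspecting
    return looks_like_admin_login(body.decode("utf-8", "replace"))


def demo_scan():
    """Write both samples into a temporary code pool, scan it, and return the
    sorted (router, frontName) findings: only the legacy module is reported."""
    with tempfile.TemporaryDirectory() as root:
        for module, xml in (("Legacy", LEGACY_CONFIG), ("Migrated", MIGRATED_CONFIG)):
            etc = os.path.join(root, "local", "Acme", module, "etc")
            os.makedirs(etc)
            with open(os.path.join(etc, "config.xml"), "wb") as fh:
                fh.write(xml)
        return sorted(hit for hits in scan_code_pool(root).values() for hit in hits)


if __name__ == "__main__":
    # Usage: python supee6788_check.py [/path/to/app/code] [http://store.example.com]
    code_dir = sys.argv[1] if len(sys.argv) > 1 else None
    base_url = sys.argv[2] if len(sys.argv) > 2 else None
    findings = scan_code_pool(code_dir) if code_dir else {"<demo>": demo_scan()}
    for path, hits in findings.items():
        for router, front in hits:
            print(f"{path}: router '{router}' exposes admin controllers at /{front}")
            if base_url:
                print(f"  admin login page served at /{front}: {probe(base_url, front)}")
```

Run it without arguments to see the scan over the two embedded samples; pass your app/code path to scan a real install, and a base URL as well to probe each flagged frontName. A module that is flagged needs the config.xml and link-generation changes described above before the routing compatibility mode is switched, otherwise its admin pages (and the login form) stay reachable at /<frontName>.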