MAGMI (Magento Mass Importer), the popular Magento data import tool, is often used without any protection in its default location (/magmi/web/magmi.php). An insecure Magmi deployment can give full access to a Magento installation, especially given the CVE-2014-8770 vulnerability and the public exploits available for it.
For Apache:
Add the following lines at the top of the /magmi/.htaccess and /magmi/web/.htaccess files:
Order deny,allow
Deny from all
Allow from <Your_IP>
For nginx:
Ask your hosting support or server admin to allow access to /magmi/ location for your IP address only.
Sample code to apply in the nginx configuration file:
location /magmi/ {
allow <your_ip>;
deny all;
# other code, depending on your config and the way of passing requests to PHP
# usually the same as for / location
}
Create a password protection file under the var/ directory, e.g. var/.htpwd, using the htpasswd command on your server.
For Apache:
Add the following lines at the top of the /magmi/.htaccess file:
AuthType Basic
AuthName "Restricted"
AuthUserFile /path/to/your/magento/var/.htpwd
Require valid-user
For nginx:
Ask your hosting support or server admin to restrict access to the /magmi/ location with password protection.
Sample code to apply in the nginx configuration file:
location /magmi/ {
auth_basic "Restricted";
auth_basic_user_file /path/to/your/magento/var/.htpwd;
# other code, depending on your config and the way of passing requests to PHP
# usually the same as for / location
}
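To confirm that the /magmi/ location actually carries one of the two protections described above (an IP allowlist or HTTP basic auth), here is a small configuration checker. It is an added example, not part of the original article or of Magmi; the sample configs, paths and IP address inside it are constructed placeholders.

```python
import re
from typing import Optional

def _magmi_block(nginx_conf: str) -> Optional[str]:
    """Return the body of the `location /magmi/ { ... }` block, or None."""
    m = re.search(r"location\s+/magmi/\s*\{", nginx_conf)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(nginx_conf)):  # brace matching handles nested blocks
        if nginx_conf[i] == "{":
            depth += 1
        elif nginx_conf[i] == "}":
            depth -= 1
            if depth == 0:
                return nginx_conf[start:i]
    return None  # unbalanced braces

def audit_nginx(nginx_conf: str) -> dict:
    """Check the /magmi/ location for an IP allowlist and/or HTTP basic auth."""
    body = re.sub(r"#[^\n]*", "", _magmi_block(nginx_conf) or "")  # drop comments
    ip = bool(re.search(r"\ballow\s+[\w.:/]+;", body)) and bool(re.search(r"\bdeny\s+all;", body))
    auth = bool(re.search(r'\bauth_basic\s+"[^"]+";', body)) and \
           bool(re.search(r"\bauth_basic_user_file\s+\S+;", body))
    return {"ip_allowlist": ip, "basic_auth": auth, "protected": ip or auth}

def audit_htaccess(htaccess: str) -> dict:
    """Same check for an Apache /magmi/.htaccess (directives are case-insensitive)."""
    lines = [l.strip().lower() for l in htaccess.splitlines()
             if l.strip() and not l.strip().startswith("#")]
    ip = "deny from all" in lines and any(l.startswith("allow from ") for l in lines)
    auth = any(l.startswith("authuserfile ") for l in lines) and "require valid-user" in lines
    return {"ip_allowlist": ip, "basic_auth": auth, "protected": ip or auth}

# Constructed sample configs (paths, socket and IP are placeholders, not real deployments)
NGINX_OK = r"""
location / { try_files $uri /index.php$is_args$args; }
location /magmi/ {
    auth_basic "Restricted";
    auth_basic_user_file /var/www/magento/var/.htpwd;
    location ~ \.php$ { fastcgi_pass unix:/run/php-fpm.sock; }  # nested block
}
"""
NGINX_UNPROTECTED = "location / { try_files $uri /index.php$is_args$args; }\n"
HTACCESS_OK = "Order deny,allow\nDeny from all\nAllow from 203.0.113.10\n"

if __name__ == "__main__":
    print("nginx:", audit_nginx(NGINX_OK))
    print("nginx (no /magmi/ block):", audit_nginx(NGINX_UNPROTECTED))
    print("htaccess:", audit_htaccess(HTACCESS_OK))
```

A missing /magmi/ block is reported as unprotected, which is the case the article warns about: the importer answering at its default path with no restriction at all.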
ServerGuy's Managed Magento Platform disables default installations of Magmi because of the severe security risk they pose. If you wish to use Magmi, it must be installed and secured properly before use; contact us for more details.