MAGMI (Magento Mass Importer), the popular Magento data import tool, is often left in its default location (/magmi/web/magmi.php) without any protection. An unsecured MAGMI installation can give an attacker full access to the Magento installation, especially given the CVE-2014-8770 vulnerability and the public exploits available for it.
What can be done to secure this useful MAGMI tool while keeping it usable?
Restrict access by IP address
For Apache:
Add the following lines at the top of both the /magmi/.htaccess and /magmi/web/.htaccess files (this is the Apache 2.2 access-control syntax; on Apache 2.4 it only works while mod_access_compat is loaded):
Order deny,allow
Deny from all
Allow from <Your_IP>
For nginx:
Ask your hosting support or server admin to allow access to the /magmi/ location for your IP address only. Note that nginx checks regular-expression locations before prefix locations, so if the vhost has a separate "location ~ \.php$" block, a plain "location /magmi/" block is skipped for magmi.php and the restriction never applies. The PHP pass-through must therefore sit inside the restricted block, and the block should be declared with the ^~ modifier so that regex locations are not consulted for anything under /magmi/.
Sample code to apply in the nginx configuration file:
location ^~ /magmi/ {   # ^~ keeps a separate "location ~ \.php$" block from taking over magmi.php
allow <your_ip>;
deny all;
# other code, depending on your config and the way of passing requests to PHP
# usually the same as for / location
}
Restrict access with additional password protection
Create a password file under the var/ directory, e.g. var/.htpwd, using the htpasswd command on your server. Make sure the web server cannot serve files from var/ directly: Magento ships a var/.htaccess that denies web access to var/ on Apache, but on nginx confirm that the /var/ location is denied, otherwise the hash file itself can simply be downloaded.
For Apache:
Add the following lines at the top of the /magmi/.htaccess file:
AuthType Basic
AuthName "Restricted"
AuthUserFile /path/to/your/magento/var/.htpwd
Require valid-user
For nginx:
Ask your hosting support or server admin to protect the /magmi/ location with a password. If you combine this with the IP allow-list above, nginx's default "satisfy all" setting requires both checks to pass; do not set "satisfy any", which would make either one sufficient.
Sample code to apply in the nginx configuration file:
location ^~ /magmi/ {   # ^~ keeps a separate "location ~ \.php$" block from taking over magmi.php
auth_basic "Restricted";
auth_basic_user_file /path/to/your/magento/var/.htpwd;
# other code, depending on your config and the way of passing requests to PHP
# usually the same as for / location
}
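The two procedures above (IP allow-list and password protection) combined into one script, as an added example that is not part of the original post and not code from the MAGMI project or ServerGuy. It writes an Apache 2.4 .htaccess that requires both an allow-listed address and valid credentials (the 2.4 equivalent of the Order/Deny/Allow and AuthType lines above, using RequireAll), writes the matching nginx snippet with the prefix location marked ^~ so a separate regex location for .php files cannot bypass it, creates the password file with htpasswd, and offers a check from outside that MAGMI answers 401 or 403. The script name harden_magmi.sh, the Magento root /var/www/magento, the user name magmi and the allow-listed address 203.0.113.10 are assumptions chosen for the example.

```shell
#!/bin/sh
# harden_magmi.sh - added example, not code from the original post.
# Locks /magmi/ behind an IP allow-list AND HTTP basic auth in one pass.
# Assumed for the example: Magento root /var/www/magento, basic-auth user
# "magmi", allow-listed address 203.0.113.10 (a documentation-only range).
set -eu

# Apache 2.4 form of the page's Order/Deny/Allow + AuthType lines.
# <RequireAll> makes the request pass the IP check AND present valid
# credentials; matching only one of the two rules is not enough.
write_apache_htaccess() {
  target=$1    # e.g. /var/www/magento/magmi/.htaccess
  htpwd=$2     # absolute path of the htpasswd file
  allow_ip=$3  # address or CIDR, e.g. 203.0.113.10 or 203.0.113.0/24
  cat > "$target" <<EOF
# generated by harden_magmi.sh: MAGMI reachable only from $allow_ip with a password
AuthType Basic
AuthName "Restricted"
AuthUserFile $htpwd
<RequireAll>
    Require ip $allow_ip
    Require valid-user
</RequireAll>
EOF
}

# nginx form. "^~" stops nginx from handing magmi.php to a separate
# "location ~ \.php$" block, which would bypass these rules, so the PHP
# pass-through has to live inside this block. "satisfy all" is the default,
# spelled out here: allow/deny AND auth_basic must both succeed.
write_nginx_snippet() {
  target=$1
  htpwd=$2
  allow_ip=$3
  cat > "$target" <<EOF
location ^~ /magmi/ {
    satisfy all;
    allow $allow_ip;
    deny all;
    auth_basic "Restricted";
    auth_basic_user_file $htpwd;
    # put the same fastcgi/php-fpm directives here that serve the / location
}
EOF
}

# Password file with a bcrypt hash (htpasswd -B needs Apache >= 2.4.4).
# nginx verifies bcrypt only where the system crypt(3) supports it; if nginx
# rejects the file, regenerate it with "htpasswd -m" (apr1-MD5) instead.
make_htpwd() {
  htpwd=$1
  user=$2
  htpasswd -B -c "$htpwd" "$user"   # prompts for the password
  chmod 640 "$htpwd"                # owner + web-server group only; set the group accordingly
}

# Returns 0 when MAGMI answers 401/403 from where this runs (outside the
# allow-list it must be blocked); any other status means the rules are not
# being applied to magmi.php.
check_locked() {
  url=$1
  code=$(curl -s -o /dev/null -w '%{http_code}' "$url") || code=000
  case "$code" in
    401|403) return 0 ;;
    *) echo "MAGMI not locked: HTTP $code for $url" >&2; return 1 ;;
  esac
}

main() {
  root=${1:-/var/www/magento}
  allow_ip=${2:-203.0.113.10}
  htpwd="$root/var/.htpwd"
  make_htpwd "$htpwd" magmi
  for dir in "$root/magmi" "$root/magmi/web"; do
    write_apache_htaccess "$dir/.htaccess" "$htpwd" "$allow_ip"
  done
  # nginx does not read .htaccess; hand this snippet to whoever edits the vhost
  write_nginx_snippet "$root/var/magmi-nginx.conf" "$htpwd" "$allow_ip"
  echo "nginx: include $root/var/magmi-nginx.conf in the server block and reload"
}

# Run main only when invoked as a script (sourcing it just defines the functions).
case "${0##*/}" in harden_magmi.sh) main "$@" ;; esac
```

Run it on the server as "sh harden_magmi.sh /var/www/magento 203.0.113.10" (htpasswd prompts for the password), include the generated nginx snippet in the server block and reload nginx, then call check_locked with the MAGMI URL from a machine that is not on the allow-list: a 200 there means the PHP request is being handled by a location the restriction does not cover.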
ServerGuy’s Managed Magento Platform disables default MAGMI installations because of the severe security risk they pose. If you wish to use MAGMI, it must be installed and secured properly before use; Contact Us for more details.