MAGMI (Magento Mass Importer), the popular Magento Data Import Tool, is often used without any protection in its default location (/magmi/web/magmi.php). Unsecure implementaion of Magmi can give full access to a Magento installation, especially taking into account CVE-2014-8770 vulnerability and public exploits available.
What can be done to secure useful MAGMI tool?
Restrict access by IP-address
For Apache:
Add the following lines on top of /magmi/.htaccess and /magmi/web/.htaccess files:
Order deny,allowDeny from allAllow from <Your_IP>
For nginx:
Ask your hosting support or server admin to allow access to /magmi/ location for your IP address only. Sample code to apply in nginx configuration file:
location /magmi/ { allow <your_ip>; deny all; # other code, depending on your config and the way of passing requests to PHP # usually the same as for / location}
Restrict access by additional password protection
Create password protection file under var/ directory, i.e. var/.htpwd. Use htpasswd command on your server.
For Apache:
Add the following lines on top of /magmi/.htaccess file:
AuthType BasicAuthName "Restricted"AuthUserFile /path/to/your/magento/var/.htpwdRequire valid-user
For Nginx:
Ask your hosting support or server admin to allow access to /magmi/ location by password protection. Sample code to apply in nginx configuration file:
location /magmi/ { auth_basic "Restricted"; auth_basic_user_file /path/to/your/magento/var/.htpwd; # other code, depending on your config and the way of passing requests to PHP # usually the same as for / location}