MAGMI (Magento Mass Importer), the popular Magento data import tool, is often used without any protection in its default location (/magmi/web/magmi.php). An insecure Magmi installation can give full access to a Magento installation, especially taking into account the CVE-2014-8770 vulnerability and the public exploits available for it.

What can be done to secure the useful MAGMI tool?

Restrict access by IP-address

For Apache:

Add the following lines at the top of the /magmi/.htaccess and /magmi/web/.htaccess files:

# Apache 2.2 syntax (on Apache 2.4 it needs mod_access_compat; the native 2.4 form is: Require ip <Your_IP>)
Order deny,allow
Deny from all
Allow from <Your_IP>

For nginx:

Ask your hosting support or server admin to allow access to the /magmi/ location for your IP address only. Sample configuration for the nginx configuration file:

location /magmi/ {
  allow <your_ip>;
  deny all;
  # other directives depend on your config and on how requests are passed to PHP,
  # usually the same as for the / location
  # note: a separate regex location such as "location ~ \.php$" takes precedence over this
  # prefix location for magmi.php; use "location ^~ /magmi/" or pass PHP to the backend from
  # a nested location here so that the allow/deny above is actually applied
}

Restrict access by additional password protection

Create a password file under the var/ directory, e.g. var/.htpwd, using the htpasswd command on your server.

For Apache:

Add the following lines at the top of the /magmi/.htaccess file:

AuthType Basic
AuthName "Restricted"
# absolute path to the file created with htpasswd
AuthUserFile /path/to/your/magento/var/.htpwd
Require valid-user

For nginx:

Ask your hosting support or server admin to protect the /magmi/ location with a password. Sample configuration for the nginx configuration file:

location /magmi/ {
  auth_basic           "Restricted";
  auth_basic_user_file /path/to/your/magento/var/.htpwd;
  # other directives depend on your config and on how requests are passed to PHP,
  # usually the same as for the / location
  # note: as with the IP restriction, a separate "location ~ \.php$" block would match
  # magmi.php before this prefix location; use "location ^~ /magmi/" or a nested PHP location
}
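As an added example that is not part of the original article: a small Python audit of a Magento docroot that checks whether both MAGMI .htaccess files carry one of the Apache protections above (an IP allow-list or basic auth) and whether the referenced password file actually exists. The sample layout it builds in a temporary directory is constructed for the demo; audit_magmi, build_sample_root and the 203.0.113.5 address are assumptions, and AuthUserFile is assumed to be an absolute path.

```python
import re
import tempfile
from pathlib import Path

# Apache 2.2 directives from the article, plus the native Apache 2.4 "Require ip" form.
ALLOW_FROM = re.compile(r"^\s*Allow\s+from\s+\S+", re.I | re.M)
DENY_ALL = re.compile(r"^\s*Deny\s+from\s+all\b", re.I | re.M)
REQUIRE_IP = re.compile(r"^\s*Require\s+ip\s+\S+", re.I | re.M)
AUTH_FILE = re.compile(r"^\s*AuthUserFile\s+(\S+)", re.I | re.M)
VALID_USER = re.compile(r"^\s*Require\s+valid-user\b", re.I | re.M)


def audit_magmi(magento_root):
    """Return findings; [] means both MAGMI .htaccess files restrict access."""
    root = Path(magento_root)
    if not (root / "magmi" / "web" / "magmi.php").is_file():
        return []  # MAGMI not installed, nothing to protect
    findings = []
    for rel in ("magmi/.htaccess", "magmi/web/.htaccess"):
        ht = root / rel
        if not ht.is_file():
            findings.append(f"{rel}: missing, MAGMI is reachable without restriction")
            continue
        text = ht.read_text(errors="replace")
        # "Require ip" denies everyone else by itself; the 2.2 form also needs "Deny from all".
        ip_ok = bool(REQUIRE_IP.search(text)) or bool(ALLOW_FROM.search(text) and DENY_ALL.search(text))
        auth = AUTH_FILE.search(text)
        auth_ok = bool(auth and VALID_USER.search(text))
        if auth_ok and not Path(auth.group(1)).is_file():
            findings.append(f"{rel}: AuthUserFile {auth.group(1)} not found, every login will fail")
        if not (ip_ok or auth_ok):
            findings.append(f"{rel}: neither IP allow-list nor basic auth configured")
    return findings


def build_sample_root(protect, htpwd_present=True):
    """Constructed sample docroot in a temp dir: MAGMI installed, optionally
    protected as the article describes (IP rule on magmi/, basic auth on magmi/web/)."""
    root = Path(tempfile.mkdtemp())
    (root / "magmi" / "web").mkdir(parents=True)
    (root / "magmi" / "web" / "magmi.php").write_text("<?php // placeholder for MAGMI\n")
    if protect:
        (root / "var").mkdir()
        htpwd = root / "var" / ".htpwd"
        if htpwd_present:
            htpwd.write_text("admin:$apr1$placeholder\n")  # real entries come from htpasswd
        (root / "magmi" / ".htaccess").write_text(
            "Order deny,allow\nDeny from all\nAllow from 203.0.113.5\n")
        (root / "magmi" / "web" / ".htaccess").write_text(
            f'AuthType Basic\nAuthName "Restricted"\nAuthUserFile {htpwd}\nRequire valid-user\n')
    return root
```

Run audit_magmi against the real docroot after applying the .htaccess changes above; an empty list is the expected result.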

MageHost’s Managed Magento Platform disables the default installations of Magmi due to the extremely severe security risks it poses. If you wish to utilise Magmi, it must be installed and secured properly before use. See our fully managed Magento hosting plans here or Contact Us for more details.
