Securing MAGMI Data Import Tool

Last updated Dec 7, 2020

MAGMI (Magento Mass Importer), the popular Magento data import tool, is often left without any protection in its default location (/magmi/web/magmi.php). An insecure Magmi installation can give an attacker full access to a Magento installation, especially given the CVE-2014-8770 vulnerability and the public exploits available for it.

What can be done to secure a useful MAGMI tool?
 

Restrict access by IP-address

For Apache:

Add the following lines at the top of the /magmi/.htaccess and /magmi/web/.htaccess files:

# Apache 2.2 syntax; on Apache 2.4 these directives need mod_access_compat
Order deny,allow
Deny from all
Allow from <Your_IP>

 

For nginx:

Ask your hosting support or server admin to allow access to the /magmi/ location from your IP address only. Sample code to apply in the nginx configuration file:

location /magmi/ {
  allow <your_ip>;
  deny all;
  # other code, depending on your config and the way of passing requests to PHP
  # usually the same as for / location
}

 

Restrict access by additional password protection

Create a password protection file under the var/ directory, i.e. var/.htpwd, using the htpasswd command on your server.

For Apache:

Add the following lines at the top of the /magmi/.htaccess file:

AuthType Basic
AuthName "Restricted"
AuthUserFile /path/to/your/magento/var/.htpwd
Require valid-user

 

For nginx:

Ask your hosting support or server admin to put the /magmi/ location behind password protection. Sample code to apply in the nginx configuration file:

location /magmi/ {
  auth_basic           "Restricted";
  auth_basic_user_file /path/to/your/magento/var/.htpwd;
  # other code, depending on your config and the way of passing requests to PHP
  # usually the same as for / location
}
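To confirm that either restriction is actually in force, request the Magmi paths without credentials from an address that is not on your allow list. The script below is an added example, not part of the original article or of Magmi; the script name and the store URL in the usage comment are placeholders.

```python
import sys
import urllib.error
import urllib.request

# Paths named in the article; magmi.php is Magmi's default entry point.
MAGMI_PATHS = ["/magmi/", "/magmi/web/magmi.php"]

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def classify(status, headers):
    """Turn one response (status, headers) into a verdict string."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 and "basic" in h.get("www-authenticate", "").lower():
        return "protected: password required"
    if status == 403:
        return "protected: access denied"
    if status == 404:
        return "not found: nothing served at this path"
    if 300 <= status < 400:
        return "redirect: re-check " + h.get("location", "(no Location header)")
    if 200 <= status < 300:
        return "EXPOSED: served without IP or password check"
    return "inconclusive: HTTP %d" % status

def probe(base_url, path, timeout=10):
    """Send one unauthenticated GET and return (status, headers)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
        return err.code, err.headers

def audit(base_url, fetch=probe):
    """Return {path: verdict} for every Magmi path."""
    return {p: classify(*fetch(base_url, p)) for p in MAGMI_PATHS}

def is_secured(results):
    """True only if every path was refused or absent."""
    ok = ("protected", "not found")
    return all(v.startswith(ok) for v in results.values())

if __name__ == "__main__":
    # Usage (placeholder URL): python check_magmi.py https://your-store.example
    results = audit(sys.argv[1])
    for path, verdict in results.items():
        print(path, "->", verdict)
    sys.exit(0 if is_secured(results) else 1)
```

A non-zero exit status means at least one path was served, redirected, or returned an unexpected status, so the script can be run from a monitoring job after each deployment.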

 

Webscoot’s Managed Magento Platform disables the default installations of Magmi due to the extremely severe security risks it poses. If you wish to utilize Magmi, it must be installed and secured properly before use. See our fully managed Magento hosting plans here or Contact Us for more details.


3 Comments

  1. Roze

    Everything is very open with a really clear description of the issues. It was really informative. Your website is very useful. Thanks for sharing.

  2. Nanine

    I really like your writing style, superb information, thanks for putting up.

  3. Anonymous

    Hello. This article was really motivating, particularly because I was browsing for thoughts on this matter the last couple of days.

