[BlueOnyx:05463] Re: Dealing with /admin URL 'hijacking
Abdul Rashid Abdullah
webmaster at muntada.com
Sat Sep 25 09:54:40 -05 2010
Jeff
Thanks!
On 9/25/10 7:34 AM, "Jeff Jones" <jeffrhysjones at mac.com> wrote:
> Mura.
>
> http://www.getmura.com/
>
> Runs CFML - we use Resin / Railo on BX to do this.
>
> Cheers,
>
> Jeff
>
> On 25 Sep 2010, at 15:23, Abdul Rashid Abdullah wrote:
>
>> What's the CMS?
>>
>>
>> On 9/25/10 7:01 AM, "Jeff Jones" <jeffrhysjones at mac.com> wrote:
>>
>>> Yes - but alas - this *particular* CMS - it does not make it easy for you -
>>> you have to modify something like 20 files, it's a real pain. Changing the
>>> CMS is not an option either - we love it!
>>>
>>> I have put in a number of requests to the developers - asking if there is an
>>> easier way, but nothing back yet.
>>>
>>> So in my case, I like to take the path of least resistance - edit the BX
>>> config file!
>>>
>>> Cheers,
>>>
>>> Jeff
>>>
>>> On 25 Sep 2010, at 14:47, Abdul Rashid Abdullah wrote:
>>>
>>>> Stephanie hit the nose on the target. I would prefer to modify the CMS
>>>> rather than BlueOnyx. When you migrate to a new system, you will deal with
>>>> the issue all over again. It is best to change it upfront.
>>>>
>>>> PLUS I am not sure who said something about BlueOnyx security and they
>>>> deleted it for that reason but I would say that it is FAR better to rename
>>>> the admin of a CMS as there is by far a higher likelihood of an exploit on
>>>> the CMS than on BlueOnyx coming into play. Zen Cart as an example EXPLICITLY
>>>> encourages all of the users to rename to something unique and specifically
>>>> warns you if I am remembering correctly if you don't do it. It is one of
>>>> their counter measures for not getting hacked.
>>>>
>>>> Regards,
>>>>
>>>> Rashid
>>>>
>>>>
>>>> On 9/24/10 7:08 AM, "Stephanie Sullivan" <ses at aviaweb.com> wrote:
>>>>
>>>>> Jeff,
>>>>>
>>>>> I've yet to meet a decent CMS or shopping cart that does not allow (most
>>>>> even encourage) changing the default path to the admin section of the code.
>>>>> Usually there is some configuration file which carries the base path for
>>>>> the CMS so it can readily be something other than "/admin". I hope this
>>>>> applies to this heretofore unnamed CMS.
>>>>>
>>>>> Thanks,
>>>>> -Stephanie
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-
>>>>>> bounces at blueonyx.it] On Behalf Of Jeff Jones
>>>>>> Sent: Thursday, September 23, 2010 10:23 AM
>>>>>> To: BlueOnyx General Mailing List
>>>>>> Subject: [BlueOnyx:05453] Re: Dealing with /admin URL 'hijacking
>>>>>>
>>>>>> Yes - I can get to the CMS using the absolute path - the only problem
>>>>>> is that with this particular CMS - it makes calls to /admin in the
>>>>>> GUI - and this then redirects back to the BX Admin!
>>>>>>
>>>>>> So the silver bullet is to either remove or rename the admin
>>>>>> redirect..
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Jeff
>>>>>>
>>>>>> On 23 Sep 2010, at 15:12, Klein Joachim wrote:
>>>>>>
>>>>>>> Am 23.09.2010 15:55, schrieb Chris Gebhardt - VIRTBIZ Internet:
>>>>>>>> Jeff Jones wrote:
>>>>>>>>> Hi guys,
>>>>>>>>>
>>>>>>>>> We have a web CMS on a BX box that has a URL /admin and
>>>>>>>>> unfortunately it does not appear easy to change this admin URL, much
>>>>>>>>> to my disgust.
>>>>>>>>>
>>>>>>>>> I think I have seen some posts around - but I am not sure if
>>>>>>>>> anyone managed to find an easy way to change the BX /admin URL to
>>>>>>>>> something a little less easy to guess.
>>>>>>>> Something that you could try in order to avoid tinkering would be to use
>>>>>>>> the page name in the URL of the CMS admin, likely "index.php". So instead
>>>>>>>> of going to www.domain.tld/admin go to www.domain.tld/admin/index.php
>>>>>>>> and I bet your CMS management page pops up.
>>>>>>>>
>>>>>>> Hi Chris!
>>>>>>>
>>>>>>> That's right - but tell this to the customer.
>>>>>>> I'm also using only the /admin part and not the complete one.
>>>>>>> I had a customer who called me with exactly this problem.
>>>>>>>
>>>>>>> Customer: "I have installed a CMS on the webspace but my password
>>>>>>> wouldn't be accepted"
>>>>>>> Support worked a long time to find out that the user was trying to login
>>>>>>> to the Blueonyx-Admin and not the CMS of the user.
>>>>>>> The install wasn't the problem because the directory was /install, but
>>>>>>> then the admin was /admin.
>>>>>>> And if you have a customer without too much technical know-how then
>>>>>>> you get silly.
>>>>>>>
>>>>>>> That's the reason why I have deleted all the /admin-Redirects.
>>>>>>> Joachim
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Blueonyx mailing list
>>>>>>> Blueonyx at blueonyx.it
>>>>>>> http://www.blueonyx.it/mailman/listinfo/blueonyx
>>>>>>