[BlueOnyx:05462] Re: Dealing with /admin URL 'hijacking

Jeff Jones jeffrhysjones at mac.com
Sat Sep 25 09:34:17 -05 2010


Mura.

http://www.getmura.com/

Runs CFML - we use Resin / Railo on BX to do this.

Cheers,

Jeff

On 25 Sep 2010, at 15:23, Abdul Rashid Abdullah wrote:

> What's the CMS?
> 
> 
> On 9/25/10 7:01 AM, "Jeff Jones" <jeffrhysjones at mac.com> wrote:
> 
>> Yes - but alas - this *particular* CMS - it does not make it easy for you -
>> you have to modify something like 20 files, it's a real pain. Changing the CMS
>> is not an option either - we love it!
>> 
>> I have put in a number of requests to the developers - asking if there is an
>> easier way, but nothing back yet.
>> 
>> So in my case, I like to take the path of least resistance - edit the BX
>> config file!
>> 
>> Cheers,
>> 
>> Jeff
>> 
>> On 25 Sep 2010, at 14:47, Abdul Rashid Abdullah wrote:
>> 
>>> Stephanie hit the nose on the target.  I would prefer to modify the CMS
>>> rather than BlueOnyx.  When you migrate to a new system, you will deal with
>>> the issue all over again.  It is best to change it upfront.
>>> 
>>> PLUS I am not sure who said something about BlueOnyx security and they
>>> deleted it for that reason but I would say that it is FAR better to rename
>>> the admin of a CMS as there is by far a higher likelihood of an exploit on
>>> the CMS than on BlueOnyx coming into play.  Zen Cart as an example EXPLICITLY
>>> encourages all of the users to rename to something unique and specifically
>>> warns you, if I am remembering correctly, if you don't do it.  It is one of
>>> their countermeasures for not getting hacked.
>>> 
>>> Regards,
>>> 
>>> Rashid
>>> 
>>> 
>>> On 9/24/10 7:08 AM, "Stephanie Sullivan" <ses at aviaweb.com> wrote:
>>> 
>>>> Jeff,
>>>> 
>>>> I've yet to meet a decent CMS or shopping cart that does not allow (most
>>>> even encourage) changing the default path to the admin section of the code.
>>>> Usually there is some configuration file which carries the base path for the
>>>> CMS so it can readily be something other than "/admin". I hope this applies
>>>> to this heretofore unnamed CMS.
>>>> 
>>>> Thanks,
>>>> -Stephanie
>>>> 
>>>> 
>>>>> -----Original Message-----
>>>>> From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it] On Behalf Of Jeff Jones
>>>>> Sent: Thursday, September 23, 2010 10:23 AM
>>>>> To: BlueOnyx General Mailing List
>>>>> Subject: [BlueOnyx:05453] Re: Dealing with /admin URL 'hijacking
>>>>> 
>>>>> Yes - I can get to the CMS using the absolute path - the only problem
>>>>> is that with this particular CMS - it makes calls to /admin in the
>>>>> GUI - and this then redirects back to the BX Admin!
>>>>> 
>>>>> So the silver bullet is to either remove or rename the admin
>>>>> redirect..
>>>>> 
>>>>> Cheers,
>>>>> 
>>>>> Jeff
>>>>> 
>>>>> On 23 Sep 2010, at 15:12, Klein Joachim wrote:
>>>>> 
>>>>>> On 23.09.2010 15:55, Chris Gebhardt - VIRTBIZ Internet wrote:
>>>>>>> Jeff Jones wrote:
>>>>>>>> Hi guys,
>>>>>>>> 
>>>>>>>> We have a web CMS on a BX box that has a url /admin and
>>>>>>>> unfortunately it does not appear easy to change this admin URL, much
>>>>>>>> to my disgust.
>>>>>>>> 
>>>>>>>> I think I have seen some posts around - but I am not sure if
>>>>>>>> anyone managed to find an easy way to change the BX /admin url to
>>>>>>>> something a little less easy to guess.
>>>>>>> Something you could try in order to avoid tinkering would be to use
>>>>>>> the page name in the URL of the CMS admin, likely "index.php".  So
>>>>>>> instead of going to www.domain.tld/admin go to
>>>>>>> www.domain.tld/admin/index.php
>>>>>>> and I bet your CMS management page pops up.
>>>>>>> 
>>>>>> Hi Chris!
>>>>>> 
>>>>>> That's right - but tell this to the customer.
>>>>>> I'm also using only the /admin part and not the complete one.
>>>>>> I had a customer who called me with exactly this problem.
>>>>>> 
>>>>>> Customer: "I have installed a CMS on the webspace but my password
>>>>>> wouldn't be accepted"
>>>>>> Support worked a long time to find out that the user was trying to
>>>>>> log in to the Blueonyx-Admin and
>>>>>> not the CMS of the user.
>>>>>> The install wasn't the problem because the directory was /install,
>>>>>> but then the Admin was /admin.
>>>>>> And if you have some customer without too much technical knowhow
>>>>>> then you get silly.
>>>>>> 
>>>>>> That's the reason why I have deleted all the /admin-Redirects.
>>>>>> Joachim
>>>>>> 
>>>>>> _______________________________________________
>>>>>> Blueonyx mailing list
>>>>>> Blueonyx at blueonyx.it
>>>>>> http://www.blueonyx.it/mailman/listinfo/blueonyx
>>>>> 
>>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>>> 
>>> 
>> 
>> 
>> 
>> 
> 
> 
> 
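The conflict the thread describes, as an added example that is not from the thread and not BlueOnyx's own generated vhost files: a per-site Apache vhost whose bare /admin is redirected to the control panel (which is why Chris's /admin/index.php workaround reaches the CMS), beside the same vhost with that redirect removed, as Joachim did, and the CMS's /admin narrowed to a trusted range instead of left open. Apache 2.4 syntax; the file paths, host names, the :444 panel URL and the address range are assumptions.

```apache
# --- Before (constructed; stands in for the per-site panel redirect the thread
# --- talks about). Only the exact /admin (optionally with a trailing slash) is
# --- caught, so links the CMS emits to /admin land on the panel login, while
# --- /admin/index.php still falls through to the CMS's own DocumentRoot.
<VirtualHost *:80>
    ServerName   www.domain.tld
    DocumentRoot /home/sites/www.domain.tld/web
    RedirectMatch permanent ^/admin/?$ https://www.domain.tld:444/
</VirtualHost>

# --- After (constructed). The redirect is gone, so /admin is served by the CMS
# --- itself; because that path is now the CMS's real login page, access to it is
# --- limited to an assumed office/VPN range. The CMS's own login still applies.
<VirtualHost *:80>
    ServerName   www.domain.tld
    DocumentRoot /home/sites/www.domain.tld/web

    <Location "/admin">
        Require ip 203.0.113.0/24
    </Location>
</VirtualHost>
```

To see which behaviour a site actually shows, request `http://www.domain.tld/admin` with `curl -sI` and look at the Location header: a 301 to the :444 URL means the panel redirect is still in force.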