Magento Version exposure via Setup route with default Nginx Configuration #39227
Comments
Hi @SamJUK. Thank you for your report.
Join Magento Community Engineering Slack and ask your questions in #github channel.
Hi @engcom-Bravo. Thank you for working on this issue.
Hi @SamJUK, thanks for your report and collaboration. We have verified the issue on the latest 2.4-develop instance and the issue is reproducible. Kindly refer to the screenshots. We see a lovely page telling us exactly the Magento version. Hence, confirming the issue. Thanks.
✅ Jira issue https://jira.corp.adobe.com/browse/AC-13205 is successfully created for this GitHub issue.
✅ Confirmed by @engcom-Bravo. Thank you for verifying the issue.
For those who are exposed by an apache configuration on a server and don't want to fiddle with the code, a quick solution can be to modify
This way, access to setup will be forbidden for direct requests when on a production server.
@Serfe-com Thanks for that, should cover Apache servers well. As far as I am aware, Nginx won't read

Nginx Configuration

location ~* ^/setup($|/) {
root $MAGE_ROOT;
location ~ ^/setup/index.php {
+ deny all;
fastcgi_pass fastcgi_backend;
fastcgi_param PHP_FLAG "session.auto_start=off \n suhosin.session.cryptua=off";

Application Level

--- setup/view/magento/setup/index.phtml
+++ setup/view/magento/setup/index.phtml
@@ -10,7 +10,6 @@
<main class="page-content">
<section data-section="landing" class="page-landing">
<img class="logo" src="<?= $this->basePath() ?>/pub/images/magento-logo.svg" alt="Magento"/>
- <p class="text-version">Version <?= htmlspecialchars($this->version, ENT_COMPAT) ?></p>
<p class="text-welcome">
Welcome to Magento Admin, your online store headquarters.
<br>
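Review bot: in the Nginx snippet, `deny all;` is added only inside the nested `location ~ ^/setup/index.php` block, so the outer `location ~* ^/setup($|/)` block with `root $MAGE_ROOT;` still serves any other request under /setup/ straight from the filesystem, and the `fastcgi_pass` / `fastcgi_param` lines that follow the deny are now dead configuration. If the setup route is not needed on a production host, move the deny (or a `return 403;`) up into the outer `location ~* ^/setup($|/)` block so the whole prefix is refused, and confirm with a direct request to /setup/ after reloading nginx that it returns 403.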
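Review bot: on the index.phtml hunk, dropping the `text-version` paragraph hides the exact version string, but the landing markup around it (the Magento logo and the "Welcome to Magento Admin" text) is still rendered to anyone who can reach /setup/, so the page still confirms the platform; treat this as defence in depth next to the server-level deny, not a replacement for it. The hunk also leaves `$this->version` untouched wherever it is assigned, so check whether that assignment is now dead and can be removed with the markup.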
Preconditions and environment
Any Version of Magento using the Nginx sample config
Steps to reproduce
Navigate to https://site.com/setup/
Expected result
Return a 401/403 error, or at very minimum do not expose the exact version of Magento the site is running.
Actual result
We see a lovely page telling us exactly the Magento version is
Additional information
I believe in 2.4 the web-based setup was removed, although the page is still accessible, displaying the Magento version.
Typically, those using the default Nginx configuration are less technical / security focused, and they trust that the provided default Nginx configuration is secure by default. I would argue exposing the exact Magento package version provides no benefit whilst telling potential bad actors exactly what exploits to attempt or search for.
Release note
No response
Triage and priority
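A post-deployment check for the expected result above (a 401/403 from /setup/, or at least no exact version in the response), written as an added example for this issue rather than code from Magento or from anyone in the thread. The version marker it looks for is the `text-version` paragraph from index.phtml quoted in the thread; `check_site`, `assess_setup_response` and the `site.com` default are the example's own names.

```python
import re
import sys
import urllib.error
import urllib.request

# Marker rendered by setup/view/magento/setup/index.phtml before the fix:
#   <p class="text-version">Version <?= htmlspecialchars($this->version, ENT_COMPAT) ?></p>
VERSION_RE = re.compile(r'<p class="text-version">\s*Version\s+([^<]+?)\s*</p>', re.I)


def assess_setup_response(status: int, body: str) -> dict:
    """Classify a /setup/ response the way the issue's expected result does.

    401/403 is the desired outcome.  Anything else that still carries the
    text-version paragraph leaks the exact Magento version.
    """
    match = VERSION_RE.search(body)
    version = match.group(1) if match else None
    blocked = status in (401, 403)
    return {
        "status": status,
        "blocked": blocked,
        "version": version,
        # Exposed only when the page is reachable *and* still prints a version.
        "exposed": (not blocked) and version is not None,
    }


def check_site(base_url: str, timeout: float = 10.0) -> dict:
    """Fetch <base_url>/setup/ and assess it.

    HTTPError is the normal path for a correctly configured server (403),
    so it is handled and its body still inspected rather than raised.
    """
    url = base_url.rstrip("/") + "/setup/"
    req = urllib.request.Request(url, headers={"User-Agent": "setup-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess_setup_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return assess_setup_response(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Example invocation; site.com is the placeholder host used in the issue.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://site.com"
    print(check_site(target))
```

Run it against your own host after applying the Nginx deny and again after removing the template line; `exposed` should be False in both cases, and `blocked` True once the server-level rule is in place.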