Magento Admin URL location disclosed

This article provides a patch for the Magento 2 security issue where the URL location of a Magento Admin panel can be disclosed. Knowing the URL location could make it easier to automate attacks.

Affected versions:

• Magento Commerce Cloud 2.X.X
• Magento Commerce 2.X.X
• Magento Open Source  2.X.X

Issue

An issue has been discovered in Magento Open Source and Magento Commerce that can be used to disclose the URL location of a Magento Admin panel. While there is currently no reason to believe this issue would lead to a compromise directly, knowing the URL location could make it easier to automate attacks.

Solution 

To fix the issue, please apply the patch attached to this article. To download it, scroll down to the end of the article and click the file name, or click the following link:

• Download composer_2.1.17.patch - for versions 2.1.13-2.1.17, all editions.
• Download composer_2.2.8.patch - for versions 2.2.X, all editions.
• Download composer_2.3.1.patch - for versions 2.3.X, all editions.

Magento strongly recommends applying the patch as soon as possible, even if you have not experienced any symptoms of an attack.

How to apply the patch

We strongly recommend applying and testing the patch on your Staging/Integration environment, before applying it to your Production environment. We also recommend to have a recent backup at hand before making any manipulations.

How to apply this patch for Magento Commerce Cloud

1. If you do not have a directory named m2-hotfixes in the project root, please create one.
2. Copy the %patch_name%.composer.patch file(s) to the m2-hotfixes directory.

3. Add, commit, and push your code changes:

   git add -A && git commit -m "Apply %patch_name%.composer.patch patch" && git push origin

How to apply this patch for Magento Commerce and Open Source

1. Upload the patch to your Magento root directory.
2. Run the following SSH command:

   patch -p1 < %patch_name%.composer.patch

   (If the above command does not work, try using -p2 instead of -p1)
3. For the changes to be reflected, refresh the cache in the Admin under System > Cache Management.

Other security recommendations

Magento also strongly recommends that merchants deploy tools to secure their admin panel, including two-factor authentication, VPN, IP whitelisting, and more. For detailed information, see the following blogs and documentation:

• 5 Immediate Actions to Protect Against Brute Force Attacks
• Protect Your Magento Installation Password Guessing New Update
• Security Best Practices
• Adding and Configuring Two-Factor Authentication in Magento for  2.1.x,  2.2.x, and  2.3.x

Attached files