Description
Magento's X-Original-Url header can expose the admin URL
Impact
The admin URL can be discovered without prior knowledge of its location by sending a crafted X-Original-Url request header, on some configurations. The header is one of the sources Zend_Controller_Request_Http uses to reconstruct the request URI (it is meant to be set server-side by IIS rewrite modules), but it is accepted from any HTTP client, so Magento's path-based routing and URL handling follow an attacker-chosen path instead of the path on the request line. A non-default admin path that is relied on to keep the backend hidden offers no protection against this.
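The following is an added model of the request-URI resolution described above; it is not code from OpenMage, Magento or Zend. The header precedence (HTTP_X_ORIGINAL_URL, then HTTP_X_REWRITE_URL, then IIS_WasUrlRewritten with UNENCODED_URL, then REQUEST_URI) follows Zend_Controller_Request_Http::setRequestUri(). The admin front name and the two-way router are constructed stand-ins for Magento's routing, and the advisory does not spell out how the routing mismatch turns into a leak, so the model stops at the routing decision; the hardened variant and its iis_rewrite switch are an assumed design, not the 20.16.1 patch.

```python
"""Model of Zend Framework 1 request-URI resolution showing why a
client-supplied X-Original-Url header lets the sender pick the routed path.

Added example for this advisory, not project code. The precedence mirrors
Zend_Controller_Request_Http::setRequestUri(); the router and the admin
front name below are constructed stand-ins for Magento's routing.
"""
from __future__ import annotations

ADMIN_FRONT_NAME = "admin"  # constructed: default front name of the admin router


def cgi_environment(request_target: str, headers: dict[str, str]) -> dict[str, str]:
    """Build the $_SERVER view PHP gets under CGI/FastCGI.

    REQUEST_URI comes from the request line; every request header, trusted or
    not, is copied to HTTP_<NAME> with '-' turned into '_'. Nothing tells PHP
    whether a header was added by an IIS rewrite module or by the client.
    """
    env = {"REQUEST_URI": request_target}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def request_uri_zend(env: dict[str, str]) -> str:
    """Vulnerable resolution: the rewrite headers win over the request line."""
    if "HTTP_X_ORIGINAL_URL" in env:          # IIS with Microsoft Rewrite Module
        return env["HTTP_X_ORIGINAL_URL"]
    if "HTTP_X_REWRITE_URL" in env:           # IIS with ISAPI_Rewrite
        return env["HTTP_X_REWRITE_URL"]
    if env.get("IIS_WasUrlRewritten") == "1" and env.get("UNENCODED_URL"):
        return env["UNENCODED_URL"]           # IIS7 URL Rewrite, unencoded form
    return env.get("REQUEST_URI", "/")


def request_uri_hardened(env: dict[str, str], iis_rewrite: bool = False) -> str:
    """Hardened resolution (assumed design): consult the rewrite headers only
    when the operator declares the deployment is IIS with a rewrite module;
    everywhere else the request line is the only source of truth."""
    if iis_rewrite:
        return request_uri_zend(env)
    return env.get("REQUEST_URI", "/")


def route(path: str) -> str:
    """Constructed router: a first path segment equal to the admin front name
    selects the admin area, anything else the storefront."""
    segments = path.lstrip("/").split("/")
    if segments and segments[0] == "index.php":   # Magento URLs may carry the script name
        segments = segments[1:]
    return "admin" if segments and segments[0] == ADMIN_FRONT_NAME else "frontend"


def dispatch(request_target: str, headers: dict[str, str], *, hardened: bool) -> tuple[str, str]:
    """Resolve the request URI the way each variant does and return
    (resolved path, router chosen)."""
    env = cgi_environment(request_target, headers)
    path = request_uri_hardened(env) if hardened else request_uri_zend(env)
    return path, route(path)


if __name__ == "__main__":
    # Constructed probe: the request line asks for '/', the header claims the
    # request was originally for the admin front name.
    spoof = {"X-Original-Url": f"/{ADMIN_FRONT_NAME}/"}
    print(dispatch("/", spoof, hardened=False))   # ('/admin/', 'admin')
    print(dispatch("/", spoof, hardened=True))    # ('/', 'frontend')
    # Without the header both variants agree on the request line.
    print(dispatch("/catalog/", {}, hardened=False))   # ('/catalog/', 'frontend')
```

The point the model makes is that nothing in $_SERVER distinguishes a header an IIS rewrite module added from one the client sent, so any consumer that trusts HTTP_X_ORIGINAL_URL unconditionally is routing on attacker input.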
Patches
The behaviour comes from the bundled Zend Framework 1 library: Zend_Controller_Request_Http::setRequestUri() consults $_SERVER['HTTP_X_ORIGINAL_URL'] and $_SERVER['HTTP_X_REWRITE_URL'] before $_SERVER['REQUEST_URI']. The issue is patched in openmage/magento-lts 20.16.1.
Workarounds
Unset the X-Original-Url header in the web server configuration so that it never reaches PHP. The same Zend code path also consults X-Rewrite-Url, so unset that header as well unless the site really runs on IIS with a rewrite module. Remove the header rather than blanking it: the Zend check is isset(), so an X-Original-Url header that arrives with an empty value still replaces the request URI.
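An example of that workaround for Apache, added here and not taken from the OpenMage project: mod_headers removes both headers in the early request phase, before mod_php or a FastCGI handler sees them. The vhost layout is assumed.

```apache
# Strip client-supplied rewrite headers before PHP can read them (mod_headers).
# 'early' runs the unset in the early request-processing phase, so neither
# mod_php nor mod_proxy_fcgi ever sees HTTP_X_ORIGINAL_URL / HTTP_X_REWRITE_URL.
<VirtualHost *:443>
    ServerName shop.example        # assumed host name
    DocumentRoot /var/www/magento  # assumed document root

    <IfModule mod_headers.c>
        RequestHeader unset X-Original-Url early
        RequestHeader unset X-Rewrite-Url  early
    </IfModule>
</VirtualHost>
```

For nginx in front of PHP-FPM, the unambiguous equivalent is to refuse the request in the server block (`if ($http_x_original_url) { return 400; }`, likewise for `$http_x_rewrite_url`) rather than overriding the FastCGI param with an empty value, which would hand PHP an empty string that isset() still accepts. To confirm the change, send a request with `X-Original-Url: /` pointing at a path that differs from the request line and check that the response is identical to the same request without the header.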
Resources
https://hackerone.com/bugs?subject=openmage&report_id=3416312
On deeper investigation the header handling was initially not found, because the search had excluded the vendor/ directory; it comes from the Zend_Controller module. A tip describing the same behaviour dates from 2016, so it is surprising that this was not patched already:
https://peterocallaghan.co.uk/2016/12/magento-poisoning-cache/ (link now dead)
Credit
Anees Hyder (anees0x_dev) on HackerOne https://hackerone.com/anees0x_dev/hacktivity?type=user
Packages
openmage/magento-lts
Affected versions: < 20.16.1
Patched versions: 20.16.1
Related vulnerabilities
Magento-lts is a long-term support alternative to Magento Community Edition (CE). Prior to version 20.16.1, the admin URL can be discovered without prior knowledge of its location by exploiting the X-Original-Url header on some configurations. This issue has been patched in version 20.16.1.