29

Since Magento uses the /downloader as a way to conveniently install programs via Magento Connect Manager it is apparent that this is also a security concern since it allows the possibility for bots or people to attempt to learn credentials for the installation.

Checking access logs to my website, I was alarmed at the amount of attempts to the www.mysite.com/downloader.

As a work around I've gotten into the habit of renaming the downloader directory to downloader.offline but occasionally I forget. (Either to rename it back to install a program or after I'm done).

What is the recommended method to protect this link?

Fabian Schmengler
SR_Magento
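The asker spotted the probing by reading access logs by hand. As an added example (not from the question or any of the answers), the shell function below does the same count per client IP over an Apache/nginx combined-format log, so you can see who is hammering /downloader before deciding what to block. The log lines are constructed sample data, not real traffic.

```shell
#!/bin/sh
# Added example, not from the original thread: count requests to the
# Magento /downloader endpoint per client IP from a combined-format log.
# SAMPLE_LOG is constructed test data (RFC 5737 documentation addresses).

SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [10/Jan/2016:10:01:02 +0000] "GET /downloader/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2016:10:01:03 +0000] "POST /downloader/index.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2016:10:01:04 +0000] "POST /downloader/index.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2016:10:02:00 +0000] "GET /downloader HTTP/1.1" 301 0 "-" "python-requests/2.9"
192.0.2.1 - - [10/Jan/2016:10:03:00 +0000] "GET /index.php/ HTTP/1.1" 200 20000 "-" "Mozilla/5.0"
192.0.2.1 - - [10/Jan/2016:10:03:05 +0000] "GET /skin/frontend/downloader.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
EOF
)

# Reads a combined-format log on stdin and prints "count ip" lines, busiest
# first, for requests whose path is exactly /downloader or under /downloader/.
# Field 7 is the request path; a path that merely contains the word
# (e.g. /skin/frontend/downloader.css) is deliberately not counted.
downloader_hits_by_ip() {
    awk '$7 == "/downloader" || $7 ~ /^\/downloader\// { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Number of /downloader hits for one IP in the sample log (empty if none).
sample_hits_for() {
    printf '%s\n' "$SAMPLE_LOG" | downloader_hits_by_ip \
        | awk -v ip="$1" '$2 == ip { print $1 }'
}

# Number of distinct IPs that touched /downloader in the sample log.
sample_ip_count() {
    printf '%s\n' "$SAMPLE_LOG" | downloader_hits_by_ip | wc -l | tr -d ' '
}

# Stand-alone run: show the per-IP table for the sample data.
printf '%s\n' "$SAMPLE_LOG" | downloader_hits_by_ip
```

On a real server, pipe the actual log in instead of the sample: `downloader_hits_by_ip < /var/log/apache2/access.log` (path assumed; adjust for your host).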

5 Answers

37

Just put a .htaccess (or if nginx/whatever a config) into the downloader directory with Disallow from all in it to forbid any request on the directory.

If you wanted to allow a few IP addresses in (like your own), try something like this in your .htaccess

order deny,allow
deny from all
allow from 1.2.3.4 5.6.7.8

Where 1.2.3.4 and 5.6.7.8 are IP addresses you want to let through.

My preferred way: Just delete downloader

Fabian Blechschmidt
17

Along with @daniel-sloof's recommendation I would say to ditch the Magento Connect installer altogether. I generally add it to .gitignore when setting up a new repository.

The reason being, as Fabian points out in his answer comments, that there is no way to ensure the replication of your production environment in source control without committing the packages from Connect. The feature you'll be losing here is the ability to update/upgrade packages from Connect - but if you really need that functionality you can always do it locally on your dev box and commit the results when you're satisfied that they work.

tl;dr:

Delete the /downloader folder or remove it from your source control.

philwinkle
    Kind of annoying though, not having access to ./mage any more. I assume the ./mage install CLI command is just a wrapper for Magento Connect. edit: Actually I can just use magerun extension:install :) – Erfan Apr 09 '15 at 01:52
  • :/ N98-Magerun is also a wrapper for downloader/mage.php. I guess you could just copy /downloader to your local dev environment if you need to install something – Erfan Apr 09 '15 at 02:19
  • For some reason, I only ever find myself running ./mage as a file downloader on my development server anymore. Its only reason for existence on live environments is patch dependencies anymore. – Fiasco Labs Nov 17 '15 at 16:10
6

I usually delete the downloader directory, but also found the following directive in the root htaccess helpful:

RewriteRule ^downloader/ - [L,R=404]

Which will make Apache send a 404 response even if the downloader directory is present.

Fabian Schmengler
  • I like this method too – SR_Magento Jan 21 '16 at 11:09
  • Doesn't work for all downloader requests. Try www.mysite.com/index.php/myadminurl/index/downloader – David Wilkins Mar 02 '16 at 19:44
  • Although, the method in my other comment isn't really accessing the downloader, it's just a shortcut (longcut?) to the admin login. Someone would have to know your adminurl for this to work. If you haven't patched the adminurl disclosure vulnerability, it is likely for someone to obtain it. – David Wilkins Mar 02 '16 at 20:04
  • Worked for me too. Perfection. – sandip Dec 26 '16 at 06:57
5

What about renaming the downloader folder? In case of need it can easily be renamed back to "downloader", doing the update and install as needed, and then changing it again. It seems to work for me.

dadda
1

rm -rf downloader/

https://www.zdnet.com/article/magento-online-stores-hacked-in-largest-campaign-to-date/

OpenMage LTS also removed it a while ago https://github.com/OpenMage/magento-lts/commit/c02c9ed53b990a7549a89c03346d755aa11e263e

Use OpenMage LTS to be as secure 'as possible' https://github.com/OpenMage/magento-lts/commit/c02c9ed53b990a7549a89c03346d755aa11e263e

To block the downloader application, add the following rule to your nginx.conf file:

location ~ ^/downloader/ {
    allow xx.xx.xx.xx;
    deny all;
}

snh_nl