
Can anyone tell me how I can change the path to the admin on SilverStripe 3.1.x? A site I built has a medium risk security issue outstanding from a security scan - apparently the path /admin is too easy to guess.

The recommendation is to:

Modify the link, name or location of the administrative login page so it cannot be easily identified/guessed by an unauthorized user. If only internal users require access, implement additional restrictions to restrict access from the Internet.

I found something for SilverStripe 2.x here: http://www.silverstripe.org/archive/show/3550 , but I need something similar for SilverStripe 3.1.x

F Merali
D-L
  • well if you do in cms a $grep -lr 'admin' * _config/routes.yml code/controllers/AssetAdmin.php code/controllers/CMSMain.php code/controllers/ReportAdmin.php code/model/SiteTree.php code/model/VirtualPage.php code/reports/Report.php css/CMSMain.css css/screen.css javascript/AssetAdmin.js javascript/CMSPageHistoryController.js ... total of 86 hits if you count tests and lang. – munomono Jun 09 '14 at 22:05
  • Thanks, but then I'd be modifying the core codebase all over the place. Is there not a way to achieve this by adding config/routing options into a config file rather than hacking away at the core? – D-L Jun 09 '14 at 22:27

2 Answers


Not fully tested, but adding these to your config.yml seems to do the trick:

Director:
  rules:
    # drop the default /admin route
    'admin': ''
    # register the new path and send it to the admin root controller
    'fancyLongAdminURL': 'AdminRootController'
# the admin controllers build their own links from url_base, so change it there too
AdminRootController:
  url_base: 'fancyLongAdminURL'
LeftAndMain:
  url_base: 'fancyLongAdminURL'

The only thing I can see not working is the myProfile link in the top left corner. But that's because the URL is hard-coded in the template LeftAndMain_Menu.ss, which you could override with your own.

Edit: The above should work fine for the framework. For the CMS and other modules, this will have to be investigated and may need more classes/templates overrides, for example:

  • The CMS seems to have the admin URL hard-coded in Install_deleteinstallfiles.ss, AssetAdmin.js, VirtualPage.php, SiteTree.php, AssetAdmin.php, routes.yml....
  • The Reports module has it hard-coded in Report.php

In those cases maybe a URLRewrite might be more convenient until this is implemented in the core.

Update: This has now been merged into the master branch so it should make its way into the next 4.0 release: https://github.com/silverstripe/silverstripe-framework/pull/3274

colymba
  • colymba - thank you so much! You're a legend! That worked perfectly. I knew there had to be a simple way of doing this. – D-L Jun 10 '14 at 09:19
  • For the benefit of others looking to do the same thing, to change myProfile link, I copied LeftAndMain_Menu.ss from framework/admin/templates/Includes/LeftAndMain_Menu.ss to mysite/templates/Includes/LeftAndMain_Menu.ss and then I changed line 15 from to – D-L Jun 10 '14 at 10:33
  • I noticed that the links in the Reports section didn't update - they still have /admin in the links, but I'm guessing there must be another reason for that. – D-L Jun 10 '14 at 10:36
  • Updated the answer above, but in short, the CMS has quite a few instances or hardcoded admin URLs, same for the report module... – colymba Jun 10 '14 at 11:04
  • Thanks again, colymba. You Rock! – D-L Jun 10 '14 at 11:10
  • Just putting it out there: this **doesn't** hide the login page. That's still at `Security/login` and it's really easy to get the new login URL (in 3.1 at least). Just visit your-site.com/AdminRootController. –  Jun 10 '14 at 11:35

No, there isn't currently any mechanism for changing the admin path. If this is something you really think should be in core, you could consider raising an issue for it.

It's interesting that there is an issue with this. SilverStripe is used for a large number of Government websites and the website of a major bank, so it should have passed quite a few code audits in the past.

The best course of action would be to use .htaccess or similar method to restrict access to /admin to a whitelist of IP addresses. This is far more secure than simply changing the path - "security through obfuscation" is not true security.

irogue
  • Thanks, irogue. I will be implementing IP restriction too - since they require this to be done also. – D-L Jun 10 '14 at 09:18
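As an added example (not code from either answer), the IP restriction irogue recommends, written as mod_rewrite rules for the site's root .htaccess. It assumes mod_rewrite is enabled, that the site lives at the web root, and uses placeholder TEST-NET addresses for the whitelist; the renamed path `fancyLongAdminURL` is taken from colymba's answer.

```apache
# Added example, not part of the answers above. Put this in the site's root
# .htaccess *before* SilverStripe's own RewriteRule that hands requests to
# framework/main.php, because /admin is a virtual route, not a directory
# (so <Files>/<Directory> matching would never see it).
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Cover the default path, the renamed path from the accepted answer, and
    # Security/login, which the comment above notes stays reachable after the
    # rename. The trailing (/|$) keeps /administration-style pages unaffected.
    RewriteCond %{REQUEST_URI} ^/(admin|fancyLongAdminURL|Security/login)(/|$) [NC]

    # Placeholder whitelist (TEST-NET ranges): one office /24 and one VPN host.
    # Every RewriteCond must hold for the block to fire, so listing several
    # !-conditions means "deny unless the client matches any of these".
    RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.[0-9]+$
    RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.17$

    # "-" means no substitution; F answers 403 Forbidden, L stops processing.
    RewriteRule ^ - [F,L]
</IfModule>
```

Two caveats: behind a load balancer or CDN, REMOTE_ADDR is the proxy's address, so the check must be done on the proxy or against a trusted forwarded header instead; and if the site is installed in a sub-directory, the REQUEST_URI pattern needs that prefix.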