Magento RSS Brute Force

chris

Creativemgroup, a Magento specialist agency who work with a number of our Magento clients, have discovered a new threat to Magento stores that affects both Magento 1 and Magento 2.

By exploiting the built-in RSS feed functionality, it is possible to pass a brute-force attack through to the Magento admin login. Over 30 days they recorded 128,500 attempts to gain access to one site through this vulnerability, and the rules below blocked them all. The brute force is not only a security issue: the load it puts on the server can also cause site disruptions.

They, and we, recommend adding the following rules to your .htaccess or NGINX config if you are not using the RSS functionality:

Apache/htaccess

For Apache, block access to the admin RSS feeds entirely by redirecting any matching request back to the homepage.

# Match any request path containing /rss/catalog or /rss/order (NC = case-insensitive).
# Note this also covers the public catalog feeds, which is fine if RSS is not in use.
RewriteCond %{REQUEST_URI} ^.*/RSS/CATALOG [OR,NC]
RewriteCond %{REQUEST_URI} ^.*/RSS/ORDER [NC]
# Send matching requests to the homepage instead of the admin RSS auth handler.
RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]

NGINX

# Place these inside the server {} block; ~* makes the match case-insensitive.
location ~* /rss/order/new {
    return 403;
}
location ~* /rss/catalog/notifystock {
    return 403;
}
location ~* /rss/catalog/review {
    return 403;
}
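As an added example (not part of the original post), here is a small Python script that scans a combined-format web server access log for repeated non-successful requests to the admin RSS endpoints these rules cover, so you can confirm the attempts are hitting your site and, after applying the rules, that they are now answered by the web server (403 or 302) rather than reaching Magento's admin login. The log lines, IP addresses and the flagging threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache/NGINX combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Admin RSS feeds (the same paths the NGINX rules above block); case-insensitive to
# mirror the NC flag / ~* modifier, since attackers can vary the case of the path.
ADMIN_RSS_RE = re.compile(r'/rss/(order/new|catalog/(notifystock|review))', re.IGNORECASE)

def admin_rss_hits(lines):
    """Count requests to the admin RSS endpoints per source IP, split by HTTP status.
    Returns {ip: Counter({status: count})}."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or not ADMIN_RSS_RE.search(m.group("path")):
            continue
        hits[m.group("ip")][m.group("status")] += 1
    return hits

def flag_bruteforce(lines, threshold=20):
    """Return [(ip, rejected_count)] for IPs whose non-2xx requests to the admin RSS
    endpoints reach the threshold (401 = reached Magento's auth and failed, 403/302 =
    stopped by the web server rules), highest count first."""
    flagged = []
    for ip, by_status in admin_rss_hits(lines).items():
        rejected = sum(n for status, n in by_status.items() if not status.startswith("2"))
        if rejected >= threshold:
            flagged.append((ip, rejected))
    return sorted(flagged, key=lambda t: -t[1])

def _line(ip, path, status):
    # Build a constructed combined-format log line (timestamp and sizes are dummies).
    return f'{ip} - - [10/Oct/2023:13:55:36 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

# Constructed sample log: one noisy source, one low-volume source, and benign traffic.
SAMPLE_LOG = (
    [_line("203.0.113.7", "/rss/order/new", 401) for _ in range(24)]
    + [_line("203.0.113.7", "/RSS/CATALOG/REVIEW", 403)]        # blocked by the new rule
    + [_line("198.51.100.4", "/rss/catalog/notifystock", 401) for _ in range(3)]
    + [_line("192.0.2.10", "/rss/catalog/new", 200)]             # public feed, not admin
    + [_line("192.0.2.11", "/checkout/cart/", 200)]
)

if __name__ == "__main__":
    for ip, count in flag_bruteforce(SAMPLE_LOG):
        print(f"{ip}: {count} rejected admin RSS requests")
```

Run it against a real log with `flag_bruteforce(open("access.log"))` and tune the threshold to the volume you normally see.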