What is Exposed Admin Portal To Internet Vulnerability?

Administrator interfaces may be present in the application or on the application server to allow certain users to perform privileged site operations. Tests should be performed to determine whether and how an unauthorized or normal user may gain access to this privileged capability.

An administrator interface may be required for an application to allow a privileged user access to capabilities that may modify how the site runs. Among these modifications are:

user account provisioning
site design and layout
data manipulation
configuration changes

In many cases, such interfaces lack sufficient protections to prevent unwanted access. The goal of testing is to locate these administrator interfaces and get access to privileged user capabilities.

A more thorough examination of the server and application components should be performed to ensure hardening (e.g., administrator pages are not accessible to everyone via IP filtering or other controls) and, where applicable, verification that all components do not use default credentials or configurations. The source code should be checked to verify that the authorization and authentication model clearly separates roles between normal users and site administrators. User interface features shared by regular and administrator users should be evaluated to verify that there is a clear distinction between the drawing of such components and information leaking from such shared functionality.

Each web framework may have its own set of administrative default pages or paths. As an example,

WebSphere:

/admin
/admin-authz.xml
/admin.conf
/admin.passwd
/admin/*
/admin/logon.jsp
/admin/secure/logon.jsp

PHP:

/phpinfo
/phpmyadmin/
/phpMyAdmin/
/mysqladmin/
/MySQLadmin
/MySQLAdmin
/login.php
/logon.php
/xmlrpc.php
/dbadmin

FrontPage:

/admin.dll
/admin.exe
/administrators.pwd
/author.dll
/author.exe
/author.log
/authors.pwd
/cgi-bin

WebLogic:

/AdminCaptureRootCA
/AdminClients
/AdminConnections
/AdminEvents
/AdminJDBC
/AdminLicense
/AdminMain
/AdminProps
/AdminRealm
/AdminThreads

WordPress:

wp-admin/
wp-admin/about.php
wp-admin/admin-ajax.php
wp-admin/admin-db.php
wp-admin/admin-footer.php
wp-admin/admin-functions.php
wp-admin/admin-header.php

ZOFixer.com security scan helps to find this vulnerability in your software and server, you can easily use it by registering on our website and activating the 30-day trial.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Related Posts

Leave a Comment Cancel Reply