Administrator interfaces may be present in the application or on the application server to allow certain users to perform privileged site operations. Tests should be performed to determine whether and how an unauthorized or normal user may gain access to this privileged capability.
An administrator interface may be required for an application to allow a privileged user access to capabilities that may modify how the site runs. Among these modifications are:
- user account provisioning
- site design and layout
- data manipulation
- configuration changes
In many cases, such interfaces lack sufficient protections to prevent unwanted access. The goal of testing is to locate these administrator interfaces and get access to privileged user capabilities.
A more thorough examination of the server and application components should be performed to ensure hardening (e.g., administrator pages are restricted by IP filtering or other controls rather than being reachable by everyone) and, where applicable, to verify that no component uses default credentials or configurations. The source code should be checked to verify that the authorization and authentication model clearly separates the roles of normal users and site administrators. User interface features shared by regular and administrator users should be evaluated to verify that rendering such shared components for a regular user does not leak administrative information or functionality.
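The role separation and the shared-component point above are easiest to see in code. The following is an added example (not from the original page or any particular framework) that assumes a two-role model ("user" and "admin") and a minimal request object; it places a weak pattern, where an admin operation is protected only by not being linked in the menu, beside a server-side `require_role` gate, and does the same for a dashboard component shared by both roles:

```python
from __future__ import annotations
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Optional


@dataclass(frozen=True)
class User:
    name: str
    role: str  # assumed two-role model: "user" or "admin"


@dataclass(frozen=True)
class Request:
    path: str
    user: Optional[User] = None  # None means unauthenticated


class Unauthorized(Exception):
    """No authenticated user on the request."""


class Forbidden(Exception):
    """Authenticated, but the role does not permit this operation."""


def require_role(role: str):
    """Server-side authorization gate (hypothetical decorator). The check runs on
    every call, regardless of whether the UI ever showed the caller a link."""
    def decorator(handler: Callable):
        @wraps(handler)
        def guarded(req: Request, *args, **kwargs):
            if req.user is None:
                raise Unauthorized(req.path)
            if req.user.role != role:
                raise Forbidden(f"{req.user.name} ({req.user.role}) -> {req.path}")
            return handler(req, *args, **kwargs)
        return guarded
    return decorator


# --- privileged operations (the kind listed above: account provisioning, config) ---
def provision_account_weak(req: Request, new_user: str) -> str:
    # Weak: relies on the admin menu being hidden from normal users; anyone who
    # knows the route can call it.
    return f"provisioned {new_user}"


@require_role("admin")
def provision_account(req: Request, new_user: str) -> str:
    return f"provisioned {new_user}"


@require_role("admin")
def change_site_config(req: Request, key: str, value: str) -> str:
    return f"config {key}={value}"


# --- a UI component shared by regular and administrator users ---------------------
def render_dashboard_weak(req: Request) -> dict:
    # Weak: one widget set for everyone; admin-only data is merely not linked,
    # so the component leaks both privileged data and the admin route name.
    name = req.user.name if req.user else "guest"
    return {"welcome": name, "pending_approvals": 3, "admin_url": "/admin/"}


def render_dashboard(req: Request) -> dict:
    # Hardened: admin-only widgets are added only after the role check.
    widgets = {"welcome": req.user.name if req.user else "guest"}
    if req.user and req.user.role == "admin":
        widgets["pending_approvals"] = 3
        widgets["admin_url"] = "/admin/"
    return widgets


def demo() -> dict:
    """Exercise both patterns with constructed users and report the outcomes."""
    alice = User("alice", "user")
    root = User("root", "admin")
    out = {}
    out["weak_call_by_user"] = provision_account_weak(Request("/admin/users", alice), "carol")
    try:
        provision_account(Request("/admin/users", alice), "carol")
        out["hardened_call_by_user"] = "allowed"
    except Forbidden:
        out["hardened_call_by_user"] = "forbidden"
    try:
        provision_account(Request("/admin/users"), "carol")
        out["anonymous"] = "allowed"
    except Unauthorized:
        out["anonymous"] = "unauthorized"
    out["admin_call"] = provision_account(Request("/admin/users", root), "bob")
    out["config_call"] = change_site_config(Request("/admin/config", root), "theme", "dark")
    out["user_dashboard_keys"] = sorted(render_dashboard(Request("/", alice)))
    out["weak_dashboard_keys"] = sorted(render_dashboard_weak(Request("/", alice)))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the review is the difference between `provision_account_weak` and `provision_account`: in a code audit, look for every privileged handler and confirm that a gate equivalent to `require_role` is applied at the handler (or router) level, not only in the template that decides whether to show the link.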
Each web framework may have its own set of administrative default pages or paths. For example:
WebSphere:
/admin
/admin-authz.xml
/admin.conf
/admin.passwd
/admin/*
/admin/logon.jsp
/admin/secure/logon.jsp
PHP:
/phpinfo
/phpmyadmin/
/phpMyAdmin/
/mysqladmin/
/MySQLadmin
/MySQLAdmin
/login.php
/logon.php
/xmlrpc.php
/dbadmin
FrontPage:
/admin.dll
/admin.exe
/administrators.pwd
/author.dll
/author.exe
/author.log
/authors.pwd
/cgi-bin
WebLogic:
/AdminCaptureRootCA
/AdminClients
/AdminConnections
/AdminEvents
/AdminJDBC
/AdminLicense
/AdminMain
/AdminProps
/AdminRealm
/AdminThreads
WordPress:
wp-admin/
wp-admin/about.php
wp-admin/admin-ajax.php
wp-admin/admin-db.php
wp-admin/admin-footer.php
wp-admin/admin-functions.php
wp-admin/admin-header.php
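A hardening check for a deployment you own follows from the lists above: request each known admin path as an unauthenticated client and confirm that the server refuses (401/403), redirects to a login page, or reports that the path does not exist, rather than serving content. The block below is an added example (not from the original page or from OWASP) that takes a subset of the paths listed above, classifies responses with a hypothetical `classify` function, and runs offline against constructed sample responses; `http_fetch` is provided for running the same audit against a real base URL of your own, with redirects left unfollowed so a bounce to the login page is visible as a 3xx:

```python
from __future__ import annotations
import urllib.error
import urllib.request
from typing import Callable

# Subset of the default admin paths listed above (WebSphere, PHP, FrontPage,
# WebLogic, WordPress), normalised to a leading slash.
ADMIN_PATHS = [
    "/admin/", "/admin/logon.jsp", "/admin.conf", "/admin.passwd",
    "/phpinfo", "/phpmyadmin/", "/xmlrpc.php", "/dbadmin",
    "/admin.dll", "/administrators.pwd", "/authors.pwd",
    "/AdminMain", "/AdminRealm",
    "/wp-admin/", "/wp-admin/admin-ajax.php",
]

# Substrings that identify a redirect target as a login page (assumed heuristic).
LOGIN_HINTS = ("login", "logon", "signin", "sign-in", "auth")

Fetcher = Callable[[str], tuple[int, dict[str, str]]]


def classify(status: int, headers: dict[str, str]) -> str:
    """Verdict for one admin path from an unauthenticated request.
    protected: server refused, or bounced the client to a login page
    absent:    path does not exist on this deployment
    exposed:   content (or a non-login redirect) served anonymously; review it
    """
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307, 308):
        location = next((v for k, v in headers.items() if k.lower() == "location"), "")
        return "protected" if any(h in location.lower() for h in LOGIN_HINTS) else "exposed"
    if status in (404, 410):
        return "absent"
    return "exposed"


def audit(paths: list[str], fetch: Fetcher) -> dict[str, list[str]]:
    """Group every path by verdict; 'exposed' entries are the review queue."""
    report: dict[str, list[str]] = {"protected": [], "absent": [], "exposed": []}
    for path in paths:
        status, headers = fetch(path)
        report[classify(status, headers)].append(path)
    return report


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as HTTPError instead of following it


def http_fetch(base_url: str) -> Fetcher:
    """Real fetcher for a deployment you are authorised to check (e.g. a staging
    host). Sends a single GET per path with no credentials."""
    opener = urllib.request.build_opener(_NoRedirect)

    def fetch(path: str) -> tuple[int, dict[str, str]]:
        req = urllib.request.Request(
            base_url.rstrip("/") + path,
            headers={"User-Agent": "admin-interface-hardening-check"},
        )
        try:
            with opener.open(req, timeout=10) as resp:
                return resp.status, dict(resp.headers)
        except urllib.error.HTTPError as e:
            return e.code, dict(e.headers)
    return fetch


# Constructed sample responses standing in for a server, so the block runs offline.
SAMPLE_RESPONSES: dict[str, tuple[int, dict[str, str]]] = {
    "/admin/": (302, {"Location": "/admin/logon.jsp"}),
    "/admin/logon.jsp": (200, {}),        # the login form itself is public by design
    "/admin.conf": (403, {}),
    "/admin.passwd": (403, {}),
    "/phpinfo": (200, {}),                # configuration disclosure: must be removed
    "/phpmyadmin/": (401, {"WWW-Authenticate": 'Basic realm="phpMyAdmin"'}),
    "/xmlrpc.php": (405, {"Allow": "POST"}),
    "/wp-admin/": (302, {"Location": "https://example.test/wp-login.php?redirect_to=%2Fwp-admin%2F"}),
    "/wp-admin/admin-ajax.php": (200, {}),
}


def sample_fetch(path: str) -> tuple[int, dict[str, str]]:
    return SAMPLE_RESPONSES.get(path, (404, {}))


def sample_audit() -> dict[str, list[str]]:
    return audit(ADMIN_PATHS, sample_fetch)


if __name__ == "__main__":
    for verdict, paths in sample_audit().items():
        print(f"{verdict}: {paths}")
```

Treat "exposed" as a review queue, not a verdict: a 200 on the login form itself is expected, while a 200 on `/phpinfo` or a database console is a finding. The IP-filtering control mentioned above cannot be confirmed from inside the allowed range; run the same audit from a vantage point outside the allowlist and expect every listed path to come back protected or absent.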
The ZOFixer.com security scan helps find this vulnerability in your software and server; you can use it by registering on our website and activating the 30-day trial.