What is the Exposed Admin Portal to Internet Vulnerability?

Administrator interfaces may be present in the application or on the application server to allow certain users to perform privileged site operations. Tests should be performed to determine whether and how an unauthorized or normal user may gain access to this privileged capability.

An administrator interface may be required for an application to allow a privileged user access to capabilities that may modify how the site runs. Among these modifications are:

  • user account provisioning
  • site design and layout
  • data manipulation
  • configuration changes

In many cases, such interfaces lack sufficient protections to prevent unwanted access. The goal of testing is to locate these administrator interfaces and get access to privileged user capabilities.

A more thorough examination of the server and application components should be performed to ensure hardening (e.g., administrator pages are restricted by IP filtering or other controls rather than accessible to everyone) and, where applicable, to verify that no component uses default credentials or configurations. The source code should be checked to verify that the authorization and authentication model clearly separates the roles of normal users and site administrators. User interface features shared by regular and administrator users should be evaluated to verify that the shared components are rendered with a clear distinction between the two roles and that no administrative information leaks through such shared functionality.
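The following is an added example, not code from the original page or from ZOFixer: it shows the weak access pattern the text warns about (the admin menu is merely hidden, so any logged-in user who knows the URL gets in) beside a hardened check that enforces an explicit admin role and a source-IP allowlist on the server. The `User`, `Request`, `ADMIN_NETS` and `TRUSTED_PROXIES` names and the 10.0.0.0/8 addresses are assumptions constructed for this example. It also handles the edge case that IP filtering usually gets wrong: `X-Forwarded-For` is only honoured when the TCP peer is a trusted reverse proxy.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str] = frozenset()


@dataclass
class Request:
    path: str
    remote_addr: str                    # TCP peer address seen by the app server
    headers: Dict[str, str] = field(default_factory=dict)
    user: Optional[User] = None


# Constructed for this example: the management network that may reach the
# admin portal, and the reverse proxy whose X-Forwarded-For header is trusted.
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]


def client_ip(req: Request):
    """Resolve the real client address.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    otherwise any internet client could claim a management-network address
    simply by sending the header itself.
    """
    peer = ipaddress.ip_address(req.remote_addr)
    xff = req.headers.get("X-Forwarded-For", "")
    if xff and any(peer in net for net in TRUSTED_PROXIES):
        # The trusted proxy appends the address it saw as the last element.
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer


def weak_admin_check(req: Request) -> bool:
    """Weak pattern: the admin link is hidden from ordinary users in the UI,
    but any authenticated user who requests the URL reaches the admin pages."""
    return req.user is not None


def hardened_admin_check(req: Request) -> bool:
    """Hardened pattern: explicit admin role AND explicit source-network
    restriction, both evaluated server side on every request to the path."""
    if req.user is None or "admin" not in req.user.roles:
        return False
    return any(client_ip(req) in net for net in ADMIN_NETS)
```

The network check belongs at the edge (web server or proxy) as well as in the application; doing it only in application code means a misconfigured proxy that forwards unauthenticated traffic still exposes the portal, and doing it only at the edge means an internal user without the admin role still gets through.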

Each web framework may have its own set of default administrative pages or paths. For example:

WebSphere:

/admin
/admin-authz.xml
/admin.conf
/admin.passwd
/admin/*
/admin/logon.jsp
/admin/secure/logon.jsp

PHP:

/phpinfo
/phpmyadmin/
/phpMyAdmin/
/mysqladmin/
/MySQLadmin
/MySQLAdmin
/login.php
/logon.php
/xmlrpc.php
/dbadmin

FrontPage:

/admin.dll
/admin.exe
/administrators.pwd
/author.dll
/author.exe
/author.log
/authors.pwd
/cgi-bin

WebLogic:

/AdminCaptureRootCA
/AdminClients
/AdminConnections
/AdminEvents
/AdminJDBC
/AdminLicense
/AdminMain
/AdminProps
/AdminRealm
/AdminThreads

WordPress:

wp-admin/
wp-admin/about.php
wp-admin/admin-ajax.php
wp-admin/admin-db.php
wp-admin/admin-footer.php
wp-admin/admin-functions.php
wp-admin/admin-header.php
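The path lists above are also useful on the detection side. The following is an added example, not code from the original page or from ZOFixer: it reads web server access log lines, matches the request path against the framework default admin paths listed above (a leading "/" is added to the WordPress entries, and "/admin/*" is covered by prefix matching on "/admin"), and reports any admin-path request from a client outside the management network, distinguishing requests the server actually served (2xx/3xx, the portal is reachable from the internet) from those a filter or auth wall refused. The Combined Log Format regex, the 10.0.5.0/24 allowlist and the sample log lines are assumptions constructed for this example.

```python
import ipaddress
import re
from typing import Iterable, List, NamedTuple, Optional

# Framework default admin paths from the lists above (leading "/" added to the
# WordPress entries; "/admin/*" is handled by prefix matching on "/admin").
ADMIN_PATHS = {
    "WebSphere": ["/admin", "/admin-authz.xml", "/admin.conf", "/admin.passwd",
                  "/admin/logon.jsp", "/admin/secure/logon.jsp"],
    "PHP": ["/phpinfo", "/phpmyadmin/", "/phpMyAdmin/", "/mysqladmin/", "/MySQLadmin",
            "/MySQLAdmin", "/login.php", "/logon.php", "/xmlrpc.php", "/dbadmin"],
    "FrontPage": ["/admin.dll", "/admin.exe", "/administrators.pwd", "/author.dll",
                  "/author.exe", "/author.log", "/authors.pwd", "/cgi-bin"],
    "WebLogic": ["/AdminCaptureRootCA", "/AdminClients", "/AdminConnections",
                 "/AdminEvents", "/AdminJDBC", "/AdminLicense", "/AdminMain",
                 "/AdminProps", "/AdminRealm", "/AdminThreads"],
    "WordPress": ["/wp-admin/", "/wp-admin/about.php", "/wp-admin/admin-ajax.php",
                  "/wp-admin/admin-db.php", "/wp-admin/admin-footer.php",
                  "/wp-admin/admin-functions.php", "/wp-admin/admin-header.php"],
}

# Lower-cased lookup so case-insensitive servers (e.g. IIS) are covered too.
_KNOWN = {p.lower(): fw for fw, paths in ADMIN_PATHS.items() for p in paths}

# Combined Log Format as written by Apache/nginx defaults (assumption).
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


class Finding(NamedTuple):
    client_ip: str
    path: str
    status: int
    framework: str
    verdict: str          # "reachable" (2xx/3xx) or "refused" (4xx/5xx)


def match_admin_path(target: str) -> Optional[str]:
    """Return the framework whose default admin path the request target hits."""
    path = target.split("?", 1)[0].lower()
    for known, fw in _KNOWN.items():
        if known.endswith("/"):
            if path.startswith(known):          # directory entry: any child
                return fw
        elif path == known or path.startswith(known + "/"):
            return fw
    return None


def audit_access_log(lines: Iterable[str], allowlist: List[str]) -> List[Finding]:
    """Flag admin-path requests from clients outside the management networks."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    findings: List[Finding] = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue                            # unparseable line: skip it
        fw = match_admin_path(m["target"])
        if fw is None:
            continue                            # not an admin path
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in nets):
            continue                            # management network: expected
        status = int(m["status"])
        verdict = "reachable" if status < 400 else "refused"
        findings.append(Finding(m["ip"], m["target"].split("?", 1)[0], status, fw, verdict))
    return findings


# Constructed sample log lines for this example (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.5.10 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:57:12 +0000] "GET /phpMyAdmin/ HTTP/1.1" 403 199 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Oct/2023:13:57:13 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Oct/2023:13:57:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "curl/8.0"',
    '192.0.2.9 - - [10/Oct/2023:13:58:40 +0000] "GET /AdminMain?x=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'this line is not in combined log format',
]


def run_sample() -> List[Finding]:
    """Audit the constructed sample with 10.0.5.0/24 as the management network."""
    return audit_access_log(SAMPLE_LOG, ["10.0.5.0/24"])


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.verdict:9} {f.client_ip:15} {f.status} {f.framework:10} {f.path}")
```

A "reachable" finding from an external address is the condition this page describes: the portal answered a client that should never have been able to reach it. "refused" findings are still worth a look, since they show which default paths are being requested and confirm that the IP filter or authentication wall is doing its job.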

The ZOFixer.com security scan helps find this vulnerability in your software and servers; you can use it by registering on our website and activating the 30-day trial.
