VYPR
Moderate severity · NVD Advisory · Published Feb 4, 2026 · Updated Feb 4, 2026

Magento's X-Original-Url header can expose admin url

CVE-2026-25523

Description

Magento-lts is a long-term support alternative to Magento Community Edition (CE). Prior to version 20.16.1, the admin URL can be discovered without prior knowledge of its location by exploiting the X-Original-Url header on some configurations. This issue has been patched in version 20.16.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Magento-lts prior to 20.16.1 allows attackers to discover the admin URL by exploiting the X-Original-Url header on some configurations, bypassing admin panel obscurity.

Vulnerability

Overview

Magento-lts, a long-term support alternative to Magento Community Edition, contains an information disclosure vulnerability in versions prior to 20.16.1. The underlying behaviour is in the bundled Zend Framework 1 request class (Zend_Controller_Request_Http), which honours an X-Original-Url header when it works out the request URI. The header exists for IIS URL-rewrite deployments, but PHP exposes any client-supplied copy of it as $_SERVER['HTTP_X_ORIGINAL_URL'] unless the web server strips it, so the application ends up trusting a value the attacker controls. On some configurations a crafted request carrying this header makes the application reveal the admin path, so a custom admin URL no longer hides the admin panel. The advisory does not spell out which configurations leak, or in which part of the response, so an unpatched instance whose web server forwards the header should be treated as exposed. [1][3]

Exploitation

No authentication is required; any publicly reachable Magento-lts instance on an affected configuration can be probed. Browsers never send X-Original-Url, and most reverse proxies and load balancers neither set nor filter it, so a client-supplied value reaches PHP exactly as the attacker wrote it. A single HTTP request with the header set is enough to trigger the disclosure without prior knowledge of the admin location. [1][3]

Impact

Knowing the admin URL significantly lowers the barrier for further attacks. Attackers can attempt to brute-force credentials or exploit other vulnerabilities specifically targeting the admin panel. This could lead to full administrative control over the Magento-lts installation, resulting in data breaches, defacement, or supply chain attacks. [1][3]

Mitigation

The vulnerability is patched in Magento-lts 20.16.1; later releases, including 20.17.0, carry the same fix. The fix unsets the X-Original-Url header during bootstrap, so the request object never sees a client-supplied value. As a workaround until you can upgrade, strip the header at the web server or reverse proxy in front of PHP (for example `RequestHeader unset X-Original-Url early` with Apache mod_headers, or `proxy_set_header X-Original-Url "";` in an nginx reverse proxy, which drops the field entirely). Make sure the rule covers every path to the origin: a rule only on a CDN or load balancer does nothing if the origin is reachable directly, and the result should be verified from the outside rather than assumed from the config. Upgrade to a patched version as soon as possible. [3]
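The following probe is an added example, not code from the OpenMage project or from this advisory. It checks the one fact the Exploitation and Mitigation paragraphs above turn on: whether a client-supplied X-Original-Url header still reaches the application. It assumes (from Zend Framework 1's Zend_Controller_Request_Http::getRequestUri, which reads $_SERVER['HTTP_X_ORIGINAL_URL'] ahead of REQUEST_URI) that a store which honours the header will route GET / by the header value instead of the real path, so a bogus path in the header should change the response, typically to a 404. The probe never goes near the admin URL; it only tells you whether the header is trusted, which is the same as telling you whether the web-server workaround or the 20.16.1 fix is actually in effect. The store URL and the probe path prefix are placeholders.

```python
"""Probe whether a Magento-lts front end still honours client-supplied X-Original-Url.

Added example; not OpenMage project code.  Assumption: Zend Framework 1 derives the
request URI from $_SERVER['HTTP_X_ORIGINAL_URL'] when that key is set, so a request
for / that carries a nonsense path in the header answers differently (usually 404)
than a plain request for / when the header is still being trusted.
"""
import secrets
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

HEADER = "X-Original-Url"


@dataclass(frozen=True)
class Verdict:
    baseline_status: int   # status of GET / without the header
    probe_status: int      # status of GET / with a bogus X-Original-Url
    header_honoured: bool  # True when the bogus path changed the response


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 3xx vs 200/404 difference is part of the signal."""

    def redirect_request(self, *args, **kwargs):
        return None


def http_status(url, headers=None, timeout=10):
    """Return the HTTP status code of GET url, treating 3xx/4xx/5xx as results, not errors."""
    req = urllib.request.Request(url, headers=headers or {}, method="GET")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def judge(baseline_status, probe_status):
    """The header is honoured when a path that cannot exist changes the response."""
    return Verdict(baseline_status, probe_status, baseline_status != probe_status)


def probe(base_url, fetch=http_status):
    """Compare GET / with and without a bogus X-Original-Url.

    fetch(url, headers) -> status is injectable so the decision logic can be exercised
    offline.  Caveat: a full-page cache (Varnish or similar) in front of the store can
    serve the cached home page regardless of the header and mask a vulnerable origin;
    run the probe against the origin, or with caching bypassed, before trusting a
    negative result.
    """
    bogus = "/__xou-probe-" + secrets.token_hex(8)   # placeholder path; cannot exist on the store
    baseline = fetch(base_url, {})
    probed = fetch(base_url, {HEADER: bogus})
    return judge(baseline, probed)


if __name__ == "__main__":
    # Usage: python probe_xou.py https://store.example.test/
    target = sys.argv[1] if len(sys.argv) > 1 else "https://store.example.test/"  # placeholder URL
    verdict = probe(target)
    state = "STILL HONOURED (unpatched or header not stripped)" if verdict.header_honoured else "ignored"
    print(f"{target}: baseline {verdict.baseline_status}, probe {verdict.probe_status}: header {state}")
```

A difference between the two statuses is strong evidence that the header is being trusted; an identical status is only reassuring once you have ruled out the cache case noted in the docstring. Run it once before and once after applying the header-stripping rule or the upgrade, and keep the output with the change record.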

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: openmage/magento-lts (Packagist)
Affected versions: < 20.16.1
Patched versions: 20.16.1

Affected products

  • OpenMage/magento-lts (v5)
    Range: < 20.16.1

Patches

No patches discovered yet.

References (4)

News mentions

No linked articles in our index yet.