I just found a file in my root directory called _admin_access.php which seems to allow access to the admin area without a password. Is this file a security risk, or is it there to specifically allow Avactis Support to get into the admin area?
I've temporarily removed this file until someone can assure me it's meant to be there!
The strange thing is that it's not in my test server.
Where was that file located in your store? I just took a quick glance through the server for my installation of 1.8.2, and I did not see it listed.
Also, what was the original version that you installed (did you install 1.6 and upgrade over the years)? I am just wondering if this file is left over from previous versions, and whether it might have been required in those previous versions and not required for the most recent version, 1.8.2.
1.8.2 was the first version that I installed. I'm not sure if the file is normally invisible, but I set my FTP client to show invisible files so that I could access .htaccess. It was in the root of the web folder.
I had a reply from Support saying it's used by them during debugging (they're currently trying to resolve issues with Maestro card payments via PayPal Website Payments Pro UK) and should not be a security risk because 1) it's limited to allowing entry by specific IP addresses and 2) they remove it when they're finished.
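One way to spot a file like this before Support tells you about it is to compare the web root against a manifest of the files your release actually ships. The script below is an added example, not Avactis code: the manifest and the sample web root are constructed here (a real manifest would be generated from a clean copy of the same version, such as the test server mentioned above), and the file name _admin_access.php is taken from this thread.

```python
"""Audit a web root for files that are not part of the shipped release.

Added example (not Avactis code): an installed-file manifest is compared
against what is actually on disk, so that a vendor or support file such as
_admin_access.php left in the web root is reported, hidden or not.
"""
import os
import tempfile

# Constructed manifest of a hypothetical release; a real one would be
# generated from a clean copy of the same version (e.g. the test server).
KNOWN_FILES = {"index.php", ".htaccess", "avactis-system/config.php"}


def list_files(web_root):
    """Return every file under web_root as a relative POSIX path, dotfiles included."""
    found = set()
    for dirpath, _dirnames, filenames in os.walk(web_root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), web_root)
            found.add(rel.replace(os.sep, "/"))
    return found


def audit_web_root(web_root, manifest=KNOWN_FILES):
    """Return (unexpected, missing): files not in the manifest, and manifest files absent."""
    present = list_files(web_root)
    unexpected = sorted(present - set(manifest))
    missing = sorted(set(manifest) - present)
    return unexpected, missing


def build_sample_root():
    """Create a constructed web root that mimics the situation in the thread."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel in KNOWN_FILES | {"_admin_access.php"}:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
    return root


if __name__ == "__main__":
    root = build_sample_root()
    extra, gone = audit_web_root(root)
    print("unexpected files:", extra)  # ['_admin_access.php']
    print("missing files:", gone)      # []
```

Running this after every Support session (or from cron) turns "they remove it when they're finished" into something you can verify rather than take on trust.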
That would be a useful file to have. I'm working on an admin addon but haven't figured out how to combine logons; any chance you could make that file available? :-)