The most important item, and the first thing hackers will check on your Magento site, is which security patches are installed. More important to them are the security patches that are missing, because each missing patch tells them which of the following weaknesses your site is exposed to:
- Admin Path Disclosure
- Customer Data Leaks
- SSRF API Vulnerability
- Admin Routing
- Ability for Remote Code Execution
A public admin login is vulnerable to exploits (like Shoplift) and brute force attacks. Magento owners should rename these paths to something unguessable, use IP protection, and/or use two-factor authentication. The default /admin path is an easy guess for hackers to access your admin panel login screen. From there they can launch their brute force attacks. As mentioned in the last section, if you are missing patches they can also utilize exploits to reveal your admin panel URL.
Log files can contain information about your server, your passwords, and your customers' information. These should not be public on the internet. Most developers and Magento website owners forget to protect the default log folders from being accessible via public URLs. Many times the var/report folder is exposed and not protected.
An exposed version control system contains the source code to your application. This sensitive information should not be available to the public. If you're using Git to maintain your code base, then it's also possible that you or your developer did not remove .git folders or .gitignore files from your public domains. This is a risk to your site because if a hacker can view your source code then they may also be able to see critical login credentials to your site. You don't want a hacker logging into your database, accessing all your customers' data and wreaking havoc.
Development files may contain sensitive information or let attackers modify data in unexpected ways. They do not belong on a production environment. There is a default Magento path, /shell, which contains script files that run on your web server. Many Magento owners forget or don't check to make sure this path is not publicly visible. That one mistake exposes a whole list of shell files that may be core to your Magento instance or scripts left behind by developers. You don't want a hacker coming to your site and running a script file such as www.yourmagentosite.com/shell/clear-all-products.php
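The four exposures above (default admin path, public log and report folders, version control artefacts, and the /shell directory) can all be checked from the server itself before a hacker checks them from the outside. The script below is an added example, not code from the original article or from Magento; it audits a Magento 1 document root on the local filesystem. It assumes the Magento 1 layout (the admin front name in app/etc/local.xml, logs under var/log and var/report) and an Apache deployment where var/.htaccess carries a deny rule; an nginx deployment enforces the same denies in its location blocks, which this script does not inspect. The function returns the number of findings, so a clean docroot exits with 0.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): local self-audit of a
# Magento 1 document root for the exposures the article describes.
# Usage:  ./audit_docroot.sh /var/www/magento
# It inspects only the filesystem; whether the web server really serves a
# path still depends on the server configuration.

# Prints one FINDING line per problem and returns the number of findings.
audit_magento_docroot() {
    docroot="$1"
    findings=0

    # Admin path: Magento 1 stores it as <frontName> in app/etc/local.xml
    # (assumed layout). The default value "admin" is what hackers guess first.
    local_xml="$docroot/app/etc/local.xml"
    if [ -f "$local_xml" ]; then
        front=$(sed -n 's/.*<frontName>\(.*\)<\/frontName>.*/\1/p' "$local_xml" | head -n 1)
        # strip the CDATA wrapper Magento writes around the value
        front=$(printf '%s' "$front" | sed 's/^<!\[CDATA\[//; s/\]\]>$//')
        if [ -z "$front" ] || [ "$front" = "admin" ]; then
            echo "FINDING: admin panel uses the default /admin front name"
            findings=$((findings + 1))
        fi
    fi

    # Version control artefacts should never ship to a public docroot.
    for vcs in .git .gitignore; do
        if [ -e "$docroot/$vcs" ]; then
            echo "FINDING: $vcs present in docroot"
            findings=$((findings + 1))
        fi
    done

    # Log and report folders need a deny rule, either in var/.htaccess
    # (as Magento 1 ships it) or in the folder itself. Apache only.
    for dir in var/log var/report; do
        if [ -d "$docroot/$dir" ]; then
            if ! grep -qsiE 'deny from all|Require all denied' \
                    "$docroot/var/.htaccess" "$docroot/$dir/.htaccess"; then
                echo "FINDING: $dir has no .htaccess deny rule"
                findings=$((findings + 1))
            fi
        fi
    done

    # Developer shell scripts do not belong on production.
    if [ -d "$docroot/shell" ]; then
        count=$(find "$docroot/shell" -name '*.php' | wc -l | tr -d ' ')
        echo "FINDING: shell/ directory present with $count PHP script(s)"
        findings=$((findings + 1))
    fi

    echo "$findings finding(s) for $docroot"
    return "$findings"
}

# Stand-alone run: audit the path given on the command line.
if [ -n "${1:-}" ]; then
    audit_magento_docroot "$1"
fi
```

Run it after every deployment as well as once now: a developer re-adding the shell/ folder or a fresh checkout dropping .git into the docroot is exactly the kind of regression this catches.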