
Why modules shouldn’t be installed via Magento Connect Manager

The “Magento Connect Manager”, which is integrated into the Magento admin area, is a quick and easy way to test and install new modules. No technical knowledge is required, so modules can be installed without involving technical support.

The Problem

We recommend not using the Magento Connect Manager at all; preferably, it should be disabled. The reasons are the following:

  • Every module used in a live shop should have gone through a code review. Otherwise there is a danger of installing modules with security issues, spyware and/or performance problems.
  • If you are using the Connect Manager, integration with version control (Git, SVN, …) is much harder. Every professional shop should use version control.
  • No module should be installed untested on a live system. In many cases, uninstalling a module isn’t as easy as the Connect Manager makes it look: often, database changes have to be made after a module is uninstalled.
  • The technical support of a shop should have, and keep, an overview of all installed modules in order to identify possible problems quickly. As long as the Magento Connect Manager is available, this can never be guaranteed.
  • It may tempt you to use too many modules. With a higher number of modules, the risk of conflicts between modules increases, as does the risk that a Magento update doesn’t go through without problems.
  • The Magento Connect Manager is a security problem in itself. While you can change the URL of the admin area, the Connect Manager is always available at “/downloader/”. If an admin password is compromised, e.g. through a brute-force attack, the attacker gets a direct link into the admin area.

Alternative

Every module should be installed on a development or test system first. In the best case, you are using Composer or a similar tool for that.

If that’s not possible, you can still download the installation package (either directly from GitHub, or, for Magento Connect modules, with a tool like the “magento connect 2.0 extension downloader”). The downloaded module should then go through a code review. After that, the module files can be copied to the development or test system and added to version control, where you can test them.

Using version control, you can easily remove the module again so it never reaches the live server at all.

Blocking the Magento Connect Manager

For the reasons mentioned above, we recommend blocking access to the Connect Manager completely. You can do that by one of the following means:

  1. Delete the “downloader” directory in Magento. This is the most secure method, but its disadvantage is that every Magento update ships this directory again, so you’ll have to delete it again after every update.
  2. Deactivate access to the Magento Connect Manager using the admin permissions in Magento. This is the easiest method, but it doesn’t fix the security issue mentioned above.
  3. Block access in Magento’s .htaccess file if you are using Apache. You can do that by adding the following line to the top of the .htaccess file in the Magento root directory:

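As an added example (not from the original post), here is an .htaccess fragment for the Magento root that answers every request to /downloader/ with 403 Forbidden and optionally lets one maintenance address through; the address 203.0.113.10 is a placeholder from the RFC 5737 documentation range and must be replaced.

```apache
# Added example, not part of the original post. Place at the top of the
# .htaccess in the Magento root. Assumes Apache with mod_rewrite enabled
# and AllowOverride permitting FileInfo directives in this directory.
RewriteEngine On

# Only the placeholder maintenance address (RFC 5737 documentation range,
# replace with your own) may reach the Connect Manager; every other
# client gets 403 Forbidden. Delete the RewriteCond line to block the
# Connect Manager for all clients, which is the recommended setting.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule ^downloader(/|$) - [F,L]
```

Verify from an address that is not on the allow list with `curl -I https://your-shop.example/downloader/` and expect `HTTP/1.1 403 Forbidden`, while the admin URL itself must still answer normally.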


Author: Andreas von Studnitz

Andreas von Studnitz is a Magento developer and CEO of integer_net. His main areas of interest are interface development, backend development, Magento consulting and giving developer trainings. He has been a Magento Certified Developer since 2011 and a Magento Certified Solution Specialist since 2014.


This Post has 8 Comments

  1. Flyingmana says:

    An important point which many developers seem to forget: Some modules have dependencies.

    Most of the tools which can be used to directly download modules ignore that fact. Some features won’t work as expected because of that.

    Please check the contained package.xml for the “dependency” tag and if it contains other modules.

  2. Great information. What I like about this article most is that you have described the alternative way to install modules without the Magento Connect Manager. Many times people write about a problem with a tool and mention just why you should not use that tool, but they forget to mention the alternative way to do the same things. Thanks.

  3. Thank you for sharing this post. I do agree with you. As you mentioned, we should not use the Magento Connect Manager. It is not safe and can create some problematic issues. So it’s better to avoid this.

  4. Daniel says:

    Thanks for confirming what I thought but couldn’t put to words.

    My colleague insists on using the downloader, because he says that’s the easiest way to find out if there are any updates for installed plugins. Unfortunately, he’s right about that … or is he?

    I haven’t been able to find a simple command that checks installed plugin versions against the Magento Connect database for updates. Is there a way?

    Thanks,
    Daniel

  5. Gary Mort says:

    1) Move the downloads folder outside of the webroot. For example:
    from home/username/public_html/downloads to /home/username/downloads
    2) Create a symlink from the webroot to the downloads folder
    home/username/public_html/downloads –> /home/username/downloads
    3) Deactivate access to the Manager
    4) Block access in .htaccess using mod_rewrite and include commented out ip address exceptions
    # To use the downloader, enable it in the manager
    # Place your ip address(es) in place of the below addresses
    # Remove the comment symbol for Options +FollowSymLinks and the ip address exceptions
    # Use the downloader for a specific purpose
    # Disable the downloader
    # Replace comment symbols
    Options -FollowSymLinks
    # Options +FollowSymLinks
    # mod_rewrite must be switched on for the RewriteCond/RewriteRule below to take effect;
    # note that in .htaccess it only works while FollowSymLinks or SymLinksIfOwnerMatch is enabled
    RewriteEngine On
    #RewriteCond %{REMOTE_ADDR} !^124\.255\.124\.255
    #RewriteCond %{REMOTE_ADDR} !^125\.255\.125\.255
    RewriteRule ^downloader.* index.php [L]

    This way, when you update Magento, the files in the downloader directory will be updated correctly.

    It is not enough to block access to the downloader directory, other processes running outside of the web environment can still execute it, you should block access and disable it.

    You can use the downloader to check and update/install extensions as needed [using the downloader has zero impact on using Git. Git does not care where the file comes from when you run git add, it simply compares the file in the directory to the file in the repository.]

    +FollowSymLinks is an obvious security hazard and should never be used on a production server. The exception being if you understand precisely how symlinks work, why they are a security hazard, and create a very specific exception for a specific directory. I don’t care how convenient it is to use modman with symlinks or whatever other stupidity someone decides to use

    The first line disabling symlinks and the last line are only seemingly redundant. They both perform different functions which happen to include blocking access to downloader as a side effect.

    Just as you should not use +FollowSymLinks if you do not understand how it works, you should not use composer if you are not well versed in how the default settings when using composer are a security hazard. Never “just run the install command.” Composer is a development tool, not a deployment tool. Note: you can use a development tool as a deployment tool, but you must have a basic understanding of standard, decades-old Linux and Apache security practices. Something few people take the time to learn when blinded by shiny new toys which they think are more ‘efficient’.

  6. rukia says:

    Hello Mr. Andreas von Studnitz,
    I’ve installed Magento, but there is no Magento Connect. In your opinion, what is the problem? Guide me. Thanks
    Rukıa
