Title:

Admin interface is open externally (though it is being protected with user-id/password challenge).

Vulnerability:

The administrator interface is required for maintaining the web server (keeping it available and functional). If that interface is reachable externally, however, it exposes the server to brute-force attacks aimed at gaining administrative (root) access to the web server.
Exposing the */admin page externally also increases the risk of SQL injection, exposure of the directory structure, and similar attacks.

Solution:

The interface page should be accessible only from the Internal Port.
Administrator sign-in ports:
[*] Enable administrators to sign in on the Internal Port
[ ] Enable administrators to sign in on the External Port

Instead of */admin, use [IP of internal Interface]/admin as the Sign-In URL. It is also generally advised to limit the number of IP addresses permitted to sign in simultaneously, and not to grant access to an entire subnet IP range.
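The policy above (admin sign-in only via the internal interface address, from a short list of individual administrator hosts rather than a whole subnet) can be enforced in front of the admin page like this. This is an added example, not code from the original page or from any particular web server; the internal interface address and the allowlisted hosts are constructed assumptions.

```python
import ipaddress

# Constructed example values (not from the original page): the address of the
# internal interface the admin Sign-In URL is bound to, and the administrator
# hosts permitted to reach it.
INTERNAL_INTERFACE = ipaddress.ip_address("10.0.0.5")
ADMIN_ALLOWLIST = ["10.0.0.20", "10.0.0.21"]

# An allowlist entry may cover at most this many addresses; anything larger is
# effectively a subnet grant, which the guidance above advises against.
MAX_ADDRESSES_PER_ENTRY = 4


def validate_allowlist(entries):
    """Parse allowlist entries, rejecting any that grant an entire subnet."""
    nets = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses > MAX_ADDRESSES_PER_ENTRY:
            raise ValueError(
                f"allowlist entry {entry} covers {net.num_addresses} addresses; "
                "list individual administrator hosts instead"
            )
        nets.append(net)
    return nets


def admin_access_allowed(client_ip, server_ip, path, allowlist=ADMIN_ALLOWLIST):
    """Return True only when an /admin request arrived on the internal interface
    from an allowlisted administrator host.  Non-admin paths are not restricted
    by this policy.  server_ip is the local address the request was accepted on."""
    if not path.startswith("/admin"):
        return True
    if ipaddress.ip_address(server_ip) != INTERNAL_INTERFACE:
        # Request reached the external interface: deny regardless of client.
        return False
    client = ipaddress.ip_address(client_ip)
    return any(client in net for net in validate_allowlist(allowlist))
```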