An attacker can force the admin panel login page to be shown, regardless of the admin panel URL, by calling a module directly. This makes it easier to attempt automated password attacks and exposes the admin URL on the page.
Text below is from Magento: SUPEE-6788 Technical Details. Without these changes, stores are forced to disable the security feature provided by this Magento patch.
Note: This part of the patch is disabled by default. To protect non-default admin URLs against automated attacks, the patch must be enabled by changing the routing compatibility mode in configuration. Use "Enable Admin routing compatibility mode" under System > Configuration > Admin > Security.
Bug type: Information Leakage
See: SUPEE-6788 Magento Patch Release Notes; SUPEE-6788 Magento Patch Technical Details
If a module has admin functionality that is not under the admin URL, it will need to be modified (e.g. http://domain.com/cool_module instead of http://domain.com/admin/cool_module).
Developers need to change etc/config.xml and all code lines where they generate links to the admin part of the module.
For example the following config.xml file for a module:
Should be changed to:
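The two router declarations described above, embedded as constructed samples in an added audit script that flags modules still declaring their own admin router. This is not the listing from the Magento document: the module name `Acme_CoolModule` and the function `custom_admin_routers` are hypothetical, and the XML follows the usual Magento 1 `config.xml` router layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a module that declares its own admin router, so its
# admin controllers answer at /cool_module instead of under the admin URL.
LEGACY_CONFIG = """<config>
  <admin>
    <routers>
      <cool_module>
        <use>admin</use>
        <args>
          <module>Acme_CoolModule</module>
          <frontName>cool_module</frontName>
        </args>
      </cool_module>
    </routers>
  </admin>
</config>"""

# Constructed sample: the same module registered under the core adminhtml
# router, so its controllers are reached only through the admin URL.
FIXED_CONFIG = """<config>
  <admin>
    <routers>
      <adminhtml>
        <args>
          <modules>
            <cool_module after="Mage_Adminhtml">Acme_CoolModule_Adminhtml</cool_module>
          </modules>
        </args>
      </adminhtml>
    </routers>
  </admin>
</config>"""

def custom_admin_routers(config_xml):
    """Return (router, frontName) pairs for admin routers other than adminhtml."""
    root = ET.fromstring(config_xml)
    found = []
    for router in root.findall("./admin/routers/*"):
        if router.tag == "adminhtml":
            continue  # modules listed under adminhtml live under the admin URL
        if (router.findtext("use") or "").strip() == "admin":
            front = (router.findtext("args/frontName") or "").strip()
            found.append((router.tag, front))
    return found

if __name__ == "__main__":
    for name, xml in (("legacy", LEGACY_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, custom_admin_routers(xml))
```

Running the function over each module's `etc/config.xml` before switching the routing compatibility mode lists the modules whose configuration and admin links still need changing.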