#10774 A question about giving Admin tools security info on a forum

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Tuesday, 24 January 2012 14:56 CST

user528
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? yes
Have I searched the forum before posting? yes
Have I read the documentation before posting (which pages?)? yes
Joomla! version: 1.7.3
PHP version: 5.2.17
MySQL version: (unknown)
Host: lunarpages
Admin Tools version: 2.2.a2

Description of my issue:

I had a conflict recently with an extension that was trying to access a .php file in an admin folder. I found that it was due to the increased security in the .htaccess file I create with Admin Tools.

I solved the issue by going into Admin Tools >> .htaccess Maker >> Server Protection, and under "Exceptions: Allow direct access, including .php files, to these directories", I entered the directory of the extension.

Now, someone in the support forum for that extension is asking me how I worked out the issue. I would like to post the solution, but I'm worried that it will cause a security issue with my site. I assume it isn't a good idea to post directories where .php files are open and accessible... correct?

Advice?

nicholas
Akeeba Staff
Manager
Hi,

If you only need to allow a single PHP file to be web-accessible, you can always put it in the "Allow direct access to these files" field in the .htaccess Maker page. This will remove the protection for just this file, minimising the security implications for your site. In other words, your site is in jeopardy only if this particular file is found to be vulnerable. This is the solution you have to give to the other guy. This is the solution I give in our documentation, too :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user528
Yes, that is what I did first. I just allowed access to one php file. But, the extension uses multiple folders/php files, and the others were having issues. So, I need to allow access to the entire folder, instead of finding each and every php file. Make sense? Or am I just being lazy :) If that is the case, I will go back and set it for each file.

Either way, are you saying it isn't a problem for me to tell the guy, "You need to allow access to administrator/com_extension/aaa/test.php"? I just want to be sure that just listing that directory won't cause me any security concerns (i.e. the bad Russian hackers will sniff it out and attack ASAP).

nicholas
Akeeba Staff
Manager
Hm, if the file names are not generated randomly, it's best to list all files, one by one. Otherwise (if the filenames are random) what you did is correct.

You can just tell the other guy to add that directory to the exceptions list. And it's best to not use your real domain name, obviously, but example.com instead.

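To make the difference between the two kinds of exception concrete, here is an illustrative Apache .htaccess fragment written for this ticket. It is an added example, not the output of Admin Tools' .htaccess Maker, and the component name com_example and the file names under it are placeholders. It shows a default rule that refuses direct requests for PHP files under administrator/components, a per-file exception (what Nicholas recommends when the file names are fixed), and a whole-directory exception (what the original poster used), with the order of the rules being what makes the exceptions take effect.

```apache
# Illustrative fragment, NOT generated by Admin Tools' .htaccess Maker.
# "com_example" and the file names below are placeholders, not real paths.
RewriteEngine On

# Exceptions must come BEFORE the blocking rule: the first matching rule
# with [L] stops processing, so the later [F] rule never sees the request.

# Option A: per-file exceptions. Only the listed files become web-accessible;
# every other PHP file in the directory stays blocked. Use this whenever the
# extension's file names are fixed and can be enumerated.
RewriteRule ^administrator/components/com_example/aaa/test\.php$ - [L]
RewriteRule ^administrator/components/com_example/aaa/ajax\.php$ - [L]

# Option B: whole-directory exception. Every PHP file under this directory,
# including any added by future updates of the extension, becomes directly
# reachable. Reserve this for the case where the file names are random and
# cannot be listed. (Commented out here so Option A is what applies.)
# RewriteRule ^administrator/components/com_example/aaa/ - [L]

# Default server protection: the administrator entry point stays reachable,
# any other PHP file under administrator/components gets a 403 Forbidden.
RewriteRule ^administrator/index\.php$ - [L]
RewriteRule ^administrator/components/.*\.php$ - [F]
```

Because this lives in the site root's .htaccess (per-directory context), the pattern is matched against the request path relative to that directory, hence no leading slash. The security trade-off is the size of the exposed surface: with Option A, a vulnerability in an unlisted file in the same directory is still unreachable from the web; with Option B it is not, which is why the directory form is only worth using when file-by-file listing is impossible.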

user528
Ok, I'll stop being lazy and do it right. I'll pass that info on to the other guy. And I won't use my own domain... but I still worry about people figuring it out... I'm not always the safest forum surfer... I have to remember to be more careful.

Anyway, since the guy has AdminTools installed, I'll just tell him to come on over for some Premium Kick-a$$ support from Nicholas :)

nicholas
Akeeba Staff
Manager
You're welcome, Ryan! It's a pleasure being able to help :)
