#11560 phpthumb.php needs Protect against common file injection attacks:off

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Wednesday, 14 March 2012 13:58 CDT

abe
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? No
Have I searched the tickets before posting? No
Have I read the documentation before posting (which pages?)? No
Joomla! version: (1.5.25)
PHP version: (5.2.12)
MySQL version: (unknown)
Host: (optional, but it helps us help you)
Admin Tools version: (professional)

Description of my issue: Hi there,
I think your software is very useful. Thanks for that!

OK, so I have installed Admin Tools, all good, no issues, and when using the ".htaccess Maker" tool I created an .htaccess. Everything seems to be fine, but then I noticed that an extension's thumbnails created by phpthumb.php were not being displayed in the frontend.

=========================
So I fixed it by turning these 2 settings off:
Protect against common file injection attacks:off
Front-end protection : off

==============
Now, by putting this path "component/libraries/phpthumb.php" in

Exceptions
Allow direct access to these files

I can set the front-end protection on :)
==============

But this is what I am left with. Why can I not set this to on??
Protect against common file injection attacks:off

Every time I set this to on, the thumbnails disappear. What should I do?


thanks
Abe

nicholas
Akeeba Staff
Manager
Hello Abe,

yes, phpthumb.php does require that option to be turned off. However, I would recommend getting rid of that thumbnail generator as soon as possible and avoiding it like the plague. To the best of my knowledge, it is insecure and last year it was used to hack many unsuspecting sites. I'd argue that it's better to have a secure site without thumbnails than a hacked site with thumbnails.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

abe
Nicholas, is there any other way to set up your Admin Tools so I can use that extension that is using phpthumb? Can I put the extension in an exception, so I can set "Protect against common file injection attacks" to on??

thanks
Abe

nicholas
Akeeba Staff
Manager
Hello Abe,

I didn't make myself clear. Turning off the file injection protection is the least of your worries. Your major problem is that in order to display the thumbnails you have to give direct access to phpthumb.php. However, phpthumb.php is insecure. It can be used as a backdoor to your site. It's the equivalent of putting an armoured door on your house and leaving the kitchen door open.

Nicholas K. Dionysopoulos

