Support

Admin Tools

#11945 My host support told me tha the /administrator/.htaccess has strange content.

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Wednesday, 11 April 2012 07:04 CDT

Wednesday, 11 April 2012 01:45 CDT

oldboy
Mandatory information about my setup: jooomla 1.5, admintools

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: (1.5.26)
PHP version: (5.2.17)
MySQL version: (5.0.92-50)
Host: (site5)
Admin Tools version: (2.2.4)

Description of my issue: After my website hacked the host company informed me and I cleared the website from malicious files and scripts. Then I have installed admintools and used some protection features. Also I used the protection of backend password. After I ask them to check again if my website is clear now and they told me that the /administrator/.htaccess fils has content that is strange to them. Especially the two last line.
This is the content of the .htacces file in administrator folder:

AuthUserFile "/home/rh***an/public_html/administrator/.htpasswd"
AuthName "Restricted Area"
AuthType Basic
require valid-user

RewriteEngine On
RewriteRule .htpasswd$ - [F,L]


This is the mail they send me.


The second part, however, is as follows:



RewriteEngine On

RewriteRule .htpasswd$ - [F,L]*



To be honest, this is strange. It is straightforward enough, and is blocking browser access to the .htpasswd file, which is a good thing, but that file contains encrypted data anyway, and even if it was accessed in a browser the password in that file would be unintelligible. Our audit script checks for the htpasswd string automatically, as it is often used to exploit security holes. In this case, however, I see nothing outright malicious in this file, though the last two lines are strange, as described.



I don't have knowledge about how a .htaccess should be. Could you please tell me that the content of .htacces is created from admintools?

Is there any guide explaining how to configure a .htaccess file?

Regards

Edited by oldboy on 2012-04-11 01:47 CDT

Wednesday, 11 April 2012 03:32 CDT

nicholas
Both files, .htaccess and .htpasswd, are created by Admin Tools. The two lines in question are exactly what your host told you, they prevent web access to the .htpasswd. If someone downloads the .htpasswd file with its encrypted contents they can try to brute force (crack the encryption of) the password. That's a fundamental security principle: never allow access to passwords, even if they are encrypted. I don't see why all the fuss by your host?

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 11 April 2012 03:48 CDT

oldboy
I don't Know why. I will reply them with your answer.

Regards

Wednesday, 11 April 2012 03:49 CDT

nicholas
You're welcome :)

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 11 April 2012 04:03 CDT

oldboy
They replied:
Access to the administrator/.htpasswd file is forbidden, and they wouldn't be able to download the contents of that file.


Anyway... I needed to Know if my file is clear. Thank you.
Edited by oldboy on 2012-04-11 04:04 CDT

Wednesday, 11 April 2012 07:04 CDT

nicholas
Well, since Admin Tools is designed to produce one-size-fits-all .htaccess code, meaning that it will perform equally on all server environments in the wild, we have to include those two lines. They are not necessary for your particular host (and most hosts for that matter), but they are required for some other hosts and don't cause any side-effects. So, leaving those lines in there is not a big deal. Putting a confusing option in the software, on the other hand, would be a very big deal as people would come here and ask if they should enable the "Forbid access to .htpasswd" option or not, will my .htpasswd be readable if I set it to Off and so on. Therefore, just let it be :)

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!