#13329 access to files in new directory when not expected

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Tuesday, 21 August 2012 08:17 CDT

davesage
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? No - none relevant
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: 2.5.6
PHP version: 5.3.x
MySQL version: 5.1.x
Host: (optional, but it helps us help you)
Admin Tools version: 2.3.2

Description of my issue:

I created a new folder in the root of public_html called 'pdf' and uploaded a pdf to it. This folder was to hold some pdfs that were going to be made publicly accessible by sending out a given url to the file.

I was expecting these files to be non-accessible until I added this new directory into admin tools .htaccess maker under 'Allow direct access, except .php files, to these directories' or better 'Allow direct access to these files' for each file I uploaded.

I was surprised when I tried to navigate to the URL and it downloaded the pdf BEFORE I added these entries into admin tools!

Have I misunderstood how the server protection and exceptions work? I'm sure on previous versions I got a 403 error until I added in the exceptions.

Sorry if I'm being thick,

Cheers,

Dave

nicholas
Akeeba Staff
Manager
Hello Dave,

The protection offered by .htaccess has two branches:
  • For certain Joomla! core directories (*) no access to any file is allowed except the index*.php files in the root and the administrator directory, as well as files with allowed extensions. The idea is to prevent arbitrary PHP files uploaded to the site from being executed, as well as to prevent fingerprinting (determining the Joomla! version by downloading publicly accessible files) as much as possible.
  • For all other directories only PHP files are blocked from being accessed. The idea is that an attacker could exploit a vulnerability to upload an inconspicuously named hacking script in a non-core directory and access it over the web.


* the directories are cache, includes, language, logs, tmp if you enable the front-end protection and administrator (and all its subdirectories, of course) when you enable the back-end protection.

In your case you had a PDF file in a non-core directory. It is not supposed to be protected.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
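The two-branch policy Nicholas describes, written out as a decision function so the ticket's case can be checked against it. This is an added model of the explanation in his reply, not Admin Tools' own .htaccess rules; the allowed-extension set and the two exception lists are constructed examples.

```python
# Model of the server-protection policy described in the reply above.
# Added illustration only: not Admin Tools' real .htaccess output.
from fnmatch import fnmatch
from pathlib import PurePosixPath

# Core directories named in the post, split by which protection covers them.
FRONTEND_CORE = {"cache", "includes", "language", "logs", "tmp"}
BACKEND_CORE = {"administrator"}

# Constructed assumption: extensions the core-directory branch still serves.
ALLOWED_EXT = {"css", "js", "png", "jpg", "gif", "ico", "svg", "woff"}


def is_allowed(path, allowed_dirs=(), allowed_files=(), frontend=True, backend=True):
    """Return True if a request for `path` (relative to the site root) is served.

    allowed_dirs  models 'Allow direct access, except .php files, to these directories'
    allowed_files models 'Allow direct access to these files'
    """
    p = PurePosixPath(path.lstrip("/"))
    top = p.parts[0] if len(p.parts) > 1 else ""       # "" means the site root
    ext = p.suffix.lstrip(".").lower()
    is_php = ext == "php"

    # Explicit per-file exception wins outright.
    if str(p) in allowed_files:
        return True
    # Per-directory exception: everything except PHP is served.
    if top in allowed_dirs:
        return not is_php
    # index*.php in the root or in administrator/ is always reachable.
    if fnmatch(p.name, "index*.php") and str(p.parent) in (".", "administrator"):
        return True

    core = (frontend and top in FRONTEND_CORE) or (backend and top in BACKEND_CORE)
    if core:
        # Branch 1: core directories only serve the allowed extensions.
        return ext in ALLOWED_EXT
    # Branch 2: everywhere else only PHP is blocked, so Dave's PDF is served.
    return not is_php


if __name__ == "__main__":
    for req in ("pdf/brochure.pdf", "pdf/shell.php", "cache/dump.txt", "administrator/index.php"):
        print(f"{req}: {'allowed' if is_allowed(req) else 'blocked'}")
```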

davesage
Hi Nicholas,

Thanks for the very clear response, it certainly clarifies the situation. I had incorrectly thought that ALL files were blocked for all directories unless in the differing exception fields.

Thanks again,

Dave

nicholas
Akeeba Staff
Manager
I have to admit that once I read your question I went "huh, he's right, the description is a little vague". Well, I'm glad you asked and I had the chance to explain exactly how this works :)

