#13610 Protection question

Posted in ‘Admin Tools for Joomla! 4 & 5’
Latest post by nicholas on Wednesday, 19 September 2012 12:27 CDT

user28055
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? No
Have I searched the tickets before posting? No
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: 2.5.7
PHP version: 5.3.14
MySQL version: 5.1
Host: (optional, but it helps us help you)
Admin Tools version: 2.3.2

Description of my issue:
Does Admin Tools Professional have protection against
Header Injection,
Directory Traversal,
DoS,
PHP injection,
JavaScript injection,
and Flooding?

nicholas
Akeeba Staff
Manager
Header Injection - No, because Joomla! doesn't generate HTTP headers based on user input. Furthermore, Joomla! has its own safeguards against session fixation / hijacking and related potential vulnerabilities.

Directory Traversal - Yes, it's the LFIShield feature.

DoS - NO! You should NEVER, EVER rely on PHP code for DoS protection. If you do, you're toast. PHP in conjunction with a database is too slow to successfully prevent DoS attacks. In order for a DoS filter to work you need to drop the request or, even better, the TCP packet as soon as it hits your machine. Even then you might experience severe slowdown of the server as the incoming connection gets saturated with the malicious users' TCP packets. You should use a web server firewall like mod_security2 or, even better, an Operating System-level firewall like iptables. Admin Tools can deny access to repeat offenders (IPs triggering many security exceptions in a predefined amount of time), but this is by no means a DoS protection and should never be perceived as such.

PHP Injection - Yes, it's the UploadShield feature.

JavaScript Injection - This is properly called XSS. Even though Admin Tools does have such a feature (XSSShield), it's not watertight, and there is no person in his or her right mind who can tell you that it's possible to create a perfect XSS filter. Validation of user input and escaping of output is the only sound way of doing that. If you have crappy extensions made by inexperienced developers, it's perfectly possible that an enterprising hacker will get his way around an XSS filter and attack your site.

Flooding - It's another name for DoS (Denial of Service). See above.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
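The reply above makes two points that are easy to state and easy to get wrong in practice: a pattern-matching filter (the kind of thing LFIShield or XSSShield does in front of the application) catches the obvious payloads but is not watertight, and the sound controls are canonicalizing paths and escaping output inside the application itself. The following Python is an added illustration of both points; it is hypothetical example code, not Joomla! or Admin Tools code. The template directory, the signature regex and the sample payloads are all assumptions constructed for the demo.

```python
"""
Added illustration (hypothetical, not Joomla!/Admin Tools code) of why a
signature filter is a tripwire rather than a fix, next to the application-side
controls that actually close the hole: path canonicalization for traversal and
output escaping for XSS.
"""
import html
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Assumed directory the application is allowed to read files from.
TEMPLATE_BASE = "/var/www/templates"

# --- Directory traversal ----------------------------------------------------

# A WAF-style signature: the literal "../" sequence (constructed for the demo).
TRAVERSAL_SIGNATURE = re.compile(r"\.\./")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until stable so double-encoded %252e%252e%252f collapses to ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def naive_filter_blocks(raw_param: str) -> bool:
    """Signature check on the raw query-string value, without decoding."""
    return bool(TRAVERSAL_SIGNATURE.search(raw_param))


def decoding_filter_blocks(raw_param: str) -> bool:
    """Same signature after URL decoding: catches encoded variants the naive
    check misses, but still only knows about the '../' idiom."""
    return bool(TRAVERSAL_SIGNATURE.search(fully_decode(raw_param)))


def resolve_under_base(raw_param: str, base: str = TEMPLATE_BASE) -> Optional[str]:
    """Application-side control: decode, normalize, and refuse anything that
    ends up outside `base`. Returns the canonical path or None when rejected.
    It needs no knowledge of attack syntax, so it also stops inputs with no
    '../' at all (absolute paths, NUL truncation) and does not reject a
    legitimate path that merely contains '../' while staying inside base."""
    decoded = fully_decode(raw_param)
    if "\x00" in decoded:
        return None  # a NUL would truncate the name in C-level file APIs
    base = posixpath.normpath(base)
    # posixpath.join discards `base` when `decoded` is absolute; the
    # commonpath check below is what rejects that case.
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


# --- Cross-site scripting ---------------------------------------------------

def naive_xss_filter(fragment: str) -> str:
    """Blacklist filter: strip <script>...</script>. Case-sensitive and
    tag-specific, so any other tag or a case variation walks straight through."""
    return re.sub(r"<script>.*?</script>", "", fragment, flags=re.DOTALL)


def escape_for_html(fragment: str) -> str:
    """Output escaping: '<', '>', '&' and quotes become entities, so the browser
    renders the text and never parses it as markup, whatever the payload."""
    return html.escape(fragment, quote=True)


if __name__ == "__main__":
    # Constructed sample parameters, as they would appear in a query string.
    for p in ["index.php", "../../../etc/passwd",
              "%2e%2e%2f%2e%2e%2fetc%2fpasswd", "/etc/passwd",
              "index.php%00.txt", "templates/../templates/index.php"]:
        print(f"{p:40} naive={naive_filter_blocks(p)!s:5} "
              f"decoding={decoding_filter_blocks(p)!s:5} "
              f"app={resolve_under_base(p)}")
    for x in ["<script>alert(1)</script>", "<ScRiPt>alert(1)</ScRiPt>",
              "<img src=x onerror=alert(1)>"]:
        print(f"{x:32} filter={naive_xss_filter(x)!r:32} escaped={escape_for_html(x)!r}")
```

Running it shows the asymmetry Nicholas describes: the raw-signature filter misses the URL-encoded traversal entirely, the decoding variant catches it but still waves through an absolute path or a NUL-truncation attempt because neither contains `../`, and it blocks a harmless `templates/../templates/index.php` that never leaves the directory. The canonicalization check gets all of those right without knowing any attack syntax. Likewise the `<script>`-stripping filter is defeated by a change of case or by any other tag carrying an event handler, while `html.escape` neutralizes all three payloads the same way. The filter is still worth having as an alarm for the repeat-offender logic, which is exactly how the reply positions it.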
