#13638 LFI Shield

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Tuesday, 25 September 2012 10:37 CDT

user47763
Description of my issue:
A recent PEN Test of one of my sites has detected a path traversal vulnerability. A response in a previous ticket (No 13610) mentions that this kind of attack is protected by the LFI Shield.

I am running v2.3.2 of Admin Tools Pro, and cannot find an option to select/enable LFI Shield protection and can't seem to find this option in the WAF Configuration. Can you point me in the right direction?

I am running v2.5.7 of Joomla, with everything up to date.

Thanks

nicholas
Akeeba Staff
Manager
It's called DFIShield, not LFI Shield. Please note that Admin Tools can only protect requests which are routed through Joomla!'s index*.php files. If a request is routed through an arbitrary PHP file (as some components, modules, plugins and –most importantly– templates do) then Admin Tools cannot protect you. This is why the .htaccess Maker will, by default, block access to all .php files except Joomla!'s index*.php.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
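
An added example (not part of the original ticket and not Akeeba's code): a log audit that lists PHP files requested directly instead of through Joomla!'s index*.php, which are the requests the reply above says Admin Tools cannot inspect and the .htaccess Maker would block. The Apache-style log format, the `compress.php` path and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Request part of an Apache-style access log line (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# Script portion of a URL path, with any trailing PATH_INFO cut off.
SCRIPT_RE = re.compile(r'^(/.*?\.php)(?:/.*)?$', re.IGNORECASE)
# Joomla! front controllers: index*.php in the site root or /administrator/.
FRONT_CONTROLLER_RE = re.compile(r'^/(administrator/)?index[^/]*\.php$')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

def audit(lines):
    """Map each directly requested PHP script to its hit and traversal counts."""
    report = {}
    for line in lines:
        request = REQUEST_RE.search(line)
        if not request:
            continue
        parts = urlsplit(request.group(1))
        script = SCRIPT_RE.match(unquote(parts.path))
        if not script or FRONT_CONTROLLER_RE.match(script.group(1)):
            continue  # static file, or routed through index*.php
        entry = report.setdefault(script.group(1), {"hits": 0, "traversal": 0})
        entry["hits"] += 1
        # Decode twice so double-encoded "../" sequences are also counted.
        if TRAVERSAL_RE.search(unquote(unquote(parts.query))):
            entry["traversal"] += 1
    return report

# Constructed sample lines; the template script path is hypothetical.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2012:10:00:01 +0000] "GET /index.php?option=com_content&id=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [25/Sep/2012:10:00:02 +0000] "GET /templates/example/framework/compress.php?files=template.css HTTP/1.1" 200 2048',
    '198.51.100.7 - - [25/Sep/2012:10:00:03 +0000] "GET /templates/example/framework/compress.php?files=..%2F..%2Fexample.txt HTTP/1.1" 200 312',
    '198.51.100.7 - - [25/Sep/2012:10:00:04 +0000] "GET /administrator/index.php HTTP/1.1" 200 900',
    '203.0.113.5 - - [25/Sep/2012:10:00:05 +0000] "GET /index.php/about-us HTTP/1.1" 200 4000',
    '203.0.113.5 - - [25/Sep/2012:10:00:06 +0000] "GET /media/system/js/core.js HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for path, counts in sorted(audit(SAMPLE_LOG).items()):
        print(f'{path}: {counts["hits"]} direct hits, '
              f'{counts["traversal"]} with traversal sequences')
```

Every script in the output is an entry point outside the index*.php files; reviewing that list before blocking direct .php access shows which extensions depend on such scripts.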

user47763
Thanks for the prompt response Nicholas. I'm going to see if I can get some help with adjusting my htaccess settings to counteract this vulnerability.

You're absolutely right, the example given to me relates to a framework extension that is required by my template.

nicholas
Akeeba Staff
Manager
I was perfectly sure that this would be the case. I've said many times that these stupid PHP scripts to compress JS and CSS files are infinitely more harmful than helpful. Not to mention inefficient: the time required to compress the data and serve them using PHP is usually more than the time it would take the uncompressed file to be transported through the infinitely more efficient web server (and that's why the .htaccess Maker allows you to instruct Apache to automatically compress static resources - it's 2x - 4x faster than PHP code!).

user47763
So it would be better to switch off the js/css compression within the template manager and enable Automatically compress static resources in htaccess maker instead?

nicholas
Akeeba Staff
Manager
Exactly. Enable the front- and back-end protection in .htaccess Maker, too.
