#19368 turning off redirection to home page when administrator url wrong

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Friday, 28 February 2014 12:15 CST

weboxx
Hello,

is it possible to turn off the redirection to the site's homepage when the administrator URL combined with the secret URL parameter is typed wrong?

Is there a way to turn off this redirection without manipulating any .htaccess file?

If an attacker types in the standard Joomla administrator URL (this is the URL without any secret URL parameter) then the attacker is redirected to the site's start page, so he knows that the site is a Joomla CMS site. (In case of an invalid URL a 404 error is thrown.)

best wishes

Chin-Man Choi
 WEBoXX IT-eXperts

nicholas
Akeeba Staff
Manager
You understand it backwards. The redirection to the main page actually confuses an attacker because they are not sure if it's the result of a SEO configuration on a non-Joomla! site or a Joomla! site protected by Admin Tools.

FYI, I can still tell a Joomla! site without even trying to visit the administrator URL. You can too. OK, here's the secret sauce. Open a site's front page. View the source of the page. No matter what the site owner does, there will be references to some tell-tale folders such as "templates", "images" and "media". If you are really sly, you don't even have to open a site's front-end page. Just try accessing the /media/cms/css/debug.css. Now you know my not-so-secret way of figuring out which site is Joomla! or not.

Before you ask, no, you can't block access to all tell-tale files and folders. That would brick your site. That's why we have an active firewall in Admin Tools: to prevent attacks, not to hide the fact that your site runs Joomla!. Even if you could hide all the files, nothing would stop an attacker from trying the most common exploits targeting (usually outdated) Joomla!, WordPress and Drupal sites. You know what? Even on our site which shouts that it's Joomla! we see attacks targeting old versions of WordPress every single day. No, script kiddies do not even try to guess what kind of site you have. They will just launch whatever they have at you and hope for the best. Firing at random sometimes yields results. You can't prevent random fire, you can armor up and make sure it doesn't touch you.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
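
Added example, not part of the ticket and not Admin Tools code: one way to observe the "random fire" described in the reply above in your own access log, by counting requests for paths that belong to a CMS the site does not run. The log lines are constructed, and every path signature other than `/media/cms/css/debug.css` is an assumed common default path rather than something taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format; IPs are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [28/Feb/2014:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Feb/2014:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Feb/2014:10:01:04 +0000] "GET /administrator/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Feb/2014:10:05:00 +0000] "GET /media/cms/css/debug.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Feb/2014:10:05:01 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.44 - - [28/Feb/2014:10:09:00 +0000] "GET /user/login HTTP/1.1" 404 512 "-" "curl/7.30"
192.0.2.44 - - [28/Feb/2014:10:09:01 +0000] "GET /wp-admin/ HTTP/1.1" 404 512 "-" "curl/7.30"
"""

# Assumed default paths per CMS (illustrative, not exhaustive).
SIGNATURES = {
    "wordpress": re.compile(r"^/(wp-login\.php|wp-admin(/|$)|xmlrpc\.php|wp-content/)"),
    "drupal": re.compile(r"^/(user/login|CHANGELOG\.txt|sites/default/)"),
    "joomla": re.compile(r"^/(administrator(/|$)|media/cms/|index\.php\?option=com_)"),
}
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')

def classify(path):
    """Return the CMS whose default paths match this request path, or None."""
    for cms, rx in SIGNATURES.items():
        if rx.search(path):
            return cms
    return None

def probes_by_client(log_text):
    """Map client IP -> {cms: number of requests for that CMS's paths}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        cms = classify(m.group(2))
        if cms:
            hits[m.group(1)][cms] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}

def untargeted_clients(log_text, installed="joomla"):
    """Clients that requested paths of a CMS this site does not run."""
    by_client = probes_by_client(log_text)
    return sorted(ip for ip, c in by_client.items() if any(k != installed for k in c))

if __name__ == "__main__":
    print(untargeted_clients(SAMPLE_LOG))
```

Clients returned by `untargeted_clients` never fingerprinted the site before probing it, which is the behaviour the reply describes.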
