#25381 Configuring ".htaccess Maker" and ActiveHelper Live Chat

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by on Friday, 12 August 2016 17:20 CDT

doglegs
Hello,

I am hoping to get your thoughts/suggestions.

I am attempting to configure ActiveHelper Live chat Software and am having difficulties getting it to work properly when using ".htaccess Maker". The Popup window displays a 404 - Category Not Found with the standard Joomla Page Not Found webpage.

If I replace ".htaccess Maker's" version with Joomla's default version then everything seems to be working fine.

As suggested by ActiveHelper: http://www.activehelper.com/Joomla/admin-tools-htaccess-maker-working-with-the-livehelp-server.html I have added the following to the "Allow direct access, including .php files, to these directories" section:

components/com_activehelper_livehelp/
components/com_activehelper_livehelp/server/
components/com_activehelper_livehelp/server/import/

I have also set “Reduce MIME type security risks” to NO (as suggested by ActiveHelper).

I continued to have the same issues until I edited ".htaccess Maker's" version of .htaccess and removed the following Rewrite Rule as suggested by ActiveHelper: http://www.activehelper.com/joomla/live-chat/errors/admin-tools-and-the-internal-server-error-500.html

RewriteRule (.*\.php)$ - [F]

Everything seems to be working now but each time I update using ".htaccess Maker" I am needing to manually edit/remove the Rewrite Rule.

I am wondering what kind of hole is this opening up and is there a better way to achieve whatever ActiveHelper is needing?

Thanks For Your Thoughts,
Brian

nicholas
Akeeba Staff
Manager
The suggestions they have on their pages essentially render the .htaccess Maker's generated .htaccess file pointless. It offers no protection. Instead of following their instructions just don't use the .htaccess Maker at all.

Otherwise they should provide us a list of .php files they are accessing directly so you can add them to the allow direct access to these files section of the .htaccess Maker.

That said, any extension that requires direct access to .php files and more importantly an extension that requires turning off all .htaccess Maker protections to work is NOT safe to use. All of these are very strong indications that its developers do not understand how Joomla! works. The one and only case where you absolutely need to access a .php file directly without going through Joomla! is when you are replacing Joomla's own file, i.e. restoring a backup or updating Joomla itself. Anything else is perfectly possible with a proper component, going through Joomla's index.php file. If a developer doesn't "get" how Joomla works there is a very high chance that they are making other major mistakes in their code. I recommend against using this component.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
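
One way to build the list of directly requested .php files that the reply above asks for, so that individual files can be reviewed instead of opening whole directories. This is an added example, not part of the original thread and not Akeeba or ActiveHelper code. The directory prefix comes from the ticket; the log lines, file names and function names are constructed, and the Apache "combined" log format is an assumption.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Directory from the ticket; file names and log lines below are constructed.
PREFIX = "/components/com_activehelper_livehelp/"

SAMPLE_LOG = """\
203.0.113.5 - - [12/Aug/2016:10:00:01 +0000] "GET /components/com_activehelper_livehelp/server/example_status.php?x=1 HTTP/1.1" 403 199 "-" "UA"
203.0.113.5 - - [12/Aug/2016:10:00:02 +0000] "GET /components/com_activehelper_livehelp/server/example_status.php HTTP/1.1" 403 199 "-" "UA"
203.0.113.9 - - [12/Aug/2016:10:00:03 +0000] "POST /components/com_activehelper_livehelp/server/import/example_config.php HTTP/1.1" 403 199 "-" "UA"
203.0.113.9 - - [12/Aug/2016:10:00:04 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "UA"
203.0.113.7 - - [12/Aug/2016:10:00:05 +0000] "GET /components/com_activehelper_livehelp/server/../server/example_status.php HTTP/1.1" 403 199 "-" "UA"
203.0.113.7 - - [12/Aug/2016:10:00:06 +0000] "GET /components/com_activehelper_livehelp/style.css HTTP/1.1" 200 812 "-" "UA"
203.0.113.7 - - [12/Aug/2016:10:00:07 +0000] "GET /components/com_other/example.php HTTP/1.1" 403 199 "-" "UA"
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')


def direct_php_hits(log_text, prefix=PREFIX):
    """Count direct requests to .php files under prefix, keyed by (path, status)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand
        # Drop the query string, decode %xx and collapse ../ so that each
        # file is counted once however the client spelled the URL.
        path = posixpath.normpath(unquote(urlsplit(m.group("target")).path))
        if path.startswith(prefix) and path.lower().endswith(".php"):
            hits[(path.lstrip("/"), int(m.group("status")))] += 1
    return hits


def allow_list_candidates(hits):
    """Unique site-relative paths, ready for per-file review before allowing."""
    return sorted({path for path, _status in hits})


if __name__ == "__main__":
    hits = direct_php_hits(SAMPLE_LOG)
    for (path, status), count in sorted(hits.items()):
        print(f"{count:4d}  {status}  {path}")
    print("Candidates:", *allow_list_candidates(hits), sep="\n  ")
```

Run against a real access log while the `RewriteRule (.*\.php)$ - [F]` rule is still in place, the 403 entries show exactly which files the chat component calls directly; each one is a file to review before entering it as a per-file exception.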

doglegs
It seems that ActiveHelper Live Chat is highly used and recommended within the Joomla Ext Directory but I just cannot afford to be taking chances with punching holes in AdminTools security. Can you recommend any chat components that work well with AdminTools and/or ".htaccess Maker"?

Thanks,
Brian

nicholas
Akeeba Staff
Manager
I don't have any hands-on experience with chat components. All the chat components I've seen so far through clients filing support requests seem to be horribly implemented, typically sidestepping Joomla and using their own directly accessible PHP files. That's a security nightmare: do you really trust a few dozen arbitrary PHP files to be directly accessible, without any guarantee that their data sanitization and database handling code has been reviewed by more than one person (in Joomla it's thousands of people doing that) and that their code is absolutely secure (even security-minded, experienced developers like me have an occasional security issue)? That's pretty much why I'm seeing other security-minded developers using chat services instead of a chat component for Joomla!.

Nicholas K. Dionysopoulos

Lead Developer and Director

