#28019 allow direct access to json - a security risk ?

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post on Thursday, 27 July 2017 17:17 CDT

PawWest
Hi!

I'm a bit confused when I'm reading the posts in this forum and on other sites, so that's why I ask this question.

I have a module that will only show on the frontend when I allow direct access in .htaccess.

But is this a security risk?

It's a JSON file.

What can public users or hackers do with this JSON file?


Best Regards

nicholas
Akeeba Staff
Manager
I assume that by "module" you don't actually mean a Joomla! module because these render inside Joomla! and are most definitely not JSON files.

Are you asking me if you can allow direct access to a static .json file? If so, yes, it's safe.

Are you asking me if you can allow direct access to a .php file which generates JSON output? No, I CANNOT guarantee it's safe. This is the whole point of me saying that you shouldn't allow direct access to arbitrary .php files, no matter what they do, whether they return output and, if they do return output, what format it comes in. This is irrelevant. The only thing relevant is HOW that file works under the hood. Since it runs outside Joomla! we know that a. all the automatic protections built into Joomla! over the last 15 years will NOT be applied, b. all the automatic protections offered by Admin Tools will NOT be applied and c. it's up to its developer to make sure everything is being handled securely. The latter is not a given. Many years ago millions of WordPress (and other) sites were hacked because an image thumbnail script called TimThumb had a security flaw and developers using it never bothered to update it. None of them thought a small script that resizes images would be important, yet millions of hacked sites later these people were forced to take security more seriously.

As a rule of thumb, allowing direct access to static content is fine. Direct access to dynamic content (i.e. .php files in most cases) is NOT safe. If you need dynamic content, go through a Joomla! component, written by someone who follows Joomla! standards and best practices, to minimize the risk. If you cannot do that, audit the dynamic code. Anything else includes an unknown risk, much like driving around without a seat belt or smoking: it's not necessarily the case that you'll get harmed, but the odds are against you - and the kind of harm you'd be subjected to in this case is substantial.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
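The static-versus-dynamic distinction above, expressed as .htaccess rules (an added example, not Admin Tools' generated rules and not from the original post; the path modules/mod_example/data.json is a hypothetical placeholder for the third-party module's file):

```apache
# Constructed example: whitelist one static .json file for direct access
# while keeping every other file under modules/ behind Joomla!'s index.php.
RewriteEngine On

# 1. The static JSON file has no server-side logic, so serving it directly
#    only discloses its contents. Match it first and stop rule processing.
RewriteRule ^modules/mod_example/data\.json$ - [L]

# 2. Any .php file under modules/ would run outside Joomla!'s and Admin Tools'
#    protections if requested directly. Refuse such requests with 403.
RewriteRule ^modules/.*\.php$ - [F,L]

# 3. Everything else under modules/ is likewise denied; the module's assets
#    reach the browser only when Joomla! itself renders them.
RewriteRule ^modules/ - [F,L]
```

Rule order matters: the whitelist must precede the deny rules, and the whitelist pattern should name the exact file rather than a wildcard such as `.*\.json$`, which would also pass a `.json` file later replaced by something else.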

PawWest
@Nicholas

Thank you for a speedy, good and helpful answer.

It's a third-party module and it's only a .json file, not a .php, so I should be good then.


best regards

pawwest

nicholas
Akeeba Staff
Manager
Yes, as long as it's a static .json file you can safely allow it. A static .json file doesn't have any logic, it doesn't "do" anything on your server. Therefore it cannot be used to hack your site.


PawWest
Since I have to ask this question, you know I'm a noob :-)

How can I tell if it's static?

nicholas
Akeeba Staff
Manager
If it's not a .php file it's not dynamic, hence it's static.


PawWest
OK, thank you for taking the time to answer noob questions :-)

Now I'm a little bit wiser :-)

nicholas
Akeeba Staff
Manager
You're welcome!


System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
