#28572 Admin White List Anomaly

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Sunday, 05 November 2017 17:17 CST

mikem22
Hi there,

I just noticed a couple of IPs had been inserted into my Admin Tools Administrator Whitelist IP section.

It seems that these are something to do with Perfect Dashboard. There is also a folder that has appeared,

/perfectdashboard_backup_oD8Oz/

Are these anything to do with Admin Tools? Looking at the PHP file, it shows the code below:

Which seems to imply it is something to do with Akeeba. I can't seem to find anything in the Akeeba updates about this software, or why it would need to add entries to the administrator white list.

/**
* Akeeba Restore
* A JSON-powered JPA, JPS and ZIP archive extraction library
*
* @copyright 2010-2016 Nicholas K. Dionysopoulos / Akeeba Ltd.
* @license GNU GPL v2 or - at your option - any later version
* @package akeebabackup
* @subpackage kickstart
*/
/**
* Perfect Dashboard override
* Don't initialize static variables inside of a method, because when another class extends it,
* it will probably break the Zend OPcache interpreter.
*
* example of this problem.
* class a
* {
* public function b()
* {
* static $c;
* }
* }
* class b extends a {}

tampe125
Akeeba Staff
Hello,

It seems Perfect Dashboard is injecting those IP addresses automatically, so they won't be blocked.
I think you should get in touch with them; those files are not part of Admin Tools: they are using a freely available script developed by Akeeba.

Davide Tampellini

Developer and Support Staff

🇮🇹Italian: native 🇬🇧English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

mikem22
Thanks for the update, I don't use Perfect dashboard so don't know where this came from. I have deleted the folder and corresponding database entries.

I guess it may have come from another component, but if any component is injecting admin IPs into the white list without notifying the user, this is not good as it will raise suspicion on the third party tool (Perfect Dashboard). Is there a way of getting a notification when an Admin white list entry is added or changed?

If perfect dashboard can inject a white-list entry, then that is a very worrying scenario, presumably a plugin can read configuration.php and gain access to private information. An Admin white list entry can mean that a baddie can log in.

Mike

nicholas
Akeeba Staff
Manager
It should be self-understood, but ANY AND ALL SOFTWARE YOU INSTALL INSIDE JOOMLA CAN READ AND WRITE TO YOUR DATABASE AND configuration.php BY DEFINITION. I am typing this in all caps because it is VERY IMPORTANT. The weakest link in cybersecurity is humans - especially those with misconceptions about what the software does and doesn't do.

Please note that neither Perfect Dashboard nor any other service can magically install software on your site. You or someone else with admin access on the site or the server gave them permission to. Firewalls are designed to keep unauthorized users outside of the system. Authorized users, like you, are supposed to get in. If the authorized user logs in and allows the installation of software that violates his trust, that's not the concern of the firewall.

Finally, we cannot notify you of every change made to the database. This is not unwillingness or incompetence. Doing so would require having a way to know the previous state so we can compare it with the current state. If that was either a database entry or a file, the software that injects the additional entry would simply change that "memory", therefore nullifying the point of its existence. At the same time we would need to make a plethora of database queries on each and every page load on your site, making your site unbearably slow. To me, this kind of "feature" is outright stupid: it offers no added benefit, it can be circumvented trivially and it's just a nuisance. It would only make people wonder "what were you thinking". Pretty much like the gate depicted below.


Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
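The reply above argues that an in-site change monitor is pointless because whatever injects a whitelist entry can also rewrite the stored baseline. The script below is an added example (not Admin Tools or Akeeba code) of how a site owner can do the comparison out of band instead: it assumes the whitelist is exported as (ip, description) rows by a cron job running outside the Joomla site, and that the baseline and its HMAC key sit on a path the web server user cannot write; all IPs and names in it are constructed.

```python
"""Out-of-band change detector for an administrator IP whitelist (added example).

Assumptions, not taken from the ticket: rows are exported as [ip, description]
pairs, the script runs from cron OUTSIDE the site, and baseline + key live where
the web server user has no write access. Keying the baseline with a secret the
site cannot read is what stops an extension inside Joomla from "fixing" the
stored memory to hide its own change, which is the objection raised above.
"""
import hashlib
import hmac
import json


def whitelist_fingerprint(rows, key: bytes) -> str:
    """Keyed digest of the canonicalised (sorted) whitelist; row order is irrelevant."""
    canonical = json.dumps(sorted(rows), separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def diff_whitelist(baseline_rows, current_rows):
    """Return (added, removed) entries between the baseline and the live table."""
    old, new = set(map(tuple, baseline_rows)), set(map(tuple, current_rows))
    return sorted(new - old), sorted(old - new)


def check_whitelist(current_rows, baseline: dict, key: bytes) -> dict:
    """Verify the baseline's MAC first, then compare it with the live rows.

    A baseline whose MAC does not verify is reported as tampering, never as
    'unchanged', so rewriting the stored memory cannot silence the alert.
    """
    expected = whitelist_fingerprint(baseline["rows"], key)
    if not hmac.compare_digest(expected, baseline["mac"]):
        return {"ok": False, "reason": "baseline MAC mismatch", "added": [], "removed": []}
    added, removed = diff_whitelist(baseline["rows"], current_rows)
    if added or removed:
        return {"ok": False, "reason": "whitelist changed", "added": added, "removed": removed}
    return {"ok": True, "reason": "unchanged", "added": [], "removed": []}


# Constructed sample data: the admin's baseline, then a live snapshot in which
# a third-party extension has silently appended an entry (constructed values).
KEY = b"constructed-demo-key-stored-outside-the-site"
BASELINE_ROWS = [["203.0.113.10", "office"], ["198.51.100.7", "home"]]
BASELINE = {"rows": BASELINE_ROWS, "mac": whitelist_fingerprint(BASELINE_ROWS, KEY)}
LIVE_ROWS = BASELINE_ROWS + [["192.0.2.55", "injected by extension"]]

if __name__ == "__main__":
    print(json.dumps(check_whitelist(LIVE_ROWS, BASELINE, KEY), indent=2))
```

Run it from cron with the live rows dumped from the database; any result with `ok` false is worth an alert, and a MAC mismatch means the baseline itself was touched.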
