I appreciate neither your tone, nor the unfounded accusations.
As you are very well aware we are very conservative in the changes we make in our software. We are not Joomla, making changes for change's sake, with complete disregard as to whether sites will break. If the changes we make are not introducing new functionality, they are only made because they address a security, usability, or functionality issue; they are never done at random. No matter why a change is made, we take extreme care not to break your sites, and definitely not to lock you out of your sites. This has been the way I have operated as a software developer since I started releasing software well over 18 years ago, and one of the tenets of how I operate this company.
The minimum length of the Administrator Secret URL Parameter was raised to 4 characters in version 7.4.4 released on November 6th, 2023 – that is one year ago. I can see in your download history that you have been indeed upgrading to and using all of the fourteen (14) intermediate releases from 7.4.4 to 7.6.2. Which is to say, you were not bothered by it over an entire year. You just made the arbitrary assumption that we made a random change recently with complete disregard to how it impacts our clients. Quite simply put we didn't, and we'd never.
Further to that, the minimum length is not a functional limit, it is a soft input limit. What I mean by that is that if your Administrator Secret URL Parameter was under 4 characters it will continue working just fine for the purpose of authentication on your site's backend (you will NOT be locked out of your site), as long as your server allows it (we'll get back to that). The only difference is that when you try to save the Configure WAF page with an Administrator Secret URL Parameter which does not follow the new validation rules you will receive the message “The Administrator Secret URL Parameter is invalid. Please remember it can only consist of lowercase and uppercase latin letters without accents or diacritics (a-z and A-Z), numbers 0-9, dashes, and underscores. The first character cannot be a dash or underscore. It must be 4 to 64 characters long”.
There are multiple reasons for this change and they all have to do with the fact that the Administrator Secret URL Parameter is a URL query parameter a.k.a. a GET parameter; it just doesn't have a value which is why it's missing the equals sign (which incidentally is also why it needs to be at least four characters long, but no longer than 64 characters). There are restrictions about how these parameters can be named.
The restriction to not start with a non-alphanumeric character comes from the RFCs governing URL query parameters. A URL parameter whose name starts with a number or a special character is invalid, and it's really up to the server configuration whether it will be communicated at all to the PHP code executing. It is usually not communicated, therefore setting up such an Administrator URL Parameter does indeed lock you out of your site.
The restriction about only using A-Z, a-z, 0-9, dash, underscore, and dot comes from the fact that any other character MUST be URL-encoded. If you were to set up a secret URL parameter füb4R#2 on the site www.example.com then your administrator login URL would HAVE TO be https://www.example.com/administrator?f%C3%BCb4R%232 which is non-obvious for most people (even though we had clearly documented it). Beyond that, using certain characters such as question mark, pound sign, ampersand, and equals (even URL-encoded) could be considered invalid by some servers which would then block the request. Therefore, we upgraded the recommendation I had personally written into the documentation back in December 2010 to a requirement so that these issues locking you out of your sites would be avoided.
The minimum length of four characters actually has a dual reasoning. First of all, using 3 characters gives us a total number of 287,296 permutations which is trivial for an attacker to go through in a fairly limited amount of time (a few hours), therefore providing zero protection. Adding one more letter increases the total number of permutations to just shy of 20 million which as you may have noticed is nearly two orders of magnitude harder to brute-force.
Moreover, we had noticed that some servers would NOT acknowledge the existence of URL query parameters with names consisting of three or fewer characters if the parameter has no value. This means that allowing secret URL parameters of three or fewer characters would not only be insecure by definition, but would also lock the user out of their site because the server itself wouldn't acknowledge the existence of the URL parameter. That is to say, from PHP's (therefore Admin Tools') point of view it always looked like you were not using your secret URL parameter.
Considering that the change in question happened one year ago and you have since installed and used all fourteen (14) versions of our software containing this input validation change, it is obvious that your problem does not have to do with Admin Tools itself. Assuming by your very oblique wording that you are suddenly unable to log into your sites because Admin Tools does not seem to “see” your very short Administrator Secret URL Parameter, I would suspect a change either in Joomla itself, or your server. As far as I can see, Joomla! 5.2.1 has not made any changes in the way it handles URL query parameters, so I'd be inclined to think that your server recently made a configuration change. If it's the same change I observed about a year ago, it would be a mod_security2 rule in Apache. Again, this is nothing but borderline speculation as I have been given zero information about your issue, including what exactly the issue is. Which is to say, if my guesses about what your issue is and what you see are wrong then my explanation about its root cause will be wrong as well. Remember, I am a software developer, not a psychic; any appearances to the contrary are mostly because I tend to have seen similar issues and make educated guesses which are ever so slightly better than pure chance.
I understand that you are frustrated, but please don't take it out on us lobbing accusations based on arbitrary assumptions. Next time you have a problem ask politely and I can help you. Remember who you are talking to.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
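The three mechanics the reply above describes (the naming rule from the validation message, the mandatory percent-encoding of characters outside that set, and a query parser that silently drops a valueless parameter so the application never "sees" the secret) as an added, stand-alone Python example; this is not Admin Tools code, and the regex is my reading of the quoted message, not the product's own implementation.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed from the validation message quoted in the reply: first character a letter
# or digit, then letters, digits, dashes or underscores, 4 to 64 characters in total.
SECRET_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{3,63}$")


def is_valid_secret(secret: str) -> bool:
    """True when the secret would pass the stated naming rule, False otherwise."""
    return SECRET_RE.fullmatch(secret) is not None


def admin_login_url(host: str, secret: str) -> str:
    """Build the backend login URL for a secret; characters outside the allowed set
    must be percent-encoded, so 'füb4R#2' becomes 'f%C3%BCb4R%232' as in the reply."""
    # safe="" encodes every reserved character; letters, digits, '-' and '_' stay as-is.
    return f"https://{host}/administrator?{quote(secret, safe='')}"


def names_seen_by_app(url: str, keep_blank_values: bool) -> list[str]:
    """Parse the query string as a permissive (keep_blank_values=True) or a strict
    parser would, and return the parameter names the application gets to see.

    The secret is a name without a value ("?abcd"); a parser that discards blank
    values drops it entirely, which is the lock-out failure mode described above.
    """
    query = urlsplit(url).query
    return sorted(parse_qs(query, keep_blank_values=keep_blank_values).keys())


if __name__ == "__main__":
    for candidate in ("abcd", "abc", "_abcd", "füb4R#2"):
        print(f"{candidate!r:12} valid={is_valid_secret(candidate)}")
    print(admin_login_url("www.example.com", "füb4R#2"))
    login = "https://www.example.com/administrator?abcd"
    print("permissive parser sees:", names_seen_by_app(login, True))
    print("strict parser sees:    ", names_seen_by_app(login, False))
```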