#9890 Exceptions Clarification

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Friday, 03 June 2011 01:22 CDT

user1146
Been reading all the docs and info. Good stuff.

Have a question though. When listing an extension in "Allow direct access, except .php files, to these directories" field, if a path is "siteroot/cache/extension" does that create a hole in security as a malicious user can get into the "upstream" directories, such as "/cache" or are they limited to access only to the "/extension" directory?

Hope that makes sense. Thanks in advance.

slaes
No, they will be limited to the files within the final /dir. The rules are directory-specific.

You can test this yourself by putting files into previous dirs and trying it.

user1146
Thanks. Needed to know if I should dump an extension. Seems as if it is ok.

Have no idea how to check this as you suggest. A PM might be a better format to communicate.

Thanks again.

nicholas
Akeeba Staff
Manager
When you add a directory exception, here's how it works. When you tell it to allow access to components/com_foobar/something then all contents of the components/com_foobar/something directory in your site's root and all of the contents in its subdirectories are accessible, except for PHP files.

Here's how to test it. First, create a small file called test.php containing this:
<?php echo('You should never see this message');
and upload it into this directory you have allowed. Then, in your browser, try accessing http://www.example.com/components/com_foobar/something/test.php (where example.com is the domain name of your site). You should get a 403 Forbidden reply. If you see "You should never see this message", check your settings, as it's something that should never happen on a site where .htaccess Maker has run and there was no exception which allows PHP files to run applied in its configuration.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
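
The manual test described in this thread, scripted as an added example (not part of the ticket and not Akeeba's code). It assumes you have uploaded test.php and a static file into the exception directory, and the same static file into its parent directory; the name probe.txt and the functions `http_fetch` and `check_exception` are hypothetical.

```python
import urllib.error
import urllib.request

CANARY = "You should never see this message"  # text echoed by the ticket's test.php

def http_fetch(url):
    """GET url and return (status, body); HTTP error codes are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""

def check_exception(base_url, exception_dir, fetch=http_fetch):
    """Return a list of problems found for one directory exception (empty list = OK).

    Assumes test.php and probe.txt (hypothetical name) were uploaded into the
    exception directory, and probe.txt into its parent directory, beforehand.
    """
    base, inside = base_url.rstrip("/"), exception_dir.strip("/")
    parent = inside.rpartition("/")[0]  # "" when the exception is a top-level directory
    problems = []

    status, body = fetch(f"{base}/{inside}/test.php")
    if status == 404:
        problems.append("test.php not found: upload it before testing")
    elif status != 403:
        # Executed output is exactly the canary; raw source would include "<?php".
        detail = "PHP executed" if body.strip() == CANARY else "not blocked"
        problems.append(f"test.php returned {status} ({detail}); expected 403")

    status, _ = fetch(f"{base}/{inside}/probe.txt")
    if status != 200:
        problems.append(f"probe.txt in exception dir returned {status}; expected 200")

    if parent:
        status, _ = fetch(f"{base}/{parent}/probe.txt")
        if status == 200:
            problems.append(f"probe.txt in parent '{parent}' is reachable; exception too broad")
    return problems

if __name__ == "__main__":
    # Constructed responses standing in for a correctly protected site (no network used).
    site, exc = "http://www.example.com", "components/com_foobar/something"
    fake = {f"{site}/{exc}/test.php": (403, ""), f"{site}/{exc}/probe.txt": (200, "ok")}
    print(check_exception(site, exc, lambda url: fake.get(url, (403, ""))) or "exception OK")
```

Against a live site, call `check_exception("https://your-site", "cache/extension")` with the default fetcher, then delete the uploaded probe files.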
