#9950 Joomlawatch

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Thursday, 14 July 2011 02:56 CDT

TurnTex
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the forum before posting? Yes
Have I read the documentation before posting (which pages?)? All
Joomla! version: 1.5.23
PHP version: 5.2.17
MySQL version: 5.1.56-community-log
Host: Bluehost.com dedicated IP
Admin Tools version: Latest


Description of my issue:

Nicholas,

Do you know anything about JoomlaWatch? I have run it on my site for a number of years now for stats and such and really like it. However, I am wondering if you would consider it a security risk for any reason. I had to add about 6 exceptions in my .htaccess in order for it to work. Any insight you could provide would be appreciated. If you think it is a security risk, do you have any suggestions for alternative components? Thanks in advance.

nicholas
Akeeba Staff
Manager
Hi!

I have never used JoomlaWatch. I always found it more convenient (and safer) to use Google Analytics. Without knowing what each PHP file you had to create an exception for is doing, I can't vouch for the security or lack thereof of this extension.

In any case, I would at least classify it as "suspicious security-wise". Needing six exceptions means that all of the tracking is done by PHP scripts that do not go through Joomla!'s index.php file. This means that if there is an SQL injection, XSS, CSRF, RFI, LFI or other vulnerability in any of those six files, nothing will protect you (Admin Tools sits between the request and Joomla!, not between the request and any arbitrary PHP file).

So, my educated guess is that the extension is potentially insecure. My suggestion is to never skip an upgrade when one is offered, as any security vulnerability is very likely to cause a big problem if left unpatched for a few days.

Nicholas K. Dionysopoulos

Lead Developer and Director
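
A defender-side check for the situation described in the reply above, as an added example that is not part of the original thread or of Admin Tools: it scans web server access log lines for PHP scripts that answered requests without going through Joomla!'s index.php. The Combined Log Format, the front-controller list and the sample paths (`com_example`, `mod_example`) are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Entry points that route through the Joomla! application (assumption; adjust per site).
FRONT_CONTROLLERS = {"/index.php", "/administrator/index.php"}

# Request line and status code of a Common/Combined Log Format entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# The script part of a path, including PATH_INFO style URLs (/x.php/extra runs x.php).
SCRIPT_RE = re.compile(r"(.*?\.php)(?:/|$)", re.IGNORECASE)


def direct_php_hits(lines):
    """Count answered requests (2xx/3xx) per .php script that is not a front controller."""
    hits = Counter()
    for line in lines:
        entry = LOG_RE.search(line)
        if not entry:
            continue  # not a parseable request line
        script = SCRIPT_RE.match(urlsplit(entry.group("target")).path)
        if not script:
            continue  # static file or SEF URL without a .php component
        script_path = script.group(1)
        if script_path.lower() in FRONT_CONTROLLERS:
            continue  # went through Joomla!, so request filtering applied
        if entry.group("status")[0] in "23":
            hits[script_path] += 1  # the server executed this file directly
    return hits


# Constructed sample log lines (documentation IP ranges, hypothetical extension paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jul/2011:02:10:01 -0500] "GET /index.php?option=com_content&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Jul/2011:02:10:02 -0500] "GET /components/com_example/track.php?rand=17 HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Jul/2011:02:11:40 -0500] "POST /components/com_example/track.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Jul/2011:02:11:41 -0500] "GET /modules/mod_example/ajax.php/x HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Jul/2011:02:12:05 -0500] "GET /plugins/system/blocked.php HTTP/1.1" 403 199 "-" "curl/7.21"',
    '198.51.100.9 - - [14/Jul/2011:02:12:09 -0500] "GET /index.php/about-us HTTP/1.1" 200 4810 "-" "curl/7.21"',
]

if __name__ == "__main__":
    for path, count in direct_php_hits(SAMPLE_LOG).most_common():
        print(f"{count:5d}  {path}")
```

Each path it reports is a file whose input handling has to be reviewed on its own, and the list can be compared against the exceptions configured in .htaccess.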
