#10077 Security issues with "Administrator secret URL parameter" and "Password-protect Administrator" passw

Posted in ‘Admin Tools for Joomla! 4 & 5’


Latest post by nicholas on Tuesday, 01 November 2011 08:30 CDT

user33181
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the forum before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: 1.5.24
PHP version: 5.2
MySQL version: 5.0
Host: n/a
Admin Tools version: 2.1.10


Description of my issue:

Hi,

I use the latest version of Admin Tools Pro v2.1.10. I am facing 2 security problems:

1. I have set the "Administrator secret URL parameter" parameter in WAF, i.e. only a few characters from the set a-z, e.g. "asdf". However, I am still able to access the Joomla Admin page with the URL "https://www.mysite.com/administrator", i.e. without providing the parameter "?asdf" at the end of the URL. I didn't make any tests on HTTP, because all HTTP requests are redirected to HTTPS.

2. I have set an admin name and password in "Password-protect Administrator". The password is more than 15 characters long and it does contain special characters after the 9th character. I have noticed that I am able to log in by providing only the first 8 characters of the password. I have tried Firefox v6.0.2 as well as IE8, after first deleting all history, cached files and cookies.

Thank you,

nicholas
Akeeba Staff
Manager
1. Try using any other browser, ideally from another PC. It looks like Internet Explorer is sometimes caching the URL parameters you use to access your administrator page (I think it could be because of a third party plugin, as you're the second person reporting that and I still can't replicate it!), essentially allowing you to access the administrator page without manually entering the secret URL parameter. If you want to be convinced that this feature DOES work on Admin Tools 2.1.10, just try accessing https://www.akeebabackup.com/administrator (I am using 2.1.10 on this site). See?

2. It depends. If you are using a Windows-based server, the password has to be stored unencrypted in the .htpasswd file. In this case, if the 9th character is a colon (:) everything after it will be ignored. This is a known Apache limitation on Windows. In all other cases where the password is stored encrypted in .htpasswd, this should not be the case. I am not aware of an Apache limitation regarding the length of the password you can use.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
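The second answer above turns on how the `.htpasswd` file is parsed and compared. The following is an added example (not Admin Tools' or Apache's own code) that shows the two points a practitioner would want to check on their own file: the password field is everything after the first colon of a line, so a parser that splits on every colon silently truncates a plaintext password at the first colon it contains, and a correct comparison only ever accepts the whole password, never an 8-character prefix. The sample file contents, user names and passwords are constructed; the `{SHA}` entry is the base64(sha1) form that `htpasswd -s` writes, and the plaintext entry stands in for the Windows-only storage the answer mentions. The apr1-MD5, bcrypt and traditional crypt formats are outside this example and are deliberately refused rather than guessed at.

```python
import base64
import hashlib
import hmac

# Constructed sample .htpasswd contents (not taken from the ticket).
SHA_PASSWORD = "correct-horse:battery$staple"   # contains a colon on purpose
PLAIN_PASSWORD = "plain:text:with:colons"       # plaintext entry with colons
SAMPLE_HTPASSWD = "\n".join([
    "alice:{SHA}" + base64.b64encode(hashlib.sha1(SHA_PASSWORD.encode()).digest()).decode(),
    "bob:" + PLAIN_PASSWORD,
])

# Prefixes of the hashed formats this example refuses to verify (needs a real library).
UNSUPPORTED_PREFIXES = ("$apr1$", "$2y$", "$2a$", "$2b$")


def parse_htpasswd(text):
    """Return {user: stored_field}, splitting each line on the FIRST colon only.
    The stored field may itself contain colons, so it must be kept whole."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        entries[user] = stored
    return entries


def naive_parse_htpasswd(text):
    """The WRONG way: split on every colon and keep field [1].
    A plaintext password containing a colon loses everything after it."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            entries[fields[0]] = fields[1]
    return entries


def verify(stored, candidate):
    """Check a candidate against one stored field using a constant-time compare.
    Only the complete password can match; a prefix never does."""
    if stored.startswith("{SHA}"):
        digest = base64.b64encode(hashlib.sha1(candidate.encode()).digest()).decode()
        return hmac.compare_digest(stored[5:].encode(), digest.encode())
    if stored.startswith(UNSUPPORTED_PREFIXES):
        raise NotImplementedError("hash format not handled in this example")
    # Anything else is treated as a plaintext field (the Windows-style entry).
    return hmac.compare_digest(stored.encode(), candidate.encode())


def plaintext_users(text):
    """Audit helper: users whose password is stored unhashed."""
    return [u for u, s in parse_htpasswd(text).items()
            if not s.startswith("{SHA}") and not s.startswith(UNSUPPORTED_PREFIXES)]


def prefix_check(text, user, password, n=8):
    """Return (full_ok, prefix_ok): whether the full password verifies, and
    whether its first n characters alone would be accepted."""
    stored = parse_htpasswd(text)[user]
    return verify(stored, password), verify(stored, password[:n])


if __name__ == "__main__":
    print("correct parser :", parse_htpasswd(SAMPLE_HTPASSWD)["bob"])
    print("naive parser   :", naive_parse_htpasswd(SAMPLE_HTPASSWD)["bob"])
    print("alice full/prefix:", prefix_check(SAMPLE_HTPASSWD, "alice", SHA_PASSWORD))
    print("plaintext users  :", plaintext_users(SAMPLE_HTPASSWD))
```

Running `prefix_check` against your own entry with the real password is the quick way to confirm whether an 8-character prefix is accepted by the comparison itself; if it is not, the acceptance observed in the ticket is happening somewhere else (browser caching, a whitelist, or a hash format this example does not cover).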

user357
Hi there, I have the same issue with a site running J!1.7.2 and Admin Tools 2.1.10. I can get to the admin backend without supplying the URL parameter.

It is working fine on other sites that are running both J!1.5.24 and J!1.7.2. with Admin Tools.

Is there anyplace in particular we could look to help track this down?

nicholas
Akeeba Staff
Manager
It sounds as if the plugin is not fully installed and/or activated. Try the simple workaround:
- Download Admin Tools 2.1.10 installation ZIP package
- Go to Extensions, Manage and use Browse and Upload And Install to install the ZIP archive (do NOT uninstall Admin Tools before re-installing it)
- Go to Extensions, Plugin Manager and make sure "System - Admin Tools" is published.

If you are using Internet Explorer, do note that it appears that Internet Explorer caches the query parameters, so after the first time you visit your site's back-end with the secret query parameter, you don't have to use it for a long time in order to access your site. However, if you try any other browser, you will HAVE TO use the secret URL query parameter to access your site's back-end.

Nicholas K. Dionysopoulos

Lead Developer and Director


user357
That worked like a charm! Thanks!

nicholas
Akeeba Staff
Manager
You're welcome!

Nicholas K. Dionysopoulos

Lead Developer and Director


robert2301
Hi,

Same issue here. I tried the suggested fix, but it didn't work. Tested this with two different computers and with Safari and Firefox on each and it allows me to log in with just mysite.com/administrator.

nicholas
Akeeba Staff
Manager
There's also one more thing. If you add your IP address to either the Administrator IP Whitelist or the "Do not block these IPs" list in Web Application Firewall, then all Web Application Firewall protections are lifted from those IPs, including the secret word protection. The idea is that you add those IPs to either whitelist because you trust them and consider them as belonging to people not willing to hack your site. Therefore there is no need to protect your site against potential abuse from those "safe" IPs. So, have you added your own IP to either of those whitelists?

Nicholas K. Dionysopoulos

Lead Developer and Director

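The thread's two remaining explanations (the secret URL parameter in the first post, and the whitelist behaviour just described) come down to one decision: a request for `/administrator` is let through if the client IP is on either whitelist, and otherwise only if the secret word is present as a query parameter. The following added example (my own code, not Admin Tools' implementation, with hypothetical setting names) models that decision so you can test it against your own address before assuming the feature is broken. The secret word `asdf` is the ticket's example; the IP ranges are constructed documentation addresses standing in for "my own IP".

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed WAF settings (hypothetical names, not Admin Tools' configuration keys).
SECRET_PARAM = "asdf"
WHITELISTS = {
    "Administrator IP Whitelist": ["203.0.113.0/24"],
    "Do not block these IPs": ["198.51.100.7"],
}


def whitelists_containing(client_ip, whitelists=WHITELISTS):
    """Audit helper: names of every whitelist that covers client_ip.
    Non-empty means the WAF, secret word included, is switched off for this IP."""
    addr = ipaddress.ip_address(client_ip)
    hits = []
    for name, entries in whitelists.items():
        if any(addr in ipaddress.ip_network(e, strict=False) for e in entries):
            hits.append(name)
    return hits


def is_backend_url(url):
    """True for /administrator and anything below it."""
    path = urlsplit(url).path
    return path == "/administrator" or path.startswith("/administrator/")


def admin_request_allowed(url, client_ip, secret=SECRET_PARAM, whitelists=WHITELISTS):
    """Model of the access decision described in the ticket.
    Returns (allowed, reason) so the audit trail shows WHY a request passed."""
    if not is_backend_url(url):
        return True, "not a back-end URL"
    covering = whitelists_containing(client_ip, whitelists)
    if covering:
        return True, "IP whitelisted via " + ", ".join(covering)
    # keep_blank_values so a bare "?asdf" (no "=value") still counts as present
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if secret in query:
        return True, "secret URL parameter present"
    return False, "secret URL parameter missing"


if __name__ == "__main__":
    # Constructed requests: an outside IP with and without the secret, and a
    # whitelisted IP without it (the robert2301 case above).
    for url, ip in [
        ("https://www.mysite.com/administrator", "192.0.2.10"),
        ("https://www.mysite.com/administrator?asdf", "192.0.2.10"),
        ("https://www.mysite.com/administrator", "203.0.113.5"),
    ]:
        print(ip, url, "->", admin_request_allowed(url, ip))
```

If `whitelists_containing` reports your own address, the secret word is not being checked for you at all, which is exactly the situation resolved in the thread. Testing from an address that is not whitelisted (and, per the first answer, from a different browser) is the way to see whether the parameter is enforced for everyone else.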

robert2301
That was it. I had added my IP to both recently.
Thanks.

nicholas
Akeeba Staff
Manager
You're welcome!

Nicholas K. Dionysopoulos

Lead Developer and Director

