#23726 why are we still getting notices of attempted logins after adding secret url parameter

Posted in ‘Admin Tools for Joomla! 4 & 5’
Environment Information

Joomla! version: n/a
PHP version: n/a
Admin Tools version: n/a

Latest post by on Friday, 18 December 2015 17:20 CST

aimlesslady
As I understood it, unless someone knows the secret URL parameter word, they can't get to the backend login page. If they can't get to the page, they can't attempt to log in. We have added a secret URL parameter, but we are still getting notices of attempted logins. How is this happening?

dlb
Admin Tools does not stop them from trying, it stops them from succeeding.

What you are seeing is attempted logins that were blocked by Admin Tools because they didn't know the secret parameter.


Dale L. Brackin
Support Specialist


English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5)

aimlesslady
But how did it capture the username and password if they couldn't access the login page?

dlb
Under most circumstances that should not happen.

When you log in using the secret parameter, a "Knows the Secret" cookie is set. For the remainder of that browser session, the cookie will allow you to access the login screen without the secret parameter.

An IP address in the whitelist is not required to use the secret parameter. That IP address is given the login page with or without the parameter.

It may be possible to send the user ID and password to the login form from a script; I would have to check with Davide and Nicholas on that. Actually, I know you can send it with a script; that's how many attacks are done. What I don't know is if Admin Tools would save the user and password under those circumstances.


Dale L. Brackin
Support Specialist

dlb
I just talked to Nicholas; he confirmed my guess that a script was passing the user ID and password to the form that it thought was there. It can't get to the login form.


Dale L. Brackin
Support Specialist
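
The behaviour described in this thread, as a simplified model added here for illustration (it is not Admin Tools' code and not part of the original posts): a gate in front of the admin login that allows whitelisted IPs, cookie holders and requests carrying the secret, and records everything else, including credentials a script POSTs to a form it was never served. The cookie name, the secret value, the sample IPs and the assumption that the secret is passed as a bare query parameter are all hypothetical.

```python
# Simplified model of a secret-URL-parameter gate in front of an admin login.
# Hypothetical names throughout; this is not Admin Tools' implementation.
from dataclasses import dataclass, field

SECRET = "example-secret"        # constructed sample value
COOKIE = "knows_secret"          # hypothetical cookie name
WHITELIST = {"203.0.113.10"}     # constructed sample (documentation IP range)


@dataclass
class Request:
    ip: str
    method: str = "GET"
    query: dict = field(default_factory=dict)    # URL parameters
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)     # POSTed fields


def gate(req, log):
    """Return (decision, cookies_to_set) for a request to the admin URL."""
    if req.ip in WHITELIST:
        return "allow", {}                 # whitelisted IP: no secret needed
    if req.cookies.get(COOKIE) == "1":
        return "allow", {}                 # proved knowledge earlier this session
    if SECRET in req.query:                # assumption: secret is a bare parameter
        return "allow", {COOKIE: "1"}      # set the session cookie
    # Blocked. A script can still POST credentials to a form it never saw,
    # so the block shows up in the log as an attempted login.
    entry = {"ip": req.ip, "reason": "missing secret parameter"}
    if req.method == "POST" and "username" in req.form:
        entry["attempted_username"] = req.form["username"]
    log.append(entry)
    return "block", {}


if __name__ == "__main__":
    log = []
    scripted = Request("198.51.100.7", "POST",
                       form={"username": "admin", "password": "guess"})
    print(gate(scripted, log))                                   # blocked
    print(gate(Request("198.51.100.7", query={SECRET: ""}), log))  # allowed
    print(log)   # one entry: the blocked scripted POST
```
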

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
