#37147 Htpassword protected administrator block my subdomain ?

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
very last one v3
PHP version
n/a
Admin Tools version
very last one

Latest post by nicholas on Tuesday, 17 May 2022 08:36 CDT

Chabi01

Hello :)

I have just added a password to protect my administrator.

This works very well.

Let's say my domain is "mydomain.com".

But this generates an issue: I use AcyMailing, and for the emails we have a subdomain "delivery.mydomain.com".

With the password, I get several messages from Admin Tools telling me the links are "blocked".

The links look like this:

http://delivery.mydomain.com/VTZQDB?id=62624=cExRVAVXUFACTgAMCgBTAARRBFQLAAAADQULAFQIDwRWBAJVVlVVVgIBBlgGUVdfVlweAVYNR1BbEnMeCFdZRF5RFQ1cC0gBWV9MCARRA1AGXFZTC1AKCQtRBl8YWUJCQwpOS1cACgtAV0JAHBdBCUcRAwFNCkVUFghWEktnYmxidCNbWgEaFAU=&fl=W0QVFAlKSQNdV1UXUAUeCloGCQddDEZF

(a unique code is used to identify and track the email link in AcyMailing).

My question is: how can I keep the password-protected administrator and, at the same time, allow this "subdomain"?

Thanks for your help :)

Xavier

nicholas
Akeeba Staff
Manager

The delivery.example.com subdomain is not a separate site. It's just a CNAME alias for your regular site www.example.com. Eventually it's just your main Joomla application which loads. Your problem has nothing to do with the use of a subdomain. It has to do with AcyMailing using static resources (JavaScript, CSS, images) located under the /administrator directory from the public frontend of the site.

As I have been telling them ever since they released their first version, this is WRONG and against Joomla's security best practices. Ever since Joomla 1.5, released in 2007 (15 years ago!), Joomla asks that all extensions put their static media files in a subdirectory of the media folder named after the extension's internal Joomla extension name. For AcyMailing that would be /media/com_acymailing, NOT /administrator/components/com_acymailing.

AcyMailing chooses to ignore this best security practice. Well, in two years Joomla 5 will be released and it will forcibly prevent access to static media files outside /media, /images and user-defined media source roots. AcyMailing will stop working because at this point they will have failed to heed fundamental security advice for fifteen years straight. I kept telling them they need to do it, they kept ignoring my advice at their own risk and peril. I've been contributing security features to Joomla for the past 13 years, I actually know about this stuff.

Anyway, there is a workaround for you right now. What you need to do is go to your site's administrator, Components, Admin Tools for Joomla and set “Administrator resources to protect” to “All PHP files”. This allows static media files to be accessed from the front-end.

You should really tell AcyMailing to stop including static media from the administrator directory. You may want to link them to this ticket reply. I am pretty sure they are completely unaware that their precarious solution will fall apart in two years' time when Joomla includes the Content-Security-Policy headers by default in new installations. Maybe this will finally give them the sense of urgency they need to fix their software. If not, well, Darwinian evolution is a thing in software too.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
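The two protection modes Nicholas contrasts above, shown as an added illustration in Apache .htaccess syntax. This is not the file Admin Tools generates and not AcyMailing's code; the .htpasswd path, realm name and file layout are placeholders, and the rules are assumed to live in /administrator/.htaccess of a Joomla site served by Apache 2.4.

```apache
# Added illustration, not the Admin Tools generated file.
# Location: /administrator/.htaccess (assumption). Paths and realm are placeholders.

# Variant A: everything under /administrator requires HTTP Basic auth.
# A front-end page that loads /administrator/components/<ext>/media/foo.js
# gets a 401 for anonymous visitors, which is the "blocked" symptom in this ticket.
# (Left commented out so it does not combine with Variant B.)
#
# AuthType Basic
# AuthName "Restricted area"
# AuthUserFile /path/outside/webroot/.htpasswd
# Require valid-user

# Variant B: only PHP scripts require auth; static assets (JS, CSS, images)
# under /administrator are served normally. This is the behaviour the
# "Administrator resources to protect: All PHP files" setting aims for.
<FilesMatch "\.php$">
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /path/outside/webroot/.htpasswd
    Require valid-user
</FilesMatch>

# Extensions that follow the Joomla convention keep their assets in
# /media/com_<name>/ instead, which sits outside this directory entirely
# and therefore needs no exception here.
```

To confirm the result, request the back-end entry point and a static asset from the command line: `curl -I https://www.example.com/administrator/index.php` should answer 401 without credentials, while a request for a .js or .css file under /administrator should answer 200. Keep the .htpasswd file outside the web root so it cannot itself be downloaded.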

Chabi01

Hi Nicholas,

First, thanks for this detailed explanation and the solution you gave me.

Then, I'm going to ask the Acyba team for some advice and will send them the link to this thread :)

Anyway, thanks for your valuable support :)

Wish you the best!

Xavier

nicholas
Akeeba Staff
Manager

You're welcome, Xavier!

Nicholas K. Dionysopoulos

Lead Developer and Director
