#9739 Secret URL parameter

Posted in ‘Admin Tools for Joomla! 4 & 5’
Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Friday, 18 March 2011 07:14 CDT

user14341
Hi

I've been having some issues with the Secret URL parameter or .htaccess protection of the admin backend.

I've found that you can access urls directly if you enter the address such as administrator/component/com_something/something.txt

Is it possible to shut that down?

A little cosmetic issue too - on one site it redirects to administrator/?word but on another it redirects to administrator/index.php?word

nicholas
Akeeba Staff
Manager
The secret URL parameter only protects the administrator login page. It doesn't protect the files inside the administrator directory. In order to require a username and password every time anyone requests a file from the administrator directory please use the administrator password protection feature of Admin Tools.

Regarding the second remark, it's all about the server setup. Some servers redirect access to a directory to the index.php page with an internal redirect, others with an external redirect. In the former case you have administrator/?key, in the latter you get administrator/index.php?key.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user14341
I forgot to say thanks for the reply.

My thought was to block access to anything in the backend unless it was accessed via a query string. However, I'd of course forgotten that it would wipe out accessing resources from the backend (images/css etc). It would be nice to shut down the ability for hackers to probe via an address that was in the administrator domain like: administrator/component/com_something/log/log.html

Of course, I could just use the admin password, but it's just a pain...

nicholas
Akeeba Staff
Manager
WAF is a Joomla! plugin. It can only block what's being accessed by running Joomla!. Static resources are not delivered by Joomla!, they are delivered by your web server. As a result you need a solution which applies filtering directly to the web server. The only such viable solution is a .htaccess file in order to apply a password to the whole administrator directory.

Nicholas K. Dionysopoulos

Lead Developer and Director

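As an added illustration of the web-server-level protection described above (example configuration, not code from the thread or from Admin Tools), this is an Apache .htaccess placed in the Joomla! administrator/ directory. It assumes Apache 2.4 with AllowOverride AuthConfig permitted for that directory; the .htpasswd path is a placeholder.

```apache
# Added example: .htaccess for the Joomla! administrator/ directory.
# The web server evaluates this before any request reaches PHP, so it
# covers static files (images, CSS, .txt or .html under components/...)
# as well as index.php, which a Joomla! plugin such as the WAF cannot do
# because those files are never served through Joomla!.
#
# Assumptions: Apache 2.4, AllowOverride AuthConfig enabled for this
# directory. The AuthUserFile path is a placeholder; keep the password
# file outside the web root so it cannot itself be requested.
AuthType Basic
AuthName "Joomla! administrator area"
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user
```

Once in place, every request below administrator/ (login page, component files, log files, stylesheets) must pass HTTP Basic authentication before the server returns anything.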

user14341
Ah, I'm not explaining my thoughts well. I'm aware it's separate and an .htaccess function. Thanks/sorry.

Hope I don't make it onto your Twitter "twit" list... ;)

nicholas
Akeeba Staff
Manager
Oh, no worries. I know you understand it, I just made the clarification for future searches. Of course, I should have started my post with "For the benefit of future searches..." but I forgot it. Oops!

Nicholas K. Dionysopoulos

Lead Developer and Director

