Support

Admin Tools

#9788 Password-protect Administrator protects not only administrator pages, but also the whole web

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Tuesday, 15 March 2011 05:19 CDT

Sunday, 13 March 2011 19:24 CDT

user33181
When I set up user name and password in Password-protect Administrator and click Password-protect button, .htaccess and .htpasswd files are correctly generated in my \administrator directory, so in case I want to access JOOMLA Administration (i.e. www.mydomain.com/administrator), the authentication is required. However, the authentication is required even when I try to access the main page, i.e. www.mydomain.com, either any web page on my site.

I have found no information about the issue in Admin Tools Doc, chapter "5. Protect your administrator back-end with a password" on page 15.

Thanks,
Edited by user33181 on 2011-03-13 19:38 CDT

Monday, 14 March 2011 03:37 CDT

nicholas
This feature adds a .htaccess and a .htapasswd file in your site's administrator directory. Every request made to any file or folder inside the administrator directory forces the browser to ask for a username and password.

In an ideal world where there are no clueless developers, the front-end and back-end of your site are completely isolated, i.e. a front-end component does not try to load any file from the administrator directory. That's security 101 for developers. That said, there are still a lot of incompetent developers without a security conscious bone in them. What they do is to reference files from the administrator directory within the front-end part of the component, e.g. CSS and Javascript files. One notorious example is Zoo. In that case, whenever you visit your site's front-end, the component will try to load one of those back-end files. The password protection .htaccess kicks in and forces the browser to ask for a username and password before delivering the file.

You can't do much about it. You can disable the password protection and ask the developer of the offending component to fix his code. That's all you can do.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Monday, 14 March 2011 05:32 CDT

user33181
I tried to search for "require_once" in frontend "\components" directory and I have found some references to backend, e.g. in file "\components\com_akeeba\akeeba.php", there is following reference:

require_once JPATH_COMPONENT_ADMINISTRATOR.DS.'akeeba'.DS.'factory.php';

There is also reference to backend in JOOMLA files, e.g. in file "\components\com_contact\controller.php":

require_once(JPATH_ADMINISTRATOR.DS.'components'.DS.'com_contact'.DS.'helpers'.DS.'vcard.php');

or also in file "\components\com_content\controller.php":

require_once (JPATH_ADMINISTRATOR.DS.'components'.DS.'com_frontpage'.DS.'tables'.DS.'frontpage.php');
require_once (JPATH_ADMINISTRATOR.DS.'components'.DS.'com_messages'.DS.'tables'.DS.'message.php');


Is the "require_once" statement the one which causes that frontend requires access to backend files and thus displaying authentication dialog while accessing the frontend?

Is there any possibility how to get information about which back-end files are requested by the frontend?

Thanks,

Monday, 14 March 2011 05:41 CDT

nicholas
It's not about the require_once. This is at the PHP level, no web server request involved. This is a safe method to include files. You have to take a look at the generated HTML. Look at the source of your front-end pages for URLs containing administrator/ and you will spot those files right away.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Monday, 14 March 2011 16:55 CDT

user33181
Thanks, this helped. Finally, I have found the backend files which were accessed via frotend and fixed those components to use only frontend files.

Anyway, now .htacces file protects the whole /administrator folder. However, I have following files:

/administrator/myfolder1/a.php
/Administrator/myfolder2/b.php

and I have to grant access to this files without requesting the authorization, i.e. these files are called by third party websites and I cannot provide those sites with my authentication information. So I have to make exception that access to these 2 files does not need authentication. How can I manage that?

Thanks in advance,

Tuesday, 15 March 2011 05:19 CDT

nicholas
To the best of my knowledge, there is indeed a way to do that. Create a .htaccess file inside the folders you want unprotected (myfolder1 and myfolder2 in your example) with the following contents:
Allow from all
Satisfy Any

Do note that HTTP Authentication is an all-or-nothing approach. You either protect an entire directory and all of its subdirectories or you leave an entire directory and all of its subdirectories unprotected. If you want to create public "interfaces" to these two PHP files and nothing but those two PHP files, there's another workaround possible. First, create a directory under your public web root, e.g. "interfaces". Then, create a file named a.php with the following contents:
<?php require_once dirname(__FILE__).'/administrator/myfolder1/a.php';

Similarly create b.php etc where you just require_once the necessary file. Since the "interface" file is outside your administrator directory, it is publicly accessible.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!