#20290 waf secret parameter not working

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Tuesday, 17 June 2014 01:17 CDT

user68359
Even though I have WAF configured to autoblock anyone who triggers even a single security exception, and have a secret parameter set up, it would appear that people are getting through and getting failed admin passwords. This shouldn't be possible and worries me, as this website has been a target for a lot of hackers and I didn't realize they could get through like this.
Can you give me some ideas of why or how they are getting through and anything I can do to prevent it?
Thanks.

user68359
The only reason I saw the failed logins is because they triggered the exception of a failed admin login. It didn't even show up in the exceptions list, only in the block history list.

nicholas
Akeeba Staff
Manager
As we have explained many times: no, this DOES NOT mean that they got through. This has to do with the sequence of events in Joomla!'s load process. Joomla! will FIRST try to process a login authentication, THEN process the rest of the request. This means that the load order for Admin Tools protection is FIRST the failed login notification and THEN the secret admin URL parameter, rename admin URL and so on.

However, this is NOT a security issue. If a hacker sends the correct username and password but they do not have the correct administrator secret URL parameter, here's what happens. Joomla! sees the valid credentials and thinks "OK, I should switch the session and log them in". But Admin Tools sees the missing URL parameter and says "No, they have to be booted off our site's administrator section". The end result? The attacker sees a 302 redirection to the site's front page and they are NOT logged in. It is the same thing that happens when they have the wrong username and password, or just the wrong (or missing) secret URL parameter.

I know it's confusing to get this kind of email, but that's how Joomla! works under the hood. It's something we can't change, and even if we could, I still wouldn't touch it. There's a good reason Joomla! has this specific sequence of events taking place under the hood, and I agree that it's the correct way to do it from an IT security point of view. The only thing we could do is remove the "treat failed logins as security exceptions" feature (just like it was several versions ago).

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
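The ordering described in the reply above, as an added simulation that is not Joomla! or Admin Tools code: credentials are checked first (and a failed attempt is recorded as a security exception), the secret URL parameter is checked second, and a request without the parameter is bounced with a 302 regardless of whether the credentials were correct, so no session is ever established. The user names, passwords, IP addresses, the `sitesecret` parameter name, the auto-block threshold and the 403 for a blocked address are all constructed for the example.

```python
# Added simulation (not Joomla! or Admin Tools code) of the request ordering
# described in the reply: authentication first, secret URL parameter second.
# All names, credentials, IPs and the parameter name are constructed.
from __future__ import annotations
from dataclasses import dataclass, field

VALID_USERS = {"admin": "correct-horse-battery"}  # constructed sample credentials
SECRET_PARAM = "sitesecret"   # constructed: request must carry ?sitesecret=... (assumption)
AUTOBLOCK_THRESHOLD = 1       # "autoblock anyone who triggers even a single exception"


@dataclass
class Request:
    ip: str
    username: str | None = None
    password: str | None = None
    query: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    logged_in: bool


@dataclass
class Site:
    """Security-exception log plus the auto-block list (simulation state)."""
    exceptions: list = field(default_factory=list)   # (ip, reason, username)
    blocked_ips: set = field(default_factory=set)

    def record(self, req: Request, reason: str) -> None:
        self.exceptions.append((req.ip, reason, req.username))
        hits = sum(1 for ip, _, _ in self.exceptions if ip == req.ip)
        if hits >= AUTOBLOCK_THRESHOLD:
            self.blocked_ips.add(req.ip)


def authenticate(site: Site, req: Request) -> bool:
    """Stage 1 (standing in for Joomla!): credentials are checked before anything else."""
    if req.username is None:
        return False                      # no login attempt on this request
    if VALID_USERS.get(req.username) == req.password:
        return True
    site.record(req, "failed_login")      # this is the exception the e-mails report
    return False


def secret_parameter_present(req: Request) -> bool:
    """Stage 2 (standing in for Admin Tools): the secret URL parameter must be present."""
    return SECRET_PARAM in req.query


def handle_admin_request(site: Site, req: Request) -> Response:
    """Process one request to /administrator in the order the reply describes."""
    if req.ip in site.blocked_ips:
        return Response(403, logged_in=False)        # assumption: blocked addresses get 403
    authenticated = authenticate(site, req)          # runs FIRST
    if not secret_parameter_present(req):            # checked SECOND
        return Response(302, logged_in=False)        # bounced to the front page; no session kept
    return Response(200, logged_in=authenticated)


if __name__ == "__main__":
    site = Site()
    # Correct password, no secret parameter: 302 and NOT logged in.
    print(handle_admin_request(site, Request("198.51.100.7", "admin", "correct-horse-battery")))
    # Wrong password, no secret parameter: failed login recorded, address auto-blocked, still 302.
    print(handle_admin_request(site, Request("198.51.100.8", "admin", "wrong")))
    print(site.exceptions, site.blocked_ips)
```

The point the simulation makes is that the failed-login entry in the log is written by stage 1 before stage 2 has had its say; it records that somebody guessed a password, not that the guess led anywhere. A correct guess without the parameter and a wrong guess without the parameter both end in the same 302 with `logged_in=False`.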
