Support

Admin Tools

#20866 admin secret url discovery

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Friday, 05 September 2014 08:56 CDT

Friday, 05 September 2014 04:04 CDT

speru
 Admin tools is an exceptional component and should be the first component installed on every Joomla site. I have used it for many years and it has proved invaluable.

This question relates to the discovery of the admin secret url parameter.
I have configured a secret parameter and also added my (fixed) ip to the admin whitelist.
I know that accessing the admin area from my ip circumvents the secret url parameter as I am in the white list, however, I am seeing attempts on the admin page that now include my secret url parameter. These are being succesfully intercepted by admin tools (becasue of the ip whitelist) and logged as security exceptions and blocked.

As my secret url parameter is a long random text string it seems unlikely that this would be guessed, so my question is how are they revealing the parameter?

As access attempts are currently being blocked because of the admin ip whitelist it is not currently a security breach. However, when I travel and need to access the site from other locations, I uncheck the 'allow only access via the admin whitelist' (as I do not know what the ip might be)
In that event, discovery of the secret url parameter is an issue.

Very Best Regards
Graham

Friday, 05 September 2014 04:50 CDT

nicholas
Browser extensions can steal your otherwise secret URLs. Read the complete horror story in http://arpitnext.com/chrome-extension-awesome-screenshot/ I think you got pwned by a browser extension or some other seemingly innocuous software running on your computer, secretly subverting the URLs you visit to a shady entity. If you thought that moles and double agents only belong in cop & spy flicks, think again.

Also note that in the case of Awesome Screenshot mentioned in this article you don't even have to use it. All it takes is have it installed on your site. It will report all of the URLs you are visiting, not just the ones you took a screenshot with it. Sadly, it's not the first or the last shady software, just the most installed one.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 05 September 2014 05:46 CDT

speru
I am running Ubuntu and Firefox with webdeveloper and adblock edge extensions. I tend to be quite paranoid about security and whilst I hear what you are saying, it is interesting that of the twenty sites I run, only one has had the secret admin url compromised.
I will investigate further, but you are confident that the url parameter cannot be discovered from the site itself, but only by security leakage at my end.
Many thanks for your prompt reply

Graham



Friday, 05 September 2014 08:56 CDT

nicholas
Nothing stops someone from trying to guess it, i.e. try different URLs until they get a login page. However, you should have seen a lot of requests until someone hit the jackpot. Perhaps there are other people who have back-end access to the site who have shady extensions / malware installed on their computer?

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!