#23415 Secret URL parameter does not work

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Friday, 09 October 2015 02:58 CDT

kuk
I updated Admin Tools to version 3.6.2 and now recognize that the 'Administrator Secret URL Parameter' does not work - it will always be passed. At first I thought this was caused by the IP whitelist, but I disabled this feature with the same negative result. Do you have any advice for me?

nicholas
Akeeba Staff
Manager
It actually does work, as I can tell from our own site, my blog and all the dev sites I have on various servers – not to mention the automated tests.

Just to clarify, if your user session is still active then indeed the Administrator Secret URL Parameter check is skipped since the session flag which tells us that the correct parameter is entered is already present.

This session related exception from checking also applies when you are logging out of the back-end of your site. The flag is set after logging you out to prevent a security exception being raised every time you simply log out of your site. For this reason it's best to clear your cookies, or use a browser which has never logged in to your site before, to test whether this feature actually does work.

Moreover, if your IP address is present in the "Do not block these IPs" list OR if the domain name to which your IP address resolves is listed in the "Whitelisted domains" then the check is not applied to you.

Apart from that you must make sure that the "System - Admin Tools" plugin is enabled and published as the first system plugin for the check to work properly.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
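
A small troubleshooting model of the skip conditions described in the reply above, added here as an illustration; it is not part of the ticket and is not Admin Tools' code. The class and function names, the sample addresses and secret, the order of the checks and the subdomain matching are assumptions.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Config:
    secret: str
    plugin_enabled: bool = True
    plugin_first: bool = True              # published as the first system plugin
    never_block_ips: set = field(default_factory=set)
    whitelisted_domains: set = field(default_factory=set)

@dataclass
class Visit:
    ip: str
    resolved_host: Optional[str] = None    # reverse-DNS name of ip, if any
    session_flag: bool = False             # set after a correct parameter or a logout
    supplied_param: Optional[str] = None

def domain_listed(host, domains):
    # Assumption: a listed domain also covers its subdomains, nothing else.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in (x.lower() for x in domains))

def evaluate(visit, cfg):
    """Return (outcome, reason) for a request to the back-end login page."""
    if not cfg.plugin_enabled:
        return "not enforced", "System - Admin Tools plugin is disabled"
    if not cfg.plugin_first:
        return "unreliable", "plugin is not the first system plugin"
    if visit.session_flag:
        return "skipped", "session flag present (active session or recent logout)"
    if visit.ip in cfg.never_block_ips:
        return "skipped", "IP is in the 'Do not block these IPs' list"
    if domain_listed(visit.resolved_host, cfg.whitelisted_domains):
        return "skipped", "IP resolves to a whitelisted domain"
    if visit.supplied_param and hmac.compare_digest(visit.supplied_param, cfg.secret):
        return "allowed", "correct secret parameter supplied"
    return "blocked", "secret parameter missing or wrong"

# Constructed sample data (not taken from the ticket).
CFG = Config(secret="s3cretword", never_block_ips={"192.0.2.10"},
             whitelisted_domains={"example.net"})
CASES = {
    "fresh browser, no parameter": Visit(ip="203.0.113.5"),
    "fresh browser, right parameter": Visit(ip="203.0.113.5", supplied_param="s3cretword"),
    "stale cookies after logout": Visit(ip="203.0.113.5", session_flag=True),
    "internal whitelisted IP": Visit(ip="192.0.2.10"),
    "whitelisted reverse DNS": Visit(ip="198.51.100.7", resolved_host="gw.example.net"),
}

if __name__ == "__main__":
    for name, visit in CASES.items():
        print(f"{name}: {evaluate(visit, CFG)}")
```

Only the first case ends in "blocked"; the last three reproduce the situations in which the login page is shown without the parameter.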

kuk
Thank you for the quick answer. I know this, but I thought that your tool makes a difference between frontend and backend access. I use the IP whitelist to limit the access to our internal network. But my editors can log in only via the frontend. I do not see the logic behind why you bypass the access to the backend. For me it is a good and useful security feature. Possible hacks do not come from outside alone. :)

Nevertheless I recognize this vulnerability now. Please close this ticket.

nicholas
Akeeba Staff
Manager
Sorry, I think you misunderstood me.

Joomla! has TWO DISTINCT APPLICATIONS: the front-end and the back-end. Each application has a DISTINCT session. If you are logged in to the front-end you DO NOT get access to the backend and you DO NOT bypass the secret URL parameter!!!!

I believe that the other thing you do not understand –possibly because of the language barrier– is that the secret URL parameter only applies to logging in to the back-end, e.g. http://www.example.com/administrator/index.php. It does NOT apply to logging in to the front-end. The front-end, unlike the back-end, does NOT have a single point of login. Furthermore, you can have different kinds of users logging in to the front-end, e.g. plain Registered users. You cannot block the login for them.

This is NOT a vulnerability!!!!!!!!!!!!!!!!!!!!!!! Choose your words much better next time. A vulnerability is an UNINTENDED method of bypassing access COMPLETELY and being able to carry out privileged operations. Displaying the login page is NOT a privileged operation. The login page is PUBLIC.

If you are worried that someone might steal your front-end managers' credentials (login and password) you MUST enforce the use of Two Factor Authentication. This is a feature we wrote and has been included in Joomla! since version 3.2.0.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
