Support

Please go to Components, Admin Tools, .htaccess Maker and set the "Disable HTTP methods TRACE and TRACK (protect against XST)" option to No. Then click on "Save & Create .htaccess" in the toolbar.

Um, the -- setting does exactly the same thing as the No setting when you regenerate the .htaccess file :) Namely, both -- and NO will simply not output the block of code for disabling the HTTP methods TRACE and TRACE in the generated .htaccess.

Sorry, I did not make it clear for you. The two issues are unrelated. You had two issues:

1. Your server doesn't support the .htaccess directives which are placed in the generated .htaccess when "Disable HTTP methods TRACE and TRACK (protect against XST)" is set to Yes.

2. By using .htaccess Maker the badly coded WidgetKit by YooTheme –which is known to be broken and despite our explanation to them on WHY it is broken and HOW they should fix it remains broken for the last 5 years– does not work.

We have already fixed issue #1. So forget about it.

Regarding problem #2: YooTheme is stupidly trying to load JS and CSS files from the cache folder of your site. This folder is supposed to NOT be accessible over the web. In fact, it is intended to be moved outside the site's root whenever possible. YooTheme blatantly ignores that fact even though we have repeatedly and explicitly told them and tries to load files directly off the cache directory. However, .htaccess Maker's Front-end Protection feature correctly blocks any access to that directory.

If you want to solve this problem you can go to Components, Admin Tools, .htaccess Maker, find the "Allow direct access, except .php files, to these directories" box and enter the following in a new line:

cache/widgetkit

Then click on Save and Create .htaccess.

If this does not help please give me a list of the sub-directories inside your site's cache folder. I don't have WidgetKit to verify the cache subfolder myself right now and I'm instead replying based on my memory.

You're welcome!

Actually YooTheme knows jack shit about how Joomla! works. As I have explained to them in different occasions, Joomla! allows you to override defines.php in your site's root, administrator directory and cli directory. One of the constants in there is JPATH_CACHE which defines the absolute path of the cache directory. Any CORRECTLY WRITTEN extension for Joomla! will use either the JCache API or the JPATH_CACHE constant, therefore will be able to use a cache folder stored outside the site's root.

As a matter of fact the cache folder is NOT meant to be web accessible. Cache, log and temporary paths (default: cache, logs, tmp) are NOT meant to be web accessible since Joomla! 1.5, period. This is why Joomla! provide the media directory which is meant to contain web accessible files belonging to or generated by the installed extensions. As opposed to the images directory which is supposed to contain web accessible files uploaded by the user (not owned or created by extensions).

Furthermore it should stand to plain old common sense that the contents of the cache directory ARE NOT SUPPOSED TO BE WEB ACCESSIBLE. The cache will contain privileged information such as entire pages generated for logged in users (that are not meant to be publicly visible!), database query results or stats that are not, repeat NOT, meant to be accessible to any random person on the Internet. As a first line of defense Joomla! does offer index.html files and its default .htaccess and web.config files disable listing directory contents but this is not sufficient. If I know that you have com_foobar installed I can always try to browse cache/com_foobar and see what information I can gather. More often than not hackers strike gold by doing that (as long as Joomla!'s caching is enabled). That's why the .htaccess Maker automatically blocks access to the cache directory which is NOT meant to be web accessible.

All of the above is public information since January 2007, i.e. eight and half years ago. It is the umpteenth time I have to write this with regards to a misinformed response by YooTheme's support staff. For years on end they do not fix their code to use the media folder as it should and insist on doing it wrong. For this reason we strongly warn our clients against using their templates and extensions. They are NOT written with security in mind and we cannot, in good conscience, recommend their continued use. They do create subtle security holes which, while not directly exploitable under "normal conditions", can be leveraged in conjunction with another vulnerability in third party or core code to compromise your site.

As for getting hacked under "very particular circumstances" this is utter bollocks, if you excuse my French. Of course under regular conditions your site can't be hacked. We are talking about what happens if someone gets write access to that directory through another hacked site on the same server or a vulnerability in an extension allowing files to be created in predictable locations. This is how most sites get hacked, actually.