Administrator Directory access from front end.

  • sneadm
  • sneadm's Avatar Topic Author
  • Offline
  • Fresh Boarder
  • Fresh Boarder
More
1 year 9 months ago #10539 by sneadm
sneadm created the topic: Administrator Directory access from front end.
I am using Akeeba's Admin tools on my site to provide password protection for the Administrator Directory. Unfortunately, your module and plug-in attempt to access assets in the Administrator Directory when invoked from the front end causing a request for user authentication. The offending gets from the module are:
GET
http://localhost/pacecenter.org/administrator/components/com_zhgooglemap/assets/css/common.css [HTTP/1.1 401 Authorization Required 1ms]
GET
http://localhost/pacecenter.org/administrator/components/com_zhgooglemap/assets/utils/loading.gif [HTTP/1.1 401 Authorization Required 2ms]
GET
http://localhost/pacecenter.org/administrator/components/com_zhgooglemap/assets/utils/loading.gif [HTTP/1.1 401 Authorization Required 1ms]
GET
http://localhost/pacecenter.org/administrator/components/com_zhgooglemap/assets/icons/%23default_pace_icon.png [HTTP/1.1 401 Authorization Required 5ms]
GET
http://localhost/pacecenter.org/administrator/components/com_zhgooglemap/assets/icons/%23default_pace_icon.png [HTTP/1.1 401 Authorization Required 1ms]

And from the plugin:

GET
http://localhost/pacecenter.org/administrator/components/com_zhgooglemap/assets/css/common.css [HTTP/1.1 401 Authorization Required 1ms]
GET
http://localhost/pacecenter.org/administrator/components/com_zhgooglemap/assets/utils/loading.gif [HTTP/1.1 401 Authorization Required 10ms]
GET
http://localhost/pacecenter.org/administrator/components/com_zhgooglemap/assets/utils/loading.gif [HTTP/1.1 401 Authorization Required 1ms]
GET
http://localhost/pacecenter.org/administrator/components/com_zhgooglemap/assets/icons/%23default_pace_icon.png [HTTP/1.1 401 Authorization Required 1ms]
GET
http://localhost/pacecenter.org/administrator/components/com_zhgooglemap/assets/icons/%23default_pace_icon.png [HTTP/1.1 401 Authorization Required 1ms]

According to Akeeba documentation:

More specifically, Joomla! extensions are not supposed to load anything from the administrator area of your site in the front-end. However, some badly written extensions try to access static media files (CSS, Javascript, images) from directories inside the administrator directory. On notorious example is the Zoo CCK extension. Since all of the contents of your administrator directory are protected with a username/password, your browser will prompt you for one as soon as it is instructed to download a file from that protected directory or any of its subdirectories.

There are two workarounds:

1) Disable the administrator password protection. This degrades your site's security but is the easiest and most immediate change.

2) Consult the developer of the offending extension and explain to him that loading files from the administrator area of the component in the front-end of the site is insecure and he has to resolve this issue. Hopefully, developers will realize that this practice is unsafe and fix their software.

I have done option one and am asking your to implement option two in your software.

Thank-you,
Mark

Please Log in or Create an account to join the conversation.

More
1 year 9 months ago #10540 by Dima
Dima replied the topic: Administrator Directory access from front end.

Don't forget support my developments: post review in JED, donate ;)

Post your sites as examples into my directory
Google: forum.zhuk.cc/index.php/forum/gm-user-s-sites
Yandex: forum.zhuk.cc/index.php/forum/ym-user-s-sites
Baidu: forum.zhuk.cc/index.php/forum/bdm-user-s-sites

Please Log in or Create an account to join the conversation.

Time to create page: 0.054 seconds

Donate


Go to top