Administrator Directory access from front end.
8 years 4 months ago #10539
by sneadm
Administrator Directory access from front end. was created by sneadm
I am using Akeeba's Admin tools on my site to provide password protection for the Administrator Directory. Unfortunately, your module and plug-in attempt to access assets in the Administrator Directory when invoked from the front end causing a request for user authentication. The offending gets from the module are:
GET
http://localhost/pacecenter.org/administrator/components/com_zhgooglemap/assets/css/common.css [HTTP/1.1 401 Authorization Required 1ms]
GET
http://localhost/pacecenter.org/administrator/components/com_zhgooglemap/assets/utils/loading.gif [HTTP/1.1 401 Authorization Required 2ms]
GET
http://localhost/pacecenter.org/administrator/components/com_zhgooglemap/assets/utils/loading.gif [HTTP/1.1 401 Authorization Required 1ms]
GET
http://localhost/pacecenter.org/administrator/components/com_zhgooglemap/assets/icons/%23default_pace_icon.png [HTTP/1.1 401 Authorization Required 5ms]
GET
http://localhost/pacecenter.org/administrator/components/com_zhgooglemap/assets/icons/%23default_pace_icon.png [HTTP/1.1 401 Authorization Required 1ms]
And from the plugin:
GET
http://localhost/pacecenter.org/administrator/components/com_zhgooglemap/assets/css/common.css [HTTP/1.1 401 Authorization Required 1ms]
GET
http://localhost/pacecenter.org/administrator/components/com_zhgooglemap/assets/utils/loading.gif [HTTP/1.1 401 Authorization Required 10ms]
GET
http://localhost/pacecenter.org/administrator/components/com_zhgooglemap/assets/utils/loading.gif [HTTP/1.1 401 Authorization Required 1ms]
GET
http://localhost/pacecenter.org/administrator/components/com_zhgooglemap/assets/icons/%23default_pace_icon.png [HTTP/1.1 401 Authorization Required 1ms]
GET
http://localhost/pacecenter.org/administrator/components/com_zhgooglemap/assets/icons/%23default_pace_icon.png [HTTP/1.1 401 Authorization Required 1ms]
According to Akeeba documentation:
More specifically, Joomla! extensions are not supposed to load anything from the administrator area of your site in the front-end. However, some badly written extensions try to access static media files (CSS, Javascript, images) from directories inside the administrator directory. One notorious example is the Zoo CCK extension. Since all of the contents of your administrator directory are protected with a username/password, your browser will prompt you for one as soon as it is instructed to download a file from that protected directory or any of its subdirectories.
There are two workarounds:
1) Disable the administrator password protection. This degrades your site's security but is the easiest and most immediate change.
2) Consult the developer of the offending extension and explain to him that loading files from the administrator area of the component in the front-end of the site is insecure and he has to resolve this issue. Hopefully, developers will realize that this practice is unsafe and fix their software.
I have done option one and am asking you to implement option two in your software.
Thank-you,
Mark
8 years 4 months ago #10540
by Dima
Don't forget to support my developments: post a review in JED, donate, help with translation
Replied by Dima on topic Administrator Directory access from front end.
Hi Mark
Do you read my docs?
wiki.zhuk.cc/index.php/Zh_GoogleMap_Trou...en_map_is_displaying
wiki.zhuk.cc/index.php/Zh_GoogleMap_Desc...ibilityModeRSFAnchor
I think it will fix your problem.
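A check a site owner could run before enabling password protection on the administrator directory, as an added example that is not part of the original thread or of the extension's code: it scans rendered front-end HTML for sub-resources the browser would fetch from under `administrator/`. The sample markup is constructed from the URLs in the first post, and the class and function names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)
ADMIN_SEG = re.compile(r"(^|/)administrator/", re.I)  # exact path segment only

# Constructed sample: front-end markup using the asset paths from the post.
PAGE_URL = "http://localhost/pacecenter.org/index.php"
SAMPLE_HTML = """
<link rel="stylesheet" href="/pacecenter.org/administrator/components/com_zhgooglemap/assets/css/common.css">
<script src="/pacecenter.org/media/system/js/core.js"></script>
<img src="administrator/components/com_zhgooglemap/assets/utils/loading.gif">
<div style="background:url('administrator/components/com_zhgooglemap/assets/icons/%23default_pace_icon.png')"></div>
<a href="/pacecenter.org/administrator/">Admin login</a>
"""

class AssetCollector(HTMLParser):
    """Collect URLs the browser would request while rendering a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.urls, self._in_style = page_url, [], False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if not value:
                continue
            if name in ("src", "href") and tag != "a":  # <a href> is navigation, not a fetch
                self.urls.append(urljoin(self.page_url, value))
            elif name == "style":  # inline CSS can pull in images too
                self._add_css(value)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # body of a <style> block
            self._add_css(data)

    def _add_css(self, css):
        for ref in CSS_URL.findall(css):
            self.urls.append(urljoin(self.page_url, ref.strip()))

def admin_asset_refs(html, page_url):
    """Return sorted, de-duplicated sub-resource URLs under administrator/."""
    collector = AssetCollector(page_url)
    collector.feed(html)
    return sorted({u for u in collector.urls if ADMIN_SEG.search(urlsplit(u).path)})
```

Any URL this returns will trigger the HTTP 401 prompt once the directory is protected; an empty list for every front-end page means the protection can stay enabled.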