JSWebdesign
21 Mar 2018

Steps to reproduce the issue

All Joomla CMS installations have /administrator as the login URL for the admin part.

Expected result

Creates a security risk. The administrator url should be configurable by the superuser at installation.

Actual result

CMS system is open to hacker attacks

System information (as much as possible)

All versions

Additional comments

see the discussion here
https://www.linkedin.com/groups/52867/52867-6381740900460167169

mbabker - comment - 21 Mar 2018
  • Because it is a physical directory (so there's no routing like the frontend available because the server physically loads administrator/index.php)

  • Because allowing changes in the application's file structure creates more problems than benefits (trying to extract core update packages, trying to extract extension packages, having to create mapping layers for non-PHP resources which reference physical file paths (i.e. form XML definitions))

  • Because it is ultimately a "security through obscurity" tactic that doesn't provide much security at all (if you want to mask the fact that your site is running Joomla then you need to move the administrator directory, ensure the component/<component_name> routing schema is inaccessible on your site, break the media and templates directory paths for loading frontend media, remove the Joomla meta generator tag, etc.); the vast majority of individuals attacking websites aren't taking the time to identify the platform it's running on first, they're just unleashing known attack vectors and hoping something sticks

JSWebdesign - comment - 21 Mar 2018

If a simple plugin can achieve this, like AdminExile, why isn't a feature like this part of the core?

mbabker - comment - 21 Mar 2018

There is a difference between obscuring the URL (which, looking at the plugin code, still leaves /administrator accessible but redirects to the frontend unless you're authenticated; there is a 404 configuration in the plugin it seems, but this is also pretty easily identifiable based on the code, so it's really not as effective as it might appear) and moving the directory in full so that /administrator produces what most users would expect in this case, a 404.

mbabker - comment - 21 Mar 2018

Put it this way, to properly change the /administrator URL means changing the filesystem structure. Plugins like AdminExile don't actually "fix" the problem, they mask it in a way where the untrained eye wouldn't notice it. The plugin won't fix trying to check if /administrator/templates/system/css/system.css exists (it has since 1.5.0) or administrator/manifests/files/joomla.xml (since 1.6.0) because AdminExile won't catch requests the web server will serve for physical files that exist in the filesystem.

franz-wohlkoenig - change - 21 Mar 2018
Status: New → Discussion
Category: Administration
JSWebdesign - comment - 21 Mar 2018

Thanks for the comments, Michael. I just want to point out here that it's something to think about if we want to make Joomla safer.
As you can read in the discussion and comments on LinkedIn, it's something that came up out of experiences with building and managing Joomla CMS driven sites for many years.
Even 'masking' the administrator URL would make the CMS in practice safer.
Hacker attacks on the admin login are out there.

brianteeman - comment - 21 Mar 2018

It doesn't make the site safer.

In addition, blocking access to the admin interface should not be done with PHP (like AdminExile and others), as it would be possible for a determined hacker to create a DDoS this way. It should only be blocked at the server level with an .htaccess rule (on Apache) or similar.
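
A server-level rule of the kind described above, as an added example that is not part of this thread or of the Joomla project. It assumes Apache 2.4 or later with mod_authz_core loaded and an AllowOverride setting that lets an .htaccess file in the administrator/ directory carry authorisation directives; the two addresses are constructed placeholders from the RFC 5737 documentation ranges.

```apache
# Added example (not Joomla project code). Intended location: administrator/.htaccess
# Requires Apache 2.4+ (mod_authz_core) and AllowOverride permitting AuthConfig/Limit here.
# 203.0.113.10 and 198.51.100.0/24 are placeholder addresses; replace them with the
# addresses your administrators actually connect from.

# Every request under administrator/ (index.php, CSS, XML manifests, images) is answered
# with 403 by the web server before PHP starts, so no Joomla code runs for refused requests.
<RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</RequireAny>
```

Because the decision is taken by the web server rather than by a PHP plugin, it also covers the static files under administrator/ that a PHP-based redirect cannot intercept, and the cost of rejecting a request is a single access check instead of a full application bootstrap. Where administrators have no fixed addresses, the same layer can enforce HTTP Basic authentication (AuthType Basic with an AuthUserFile) instead of an IP allow-list.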

mbabker - comment - 21 Mar 2018

Even 'masking' the administrator url would make the cms in practice safer.

Minimally if at all.

To change the administrator URL without requiring filesystem changes means removing the physical administrator directory, a major rewrite of the system. To change the administrator URL by moving the physical administrator directory involves a major rewrite of the system in addition to writing more tooling to address the ability to move the directory (and the action of moving it will break any and all code which writes out a path including the directory; we are not going to write or require users to have a PHP extension which parses files to account for this).

Yes, there are attacks on the admin login page, and admin area in general. There are more attacks on the frontend login path, and various frontend facing components using either common exploit patterns or known exploits in hopes someone hasn't upgraded a vulnerable element. I can give you log files from several non-Joomla and WordPress applications where on a daily basis they are full of 404 requests for Joomla and WordPress frontend assets (incidentally the number of requests for those platforms admin sections is much lower, if existent at all, because Joomla's /administrator requests and WordPress' /wp-admin requests will redirect back to login early in the request preventing potential vulnerable code from even being triggered so unless the hacker has a way to authenticate the only thing of value they're going to get out of targeting the admin application is a potential DDoS unless they have access to a compromised account).

brianteeman - comment - 23 Mar 2018

Closed as the question has been answered

brianteeman - close - 23 Mar 2018
brianteeman - change - 23 Mar 2018
Status: Discussion → Closed
Closed_Date: 2018-03-23 22:44:23
Closed_By: brianteeman
