All Joomla CMS installations have /administrator as the login URL for the admin part.
This creates a security risk. The administrator URL should be configurable by the superuser at installation.
CMS system is open for hacker attacks
All versions
see the discussion here
https://www.linkedin.com/groups/52867/52867-6381740900460167169
If a simple plugin can achieve this, like AdminExile, why isn't a feature like this part of the core?
There is a difference in obscuring the URL (which, looking at the plugin code, /administrator is still accessible but redirects to the frontend unless you're authenticated; there is a 404 configuration in the plugin it seems, but this is also pretty easily identifiable based on the code, so it's really not as effective as it might appear) and moving the directory in full so that /administrator creates what most users would expect in this case, a 404.
Put it this way, to properly change the /administrator URL means changing the filesystem structure. Plugins like AdminExile don't actually "fix" the problem, they mask it in a way where the untrained eye wouldn't notice it. The plugin won't fix trying to check if /administrator/templates/system/css/system.css exists (it has since 1.5.0) or administrator/manifests/files/joomla.xml (since 1.6.0) because AdminExile won't catch requests the web server will serve for physical files that exist in the filesystem.
Status | New | ⇒ | Discussion |
Category | ⇒ | Administration |
Thanks for the comments, Michael, I just want to point out here that it's something to think about if we want to make Joomla safer.
As you can read in the discussion and comments on LinkedIn, it's something that came up out of experiences with building and managing Joomla CMS driven sites for many years.
Even 'masking' the administrator URL would make the CMS in practice safer.
Hacker attacks on the admin login are out there.
It doesn't make the site safer.
In addition, blocking access to the admin interface should not be done with PHP (like AdminExile and others) as it would be possible for a determined hacker to create a DDoS this way. It should only be blocked at the server level with an htaccess rule (on Apache) or similar.
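The server-level rule suggested above, written out as an added example (not from the thread or the Joomla project): an Apache 2.4 .htaccess placed in the physical administrator directory, which also covers the static files a PHP plugin never sees. The htpasswd path and the trusted IP range are placeholders.

```apache
# Added example, not Joomla core: <joomla_root>/administrator/.htaccess (Apache 2.4)
# Because /administrator is a physical directory, this rule also protects static
# files served directly by Apache, e.g. templates/system/css/system.css.
AuthType Basic
AuthName "Joomla administrator"
# Placeholder path; create the file with the htpasswd(1) tool
AuthUserFile /etc/apache2/joomla-admin.htpasswd

<RequireAny>
    # Placeholder trusted range (e.g. office VPN) that skips the password prompt
    Require ip 203.0.113.0/24
    # Everyone else must authenticate at the web server before PHP runs
    Require valid-user
</RequireAny>
```

This needs AllowOverride AuthConfig (or the same directives inside a <Directory> block in the vhost); Apache answers 401/403 rather than the 404 the thread discusses.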
Even 'masking' the administrator URL would make the CMS in practice safer.
Minimally if at all.
To change the administrator URL without requiring filesystem changes means removing the physical administrator directory, a major rewrite of the system. To change the administrator URL by moving the physical administrator directory involves a major rewrite of the system in addition to writing more tooling to address the ability to move the directory (and the action of moving it will break any and all code which writes out a path including the directory; we are not going to write or require users to have a PHP extension which parses files to account for this).
Yes, there are attacks on the admin login page, and admin area in general. There are more attacks on the frontend login path, and various frontend facing components using either common exploit patterns or known exploits in hopes someone hasn't upgraded a vulnerable element. I can give you log files from several non-Joomla and WordPress applications where on a daily basis they are full of 404 requests for Joomla and WordPress frontend assets (incidentally the number of requests for those platforms' admin sections is much lower, if existent at all, because Joomla's /administrator requests and WordPress' /wp-admin requests will redirect back to login early in the request, preventing potentially vulnerable code from even being triggered, so unless the hacker has a way to authenticate the only thing of value they're going to get out of targeting the admin application is a potential DDoS unless they have access to a compromised account).
Closed as the question has been answered
Status | Discussion | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2018-03-23 22:44:23 |
Closed_By | ⇒ | brianteeman |
Because it is a physical directory (so there's no routing like the frontend available because the server physically loads administrator/index.php).
Because allowing changes in the application's file structure creates more problems than benefits (trying to extract core update packages, trying to extract extension packages, having to create mapping layers for non-PHP resources which reference physical file paths (i.e. form XML definitions)).
Because it is ultimately a "security through obscurity" tactic that doesn't provide much security at all (if you want to mask the fact that your site is running Joomla then you need to move the administrator directory, ensure the component/<component_name> routing schema is inaccessible on your site, break the media and templates directory paths for loading frontend media, remove the Joomla meta generator tag, etc.); the vast majority of individuals attacking websites aren't taking the time to identify the platform it's running on first, they're just unleashing known attack vectors and hoping something sticks.