khorton wrote: Wow! I didn't know that. It boggles the mind why the current behaviour is considered "good enough". Thanks for educating me.
The lack of an auto-update feature (and the apparent reluctance to even consider adding one) and this lack of a proper off-line mode have started me wondering whether Joomla was the right choice. I've got to make a new site for a small business that I am starting in the spring, and maybe it is time to investigate other CMSs.
Well, stop your horses there.
First of all, I don't see the point of offline mode if the update goes south. The failed auto-update could even break the offline-mode functionality, so you can't count on it completely. There should be a better "Plan B".
On the off-topic subject, there is no reason for panic here.
Offline Mode is not meant as a security feature, nor is it a vulnerability, nor bad functionality. It's considered good enough for what it is really meant to do: prevent users from seeing your website content while you change the design or do other maintenance work. That's all. It is not meant to prevent access to Joomla's functionality; it's not declared to do that. Maybe the name of the functionality can be misunderstood, but that doesn't justify a webmaster not reading the documentation.
And all that is well documented on the Documentation website: https://docs.joomla.org/Taking_the_webs ... ly_offline . The documentation doesn't promise anything more than a "website completely unavailable to visitors".
Also, it clearly states: "The site may be parsable by bots, search engines and other direct call methods". And furthermore it suggests password protection of the whole web directory as a solution. That approach with password protection is a proper solution, not IP-based blocking. As you mentioned, dynamic IPs for normal users are a common thing. If the appearance of the offline message is also important, that can also be accomplished using the HTTP daemon (Apache, Nginx ...) directives. (Interestingly enough, the same author had a flame war against me recently in which he stated that blocking by IP is useless. Go figure.)
For perspective, WP doesn't even have an "offline mode" switch in the core; you need a 3rd-party plugin. Drupal has a "maintenance mode" switch. For both competing CMSes their "offline mode" works pretty much the same way as the Joomla functionality in question.
And finally, a technical problem. From one PHP file you can't prevent access to another independent PHP file (apart from updating e.g. an .htaccess file). It has to be done at a higher level, by the HTTP daemon, e.g. as explained above. So it's nothing Joomla can even fix directly in the PHP code itself, except moving the main check to the main index.php files to prevent the framework from running. But that would prevent template rendering, with the offline message rendered using the template design ...
Joomla has done more than enough by implementing and enforcing protection against direct execution of any other PHP file contained in the CMS (excluding 3rd-party extensions, which can sneak in without adhering to this principle). This level of direct access protection isn't present in the other "major-league" CMSes mentioned above.
As a side note, since the article was "Published in 2011 February", if "offline mode" were a security issue needing fixing according to the author, then the JSST or PLT should have fixed it in the last 5 years, right? The article author is a member of the JSST, so if you have further concerns about it you can ask any of those teams or the author himself.
My point is: if you want to prevent any PHP file from being accessed, you can't expect Joomla to prevent it; it's technically impossible. The HTTP server should prevent PHP from running. That's why we in the Security subforum suggest password-protecting the folder of the hacked website, not just setting it to "Offline Mode".
OK, and now, can we get back on the subject?
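As an added illustration of the approach the post above recommends (password-protecting the whole web directory at the HTTP daemon level, while still showing visitors an offline message), here is an Apache 2.4 `.htaccess` fragment. This is example configuration written for this thread, not Joomla's own code or anything from the linked documentation page; the path `/srv/private/.htpasswd`, the file name `offline.html` and the realm text are assumptions and should be adapted to the actual server.

```apache
# Example .htaccess for the web root of a Joomla install (added example,
# not from the original post). Assumes Apache 2.4 with mod_authn_file,
# mod_authz_core and mod_authn_core loaded, and AllowOverride AuthConfig
# (or All) for this directory in the main server config.

# Basic authentication for the entire directory tree. Because this is
# enforced by the HTTP daemon, it covers every PHP file under the web
# root (administrator/index.php, extension entry points, etc.), not just
# the requests Joomla's own offline-mode check happens to see.
AuthType Basic
AuthName "Site under maintenance"
# Password file kept OUTSIDE the web root so it can never be served.
# Create it with:  htpasswd -c /srv/private/.htpasswd maintainer
# (assumed path; choose any location Apache can read but not serve)
AuthUserFile /srv/private/.htpasswd
Require valid-user

# Let anonymous visitors fetch the static offline page only. In 2.4 a
# Require inside <Files> replaces the directory-level Require, so this
# single file is reachable without credentials while everything else,
# PHP included, still needs a login.
<Files "offline.html">
    Require all granted
</Files>

# Serve the offline page as the body of the 401 response, so visitors
# without credentials see the maintenance message instead of a bare
# browser login prompt. The ErrorDocument target must be a local path,
# which is why the file above has to be readable anonymously.
ErrorDocument 401 /offline.html
```

Keep `offline.html` a plain static file (no PHP), since it is the one resource served without authentication. Once maintenance is finished, remove the block again rather than relying on Joomla's offline switch to do the same job.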