Preventing frontend login

comduit
Joomla! Intern
Posts: 50
Joined: Tue Dec 20, 2005 11:52 am

Preventing frontend login

Post by comduit » Wed Aug 13, 2008 11:07 am

The latest security patch has made me think there's no way (that I've figured out) in J1.5.x to prevent front-end login. You can disable the login module but this does not prevent someone from directly typing index.php?option=com_login. I even tried creating a menu item for that URL, unpublishing it and forcing it to 'Special' user access - neither appeared to work in my test case.

I think that such a setting that prevented any actions related to front-end user activity would be useful for sites that do not require front-end login.

Any ideas? (while I go and apply this patch to all our 1.5 sites...)

twcmex
Joomla! Guru
Posts: 551
Joined: Sat Dec 16, 2006 10:35 pm
Location: Durango, Mexico

Re: Preventing frontend login

Post by twcmex » Wed Aug 13, 2008 1:20 pm

I wonder if password protecting the com_user directory would hinder normal operation (other than render logins unusable)... going to test
-Joe

nickn5
Joomla! Enthusiast
Posts: 125
Joined: Fri Aug 08, 2008 9:37 pm
Location: Wales, UK

Re: Preventing frontend login

Post by nickn5 » Wed Aug 13, 2008 2:13 pm

Yes, if you .htaccess and .htpasswd the com_user directory, then perhaps you could stop anyone except admin (who knows the password) getting into the login pages...? Might be worth trying.

N. :)
http://www.nicspics.eu - Photo Galleries, Reviews and Articles (Site in development)

tranphungan
Joomla! Apprentice
Posts: 26
Joined: Fri Aug 15, 2008 1:50 pm

Re: Preventing frontend login

Post by tranphungan » Fri Aug 15, 2008 2:37 pm

I think you can modify the controller.php file.

comduit
Joomla! Intern
Posts: 50
Joined: Tue Dec 20, 2005 11:52 am

Re: Preventing frontend login

Post by comduit » Fri Aug 15, 2008 2:38 pm

There is a way... I've just read this article by Sam Moffatt called Help protect your Web site using 5 easy-to-implement ideas.

His first idea is:
Sam Moffatt wrote: In the Administrator, navigate to Extensions -> Install/Uninstall, then select Components and disable the User Component. In my system, this option is towards the bottom of the list and it is also protected so that you can't uninstall it. However, you can disable this Component which will prevent users from logging into the front end of the site and it will completely disable Registration. If you decide to use front end Logins later, simply re-enable this Component.

Following this process prevents users from getting directly to the front end Login Form via a link similar to index.php?option=com_user&view=login or index.php?option=com_login, if Legacy Mode is enabled.
Nice one! I would say it's worth disabling all components that are not used - just remember to test first!
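
A way to carry out the "test first" step after disabling the component, as an added example that is not part of the original thread: it requests the two login URLs quoted above on a site you administer and reports whether a login form still renders. The password-input heuristic, the status-code mapping and the sample responses are assumptions constructed for illustration, not captured Joomla! output.

```python
import re
import sys
import urllib.error
import urllib.request

# The two front-end login URLs quoted in the thread.
LOGIN_PATHS = (
    "index.php?option=com_user&view=login",
    "index.php?option=com_login",
)

# Assumption: a rendered login form contains an <input type="password">.
PASSWORD_INPUT = re.compile(r"<input\b[^>]*\btype\s*=\s*[\"']?password", re.I)


def classify(status, body):
    """Return 'exposed', 'blocked' or 'unclear' for one HTTP response."""
    if status == 200 and PASSWORD_INPUT.search(body):
        return "exposed"          # the login form is still served
    if status in (401, 403, 404):
        return "blocked"          # auth wall, forbidden, or component not found
    return "unclear"              # e.g. 200 without a form: inspect by hand


def fetch(base_url, path, timeout=10):
    """GET one path; return (status, body) even for HTTP error statuses."""
    url = base_url.rstrip("/") + "/" + path
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def audit(base_url, fetcher=fetch):
    """Map each login path to its classification for one site."""
    return {path: classify(*fetcher(base_url, path)) for path in LOGIN_PATHS}


# Constructed sample responses (not real captures) for offline checking.
SAMPLE_ENABLED = (200, '<form action="index.php" method="post">'
                       '<input name="username" type="text" />'
                       '<input type="password" name="passwd" /></form>')
SAMPLE_DISABLED = (404, "<h1>404 - Component not found</h1>")

if __name__ == "__main__":
    # Usage: python check_login.py http://your-own-site.example
    for path, verdict in audit(sys.argv[1]).items():
        print(f"{verdict:8} {path}")
```

Run it before and after the change: both paths should move from "exposed" to "blocked", and an "unclear" result means the response needs a manual look.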

