[22]Admin folder Location

baibhav
Joomla! Apprentice
Posts: 9
Joined: Wed Jan 07, 2009 3:37 pm
Location: Kathmandu, Nepal

Re: [22]Admin folder Location

Post by baibhav » Sat Jan 10, 2009 1:09 am

Thanks for the nice tips Valc. I saw those. :)
While trying to find the solution to this problem, my friend suggested using jsecure.
This plugin didn't pop up while searching in the Joomla extensions site. WTH!!!

Everyone in this forum, please, if you haven't tried this plugin, take a look at it.
But it could have other compatibility issues with other components... though I haven't faced any yet.
It's been cool... ;D

This "administration" path issue is only a part of the security hole in Joomla... I guess...
What about SQL injection???
As I googled and went through several sites, I found that SQL injection is also possible through various fields in components (even the picture browser) lol... :p

So what's the short solution for it???
Regards,
Baibhav Rajbhandari
http://www.baibhav.com.np
Volunteering http://www.rotaractpds.com.np

andrzejk
Joomla! Fledgling
Posts: 1
Joined: Fri Feb 13, 2009 1:35 pm

Re: [22]Admin folder Location

Post by andrzejk » Fri Feb 13, 2009 1:42 pm

I've just solved this problem of how to change the Admin folder location.
Now I'm testing it, and if everything is OK, I'll describe it.

Bongo
Joomla! Apprentice
Posts: 5
Joined: Sun Jan 22, 2006 11:36 am
Location: SUNDSVALL

Re: [22]Admin folder Location

Post by Bongo » Thu Mar 05, 2009 3:17 pm

> This "administration" path issue is only a part of security hole in Joomla... I guess...
> What about the sql-injection???

Let's take one problem at a time.

Three ideas about hardening the administration:

1) Letting it be moved to an arbitrary path makes hacking less easy, good. I'd prefer to have the path in the configuration.php. It takes away any use of relative paths, so a lot of stuff has to be rewritten. Maybe something for 1.6?

2) Having the administrator folder controlled using .htaccess. Makes it somewhat trickier to install for beginners but adds security, since that folder could for instance be made accessible only from a certain IP range. This sounds doable right now?

3) Optionally moved away completely so it can be accessed from anywhere, even using its own hostname (preferably inside NAT, away from the world). Sounds like a great idea but it needs more thinking. Then you still have control over what IP (the new machine, virtual or not) accesses the database and the public folders. It takes away any use of relative paths, so a lot of stuff has to be rewritten. Maybe something for 2.0?

/Per

dolito
Joomla! Fledgling
Posts: 3
Joined: Mon Mar 16, 2009 12:49 pm

Re: [22]Admin folder Location

Post by dolito » Mon Mar 16, 2009 12:54 pm

Hopefully I understand this!?

You want to change all relative paths to absolute? So what's the problem?

When you installed Joomla in /var/www/joomla, the relative path to admin is (we all know) ./administrator. If you would change it to, e.g., /var/lib/joomla-admin, the relative path to admin (from the joomla dir) is ../../lib/joomla-admin. Isn't it?

dolito

koba
Joomla! Intern
Posts: 98
Joined: Mon May 14, 2007 11:48 am

Re: [22]Admin folder Location

Post by koba » Sun Jun 21, 2009 12:08 pm

Is there any official solution for changing the administrator path name?

dolito
Joomla! Fledgling
Posts: 3
Joined: Mon Mar 16, 2009 12:49 pm

Re: [22]Admin folder Location

Post by dolito » Sun Jun 21, 2009 12:36 pm

koba wrote:
> is there any official solution about changing an administrator path name?

I think there is an extension in the JED. Use the search function. ;)

dolito

mirrorball
Joomla! Apprentice
Posts: 45
Joined: Mon Oct 03, 2005 12:31 pm

Re: [22]Admin folder Location

Post by mirrorball » Tue Jun 23, 2009 12:39 pm

If setting the name of any paths within Joomla is to become something that can be set at installation for Joomla 1.6 then would it be possible to have a "random name creation" button that creates a strong directory name with letters, numbers and punctuation (if that's allowable for a directory name)?

juanparati
Joomla! Enthusiast
Posts: 123
Joined: Thu Nov 08, 2007 6:00 pm
Location: Aarhus (Denmark)

Re: [22]Admin folder Location

Post by juanparati » Thu Jun 25, 2009 9:43 pm

Nice idea! The Joomla administration could be more secure!
From the code to the reality!

charasoverride
Joomla! Fledgling
Posts: 4
Joined: Tue Sep 23, 2008 6:38 am

Re: [22]Admin folder Location

Post by charasoverride » Fri Aug 07, 2009 12:52 pm

If you would like to 'sort of' rename your Joomla administrator directory without having to modify any Joomla code or you don't want to have to use htpasswd to protect that directory, you can achieve it the following way.
This may help limit issues for joomla security in the future.

1. Create a new directory in your root directory (eg. "myadmin")
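2. Create an index.php file in your "myadmin" directory:

<?php
// Secret value checked by the .htaccess rule in step 3.
$admin_cookie_code = "1234567890";
// Session cookie (expires = 0) valid for the whole site ("/").
setcookie("JoomlaAdminSession", $admin_cookie_code, 0, "/");
header("Location: /administrator/index.php");
exit; // stop after sending the redirect
?>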

3. Add this to the .htaccess of your real Joomla administrator directory:

RewriteEngine On
RewriteCond %{REQUEST_URI} ^/administrator
RewriteCond %{HTTP_COOKIE} !JoomlaAdminSession=1234567890
RewriteRule .* - [L,F]

To enter your Joomla administration page, you point your browser to "http://yoursite.com/myadmin/". The PHP code will set a cookie that expires at the end of the session and redirect you to your real administration page. No one will be able to load anything from the administrator directory without having gone through the "myadmin" directory first.

Needless to say, you would choose another directory name for "myadmin" and change the cookie code "1234567890" to something else. Security through obfuscation is no substitute for the real thing but this might make you feel a little better.
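
The gate from the post above with the directory name and cookie code drawn at random instead of chosen by hand, as an added example that is not part of the original post. The function names, the `gate-` prefix and the output layout are assumptions, and the cookie condition is anchored to the exact value rather than matched as a substring as in the post.

```shell
#!/bin/sh
# Added example (not from the thread): generate the two files of the
# cookie gate with a random directory name and a random cookie code.
# rand_hex, make_gate and the "gate-" prefix are hypothetical names.

# rand_hex N: print N bytes from the kernel CSPRNG as 2N hex characters.
rand_hex() {
    od -An -N "$1" -tx1 /dev/urandom | tr -d ' \n'
}

# make_gate OUTDIR: write OUTDIR/<gate>/index.php and
# OUTDIR/administrator/.htaccess, then print the gate directory name.
make_gate() {
    out=$1
    gate="gate-$(rand_hex 8)"     # 64-bit random directory name
    token=$(rand_hex 16)          # 128-bit random cookie code
    mkdir -p "$out/$gate" "$out/administrator"

    # "<?php" is the very first byte of the file, so no output is sent
    # before the headers.
    cat > "$out/$gate/index.php" <<EOF
<?php
// Session cookie (expires = 0), scoped to the whole site as in the post.
setcookie("JoomlaAdminSession", "$token", 0, "/");
header("Location: /administrator/index.php");
exit;
EOF

    # Same rule as step 3, but the cookie must equal the token exactly:
    # it has to start the header or follow ";" and end at ";" or end of line.
    cat > "$out/administrator/.htaccess" <<EOF
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/administrator
RewriteCond %{HTTP_COOKIE} !(^|;\\s*)JoomlaAdminSession=$token(;|\$)
RewriteRule .* - [L,F]
EOF

    printf '%s\n' "$gate"
}

# Stand-alone use: sh make_gate.sh /path/to/staging-dir
if [ -n "${1:-}" ]; then
    make_gate "$1"
fi
```

Run it against a staging directory and copy the two generated files into the site; the cookie code then exists only in those two files.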

hungover
Joomla! Fledgling
Posts: 2
Joined: Sun Oct 18, 2009 12:44 am

Re: [22]Admin folder Location

Post by hungover » Thu Nov 19, 2009 4:47 pm

If this is a double post then apologies (sodding free wifi in this pub logs you out and forces you to re-log in).


Just wanted to thank charasoverride

It works!!!! Just remember to make sure that you have no spaces before the <?php declaration, otherwise you will get "headers already sent" errors.

I plan to use this on any cms/cart/forum that doesn't allow admin path renaming.

Other than lucky guesses what are the potential pitfalls of this technique?

Once again thanks!!!!

