Password protect directory [solved]

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
User avatar
changlee
Joomla! Explorer
Joomla! Explorer
Posts: 441
Joined: Tue Nov 20, 2007 11:05 am
Location: Greece
Contact:

Password protect directory [solved]

Post by changlee » Thu Jul 17, 2014 12:24 pm

Hello dear Joomlers,
I am using password protect directory through cPanel. But after the Joomla 3.3.1 updates, when eg someone clicks on mywebsite.com/administrator he gets 404 ERROR.

If I disable the Password Protect Directory, the /administrator url works perfect.

What have I to modify to .htaccess for best security?

Thanks a lot!
Last edited by mandville on Sat Aug 23, 2014 11:35 am, edited 1 time in total.
Reason: marked as solved
If you do not programm your life, someone else will do it for you.
SMTP Newsletter APP: https://www.emailbat.com

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Password protect directory

Post by Bernard T » Thu Jul 17, 2014 4:07 pm

It would be more helpful if you would post the contents of your .htaccess related to htpasswd protection.
Also take a look at your account's Error Log, there should be some kind of info what path triggered 404 response.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

User avatar
changlee
Joomla! Explorer
Joomla! Explorer
Posts: 441
Joined: Tue Nov 20, 2007 11:05 am
Location: Greece
Contact:

Re: Password protect directory

Post by changlee » Fri Jul 18, 2014 6:30 am

The .htaccess is the same like the Joomla 3 new installation folder.

The protection is set through the cPanel undet Password Protect Directory. After enabling that, I get ERROR 404 in my /administration URL.

What can I post you?

Thank you for your reply.
If you do not programm your life, someone else will do it for you.
SMTP Newsletter APP: https://www.emailbat.com

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15058
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Password protect directory

Post by mandville » Fri Jul 18, 2014 10:56 am

if the hta is the same then there may not be set correct
try these instructions
http://docs.cpanel.net/twiki/bin/view/A ... irectories
http://www.siteground.com/tutorials/cpa ... tories.htm
or use a tool like admintools to set it for you
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

User avatar
changlee
Joomla! Explorer
Joomla! Explorer
Posts: 441
Joined: Tue Nov 20, 2007 11:05 am
Location: Greece
Contact:

Re: Password protect directory

Post by changlee » Fri Jul 18, 2014 12:12 pm

Dear Mandville,
I am creating the protection exactly as you said.

But the .htaccess from J 3.0.1 is not causing the 404Error, only the J3.0.3
If you do not programm your life, someone else will do it for you.
SMTP Newsletter APP: https://www.emailbat.com

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15058
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Password protect directory

Post by mandville » Fri Jul 18, 2014 12:15 pm

You should be using the latest version of joomla.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

User avatar
changlee
Joomla! Explorer
Joomla! Explorer
Posts: 441
Joined: Tue Nov 20, 2007 11:05 am
Location: Greece
Contact:

Re: Password protect directory

Post by changlee » Fri Jul 18, 2014 1:47 pm

Yes, at my last versions installed, I am facing that problem.
If you do not programm your life, someone else will do it for you.
SMTP Newsletter APP: https://www.emailbat.com

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Password protect directory

Post by Bernard T » Sun Jul 20, 2014 5:25 pm

changlee wrote: But the .htaccess from J 3.0.1 is not causing the 404Error, only the J3.0.3
The newest version is 3.3.1, not 3.0.3

I have just tested on cPanel 11 and Joomla 3.3.1, had no problems at all to lock /administrator directory down using cPanel generated htpasswd protection.

* Please test it again at your side, and take a look what the Error Log says in the time when you get your 404 error. You can post it here.
* Post a content of your /administrator/.htaccess file, so we can see anything unusual
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20316
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
Contact:

Re: Password protect directory

Post by leolam » Wed Jul 23, 2014 4:46 am

This is caused by the way how your Apache is compiled on your server iin combination with your .htaccess file in the public_html folder of your site.

You can see this happening is you rename .htaccess to htaccess.txt you will see that the popup of the admin protection jumps up as expected.

(You see this also happening on Wordpresss sites with permalinks)

You can resolve this very easy. Open your .htaccess in the root of your site and find
around line 70 this line

Code: Select all

RewriteRule .* index.php [L]
and change that line to

Code: Select all

RewriteRule ./ /index.php [L]
and your issue will be resolved

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Webmaster Services: gws-webmaster.services

User avatar
changlee
Joomla! Explorer
Joomla! Explorer
Posts: 441
Joined: Tue Nov 20, 2007 11:05 am
Location: Greece
Contact:

Re: Password protect directory

Post by changlee » Wed Jul 30, 2014 9:56 am

I updated to the latest version and everything works great. The protection causes NO problems.

I will inform you if something happens again.

Thank you so much for your response.
If you do not programm your life, someone else will do it for you.
SMTP Newsletter APP: https://www.emailbat.com

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Password protect directory

Post by Bernard T » Wed Jul 30, 2014 4:15 pm

That's obviously another "nice" Cpanel quirk!
I didn't notice such behavior on other webhosting panels
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

User avatar
changlee
Joomla! Explorer
Joomla! Explorer
Posts: 441
Joined: Tue Nov 20, 2007 11:05 am
Location: Greece
Contact:

Re: Password protect directory

Post by changlee » Thu Jul 31, 2014 1:20 pm

I do not think that it was cPanel issue. I think that the problem was the /public_html/test installation folder.

In /public_html/ was another older Joomla installation where it thought that /public_html/test was an error404 because it was protected.
If you do not programm your life, someone else will do it for you.
SMTP Newsletter APP: https://www.emailbat.com

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Password protect directory

Post by Bernard T » Thu Jul 31, 2014 5:14 pm

Either way, it's important you found your solution. Please mark your post as "solved"
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

User avatar
changlee
Joomla! Explorer
Joomla! Explorer
Posts: 441
Joined: Tue Nov 20, 2007 11:05 am
Location: Greece
Contact:

Re: Password protect directory

Post by changlee » Thu Jul 31, 2014 6:18 pm

This problem happened again, when I renamed the htaccess.txt and disabled the /index.php/ through rewrite mod.
leolam wrote:...

You can resolve this very easy. Open your .htaccess in the root of your site and find
around line 70 this line

Code: Select all

RewriteRule .* index.php [L]
and change that line to

Code: Select all

RewriteRule ./ /index.php [L]
and your issue will be resolved

Leo 8)
When I did that, the /administrator worked perfect, with protection too. But the whole webiste caused not found except the main index.php
If you do not programm your life, someone else will do it for you.
SMTP Newsletter APP: https://www.emailbat.com

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Password protect directory

Post by Bernard T » Thu Jul 31, 2014 7:39 pm

#1
BernardT wrote: * Post a content of your /administrator/.htaccess file, so we can see anything unusual
#2 - Is it original htaccess.txt ?


P.S. this recommended line is a bit strange, I don't see any need for / after .
#3 - Try this instead, maybe it helps

Code: Select all

RewriteRule . /index.php [L]
#4 - Take a look into your error.log file, and post errors related to redirect, if any
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

User avatar
changlee
Joomla! Explorer
Joomla! Explorer
Posts: 441
Joined: Tue Nov 20, 2007 11:05 am
Location: Greece
Contact:

Re: Password protect directory

Post by changlee » Fri Aug 01, 2014 6:24 am

With that modification, did not changed anything. The /administrator became 404 ERROR again, after enabling the password protect directory.

My .htaccess is attached.

I am also attaching my error_log file.

Thank you so much for your response.
You do not have the required permissions to view the files attached to this post.
If you do not programm your life, someone else will do it for you.
SMTP Newsletter APP: https://www.emailbat.com

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Password protect directory

Post by Bernard T » Fri Aug 01, 2014 11:18 pm

It is a standard htaccess.txt that you uploaded. I was interested in /administrator/.htaccess, please post that one.

In .htaccess placed in webroot, did you try to change

Code: Select all

RewriteRule .* index.php [L]
to

Code: Select all

RewriteRule .* /index.php [L]
OR
RewriteRule . /index.php [L]
?

Error.log doesn't show any problems, please take a look at access.log in the time when 404 happens, there you could find to what URL the rewrite was redirecting.

Also, please post FPA, or at least check if your server runs PHP as Apache module, some CGI variant, or something else.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

User avatar
changlee
Joomla! Explorer
Joomla! Explorer
Posts: 441
Joined: Tue Nov 20, 2007 11:05 am
Location: Greece
Contact:

Re: Password protect directory

Post by changlee » Thu Aug 07, 2014 8:01 am

Hello dear BernardT,
My /administrator .htaccess include:

Code: Select all

AuthName "administrator"
AuthUserFile "/home/mescanf/.htpasswds/public_html/administrator/passwd"
I tried both RewriteRule .* /index.php [L] OR RewriteRule . /index.php [L], but the problem remains.

When I password protect the /administrator directory, then the http://www.manifest-security.gr/administrator/ shows ERROR 404.

How can I post you FPA here? I remind that other Joomla3 installed websites in my server load perfect the password directory protection. It happend at before Joomla3.3.3 version installed.
If you do not programm your life, someone else will do it for you.
SMTP Newsletter APP: https://www.emailbat.com

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Password protect directory

Post by Bernard T » Thu Aug 07, 2014 5:50 pm

FPA instructions http://forum.joomla.org/viewtopic.php?f=714&t=793531

I know your joomla works fine. From FPA I only need the Apache and PHP environment and version information.

I will try again to reproduce your problem
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

User avatar
changlee
Joomla! Explorer
Joomla! Explorer
Posts: 441
Joined: Tue Nov 20, 2007 11:05 am
Location: Greece
Contact:

Re: Password protect directory

Post by changlee » Mon Aug 11, 2014 6:19 am

Here is my FPA:
[Mod . Reposted below ]
Last PHP Error(s) Reported :: Forum Post Assistant (v1.2.4) : 11th August 2014 wrote:[11-Aug-2014 06:21:26 UTC] PHP Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in /home/mescanf/public_html/fpa-en.php on line 571
Forum Post Assistant (v1.2.4) : 11th August wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.3.3-Stable (Ember) 25-July-2014
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: 662 (uid: /gid: ) | Group: 663 (gid: ) | Valid For: 3.3
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: | OS Version: | Technology: | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /home/mescanf/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.4.29 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 6143 | Log Errors To: error_log | Last Known Error: 11th August 2014 06:21:26. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 128M | Max. POST Size: 128M | Max. Input Time: 120 | Max. Execution Time: 60 | Memory Limit: 256M

MySQL Configuration :: Version: 5.5.36-cll (Client:5.5.36) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 9.92 MiB | #of Tables:  79
Detailed Environment :: wrote:PHP Extensions :: Core (5.4.29) | date (5.4.29) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7) | zlib (2.0) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | filter (0.11.0) | ftp () | gd () | gettext () | hash (1.0) | iconv () | SPL (0.2) | intl (1.1.0) | json (1.2.1) | mbstring () | mcrypt () | session () | mysql (1.0) | mysqli (0.1) | standard (5.4.29) | Phar (2.0.1) | posix () | Reflection ($Id: f6367cdb4e3f392af4a6d441a6641de87c2e50c4 $) | mysqlnd (mysqlnd 5.0.10 - 20111026 - $Id: c85105d7c6f7d70d609bb4c000257868a40840ab $) | SimpleXML (0.1) | sockets () | imap () | tidy (2.0) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | ionCube Loader () | Zend OPcache (7.0.3FE) | Zend Engine (2.4.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered :: wrote:Components :: SITE :: com_mailto (3.0.0) | com_wrapper (3.0.0) |
Components :: ADMIN :: com_checkin (3.0.0) | com_users (3.0.0) | com_admin (3.0.0) | com_search (3.0.0) | com_login (3.0.0) | com_ajax (3.2.0) | com_menus (3.0.0) | com_joomlaupdate (3.0.0) | com_weblinks (3.0.0) | com_banners (3.0.0) | com_finder (3.0.0) | com_redirect (3.0.0) | com_messages (3.0.0) | com_newsfeeds (3.0.0) | com_modules (3.0.0) | com_languages (3.0.0) | com_media (3.0.0) | com_content (3.0.0) | com_tags (3.1.0) | com_proforms (1.3) | com_cache (3.0.0) | com_plugins (3.0.0) | com_templates (3.0.0) | com_postinstall (3.2.0) | com_cpanel (3.0.0) | com_categories (3.0.0) | com_installer (3.0.0) | com_config (3.0.0) | com_contenthistory (3.2.0) |

Modules :: SITE :: FavImageHover (1.5) | mod_languages (3.0.0) | mod_articles_latest (3.0.0) | FavSlider Responsive Slideshow (1.4) | mod_users_latest (3.0.0) | mod_articles_categories (3.0.0) | mod_articles_popular (3.0.0) | mod_articles_archive (3.0.0) | mod_whosonline (3.0.0) | mod_feed (3.0.0) | mod_finder (3.0.0) | VS Image Rotator (1.1.2) | mod_wrapper (3.0.0) | mod_search (3.0.0) | mod_syndicate (3.0.0) | mod_stats (3.0.0) | JMod Contact (1.0) | mod_login (3.0.0) | mod_random_image (3.0.0) | Global News (2.5.2) | mod_breadcrumbs (3.0.0) | mod_articles_news (3.0.0) | mod_articles_category (3.0.0) | mod_menu (3.0.0) | mod_custom (3.0.0) | mod_related_items (3.0.0) | mod_tags_similar (3.1.0) | mod_tags_popular (3.1.0) | sigplus (1.4.2.17) | BT Content Slider (2.3.4) | mod_weblinks (3.0.0) | mod_footer (3.0.0) | mod_banners (3.0.0) |
Modules :: ADMIN :: mod_toolbar (3.0.0) | mod_quickicon (3.0.0) | mod_feed (3.0.0) | mod_stats_admin (3.0.0) | mod_status (3.0.0) | mod_latest (3.0.0) | mod_popular (3.0.0) | mod_logged (3.0.0) | mod_login (3.0.0) | mod_version (3.0.0) | mod_menu (3.0.0) | mod_custom (3.0.0) | mod_multilangstatus (3.0.0) | mod_title (3.0.0) | mod_submenu (3.0.0) |

Plugins :: SITE :: plg_authentication_cookie (3.0.0) | plg_authentication_ldap (3.0.0) | plg_authentication_gmail (3.0.0) | plg_authentication_joomla (3.0.0) | PLG_AOEDITOR_TITLE (1.0.6) | plg_editors_codemirror (3.15) | plg_editors_tinymce (4.1.2) | plg_system_redirect (3.0.0) | plg_system_highlight (3.0.0) | plg_system_debug (3.0.0) | plg_system_languagecode (3.0.0) | plg_system_sef (3.0.0) | plg_system_log (3.0.0) | plg_system_languagefilter (3.0.0) | plg_system_p3p (3.0.0) | plg_system_cache (3.0.0) | plg_system_logout (3.0.0) | plg_system_remember (3.0.0) | plg_finder_categories (3.0.0) | plg_finder_content (3.0.0) | plg_finder_weblinks (3.0.0) | plg_finder_tags (3.0.0) | plg_finder_contacts (3.0.0) | plg_finder_newsfeeds (3.0.0) | plg_content_loadmodule (3.0.0) | plg_content_vote (3.0.0) | plg_content_pagebreak (3.0.0) | plg_content_finder (3.0.0) | plg_content_pagenavigation (3.0.0) | Content - Image gallery - sigp (1.4.2.17) | plg_content_joomla (3.0.0) | plg_content_emailcloak (3.0.0) | plg_extension_joomla (3.0.0) | plg_search_categories (3.0.0) | plg_search_content (3.0.0) | plg_search_weblinks (3.0.0) | plg_search_tags (3.0.0) | plg_search_contacts (3.0.0) | plg_search_newsfeeds (3.0.0) | plg_quickicon_joomlaupdate (3.0.0) | plg_quickicon_extensionupdate (3.0.0) | plg_captcha_recaptcha (3.0.0) | plg_editors-xtd_pagebreak (3.0.0) | plg_editors-xtd_article (3.0.0) | plg_editors-xtd_image (3.0.0) | plg_editors-xtd_readmore (3.0.0) | plg_twofactorauth_yubikey (3.2.0) | plg_twofactorauth_totp (3.2.0) | plg_user_profile (3.0.0) | plg_user_joomla (3.0.0) | plg_user_contactcreator (3.0.0) |
Templates Discovered :: wrote:Templates :: SITE :: mansecur6 (1.0) | protostar (1.0) | mansecur4 (1.0) | beez3 (3.1.0) |
Templates :: ADMIN :: isis (1.0) | hathor (3.0.0) |
When have I to delete it?

;)
If you do not programm your life, someone else will do it for you.
SMTP Newsletter APP: https://www.emailbat.com

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Password protect directory

Post by Bernard T » Mon Aug 11, 2014 3:56 pm

Hi changle,

thanks, now I have your environment, I will try try to reproduce it when I get the time.

Btw. have you tried to contact your hosting support, they should be able to debug it quick with direct access to your system.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

User avatar
changlee
Joomla! Explorer
Joomla! Explorer
Posts: 441
Joined: Tue Nov 20, 2007 11:05 am
Location: Greece
Contact:

Re: Password protect directory

Post by changlee » Mon Aug 11, 2014 4:05 pm

I have other Joomla installed websites that work perfect with the Joomla3 and admin password protection directory.

So, the hosting company advise me to copy the .htaccess file from the working Joomla installation to the one with the problem.
If you do not programm your life, someone else will do it for you.
SMTP Newsletter APP: https://www.emailbat.com

User avatar
changlee
Joomla! Explorer
Joomla! Explorer
Posts: 441
Joined: Tue Nov 20, 2007 11:05 am
Location: Greece
Contact:

Re: Password protect directory

Post by changlee » Tue Aug 12, 2014 6:33 am

I just copied an .htaccess file from another Joomla3 installation and it works fine: http://www.manifest-security.gr/administrator/

The last lines are different.

The old .htaccess:

Code: Select all

## Begin - Joomla! core SEF Section.
#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
#
# If the requested path and file is not /index.php and the request
# has not already been internally rewritten to the index.php script
RewriteCond %{REQUEST_URI} !^/index\.php
# and the requested path and file doesn't directly match a physical file
RewriteCond %{REQUEST_FILENAME} !-f
# and the requested path and file doesn't directly match a physical folder
RewriteCond %{REQUEST_FILENAME} !-d
# internally rewrite the request to the index.php script
RewriteRule . /index.php [L]
#
## End - Joomla! core SEF Section.
The new one:

Code: Select all

## Begin - Joomla! core SEF Section.
#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
#
# If the requested path and file is not /index.php and the request
# has not already been internally rewritten to the index.php script
RewriteCond %{REQUEST_URI} !^/index\.php
# and the request is for something within the component folder,
# or for the site root, or for an extensionless URL, or the
# requested URL ends with one of the listed extensions
RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$ [NC]
# and the requested path and file doesn't directly match a physical file
RewriteCond %{REQUEST_FILENAME} !-f
# and the requested path and file doesn't directly match a physical folder
RewriteCond %{REQUEST_FILENAME} !-d
# internally rewrite the request to the index.php script
RewriteRule .* index.php [L]
#
## End - Joomla! core SEF Section.
If you do not programm your life, someone else will do it for you.
SMTP Newsletter APP: https://www.emailbat.com

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Password protect directory

Post by Bernard T » Tue Aug 12, 2014 8:00 am

changlee wrote:I just copied an .htaccess file from another Joomla3 installation and it works fine: http://www.manifest-security.gr/administrator/

Code: Select all

RewriteRule .* index.php [L]
Wasn't that the rewrite rule you started with in the first place? Or you had some custom rule instead.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

User avatar
changlee
Joomla! Explorer
Joomla! Explorer
Posts: 441
Joined: Tue Nov 20, 2007 11:05 am
Location: Greece
Contact:

Re: Password protect directory

Post by changlee » Thu Aug 21, 2014 11:03 am

I do not understand you :-)
If you do not programm your life, someone else will do it for you.
SMTP Newsletter APP: https://www.emailbat.com

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Password protect directory

Post by Bernard T » Thu Aug 21, 2014 5:29 pm

changlee wrote:I do not understand you :-)
changlee wrote: The new one:

Code: Select all

RewriteRule .* index.php [L]
I asked if this rule wasn't the one you started with? Since that is default rule supplied in htaccess.txt
You obviously changed that and forgot about it. ;)
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

User avatar
changlee
Joomla! Explorer
Joomla! Explorer
Posts: 441
Joined: Tue Nov 20, 2007 11:05 am
Location: Greece
Contact:

Re: Password protect directory

Post by changlee » Fri Aug 22, 2014 9:02 am

No, I did not changed anything. I just installed the current Joomla3 version. I remember that it was not the latest.

PS: How do I mark this as solved? :-)
If you do not programm your life, someone else will do it for you.
SMTP Newsletter APP: https://www.emailbat.com

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Password protect directory

Post by Bernard T » Sat Aug 23, 2014 7:06 am

To mark it as solved:

[Solved] - When you have successfully resolved you problem, please edit your original post to have [solved] in the title and use the green tick post icon. A moderator can also do it for you if you press the report [!] button.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

User avatar
changlee
Joomla! Explorer
Joomla! Explorer
Posts: 441
Joined: Tue Nov 20, 2007 11:05 am
Location: Greece
Contact:

Re: Password protect directory

Post by changlee » Sat Aug 23, 2014 9:00 am

I do not have the option to edit my original post! :-)
If you do not programm your life, someone else will do it for you.
SMTP Newsletter APP: https://www.emailbat.com

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Password protect directory

Post by Bernard T » Sat Aug 23, 2014 10:15 am

Bernard T wrote:A moderator can also do it for you if you press the report [!] button.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak


Locked

Return to “Security in Joomla! 3.x”