Backend wide open Topic is solved
- brian
- Joomla! Master
- Posts: 12787
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
Re: Backend wide open
The only extension you have in your system that I am not familiar with is ARK editor. I can't see that would be a problem but maybe try and uninstall that and see if you still have a problem.
However personally I suspect that you have somehow set your browser to remember the login
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
-
- Joomla! Intern
- Posts: 75
- Joined: Wed Aug 29, 2012 7:41 pm
Re: Backend wide open
Hmmm. Now I can't replicate the problem myself.
I will try to close in to the circumstances that generate this...
-
- Joomla! Intern
- Posts: 75
- Joined: Wed Aug 29, 2012 7:41 pm
Re: Backend wide open
brian wrote: However personally I suspect that you have somehow set your browser to remember the login
How would that be possible?
- brian
- Joomla! Master
- Posts: 12787
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
Re: Backend wide open
OK I have now replicated the issue on your site - still cannot replicate it on any other
-
- Joomla! Intern
- Posts: 75
- Joined: Wed Aug 29, 2012 7:41 pm
Re: Backend wide open
Thanks, Brian. My hosting provider is willing to look into it, so maybe that is the next step to do.
Thanks! Your help is much appreciated.
-
- Joomla! Intern
- Posts: 75
- Joined: Wed Aug 29, 2012 7:41 pm
Re: Backend wide open
The security token seems to have something to do with it.
- brian
- Joomla! Master
- Posts: 12787
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
Re: Backend wide open
As that is something that is set on your browser then there is no security issue - but I still can't see what is causing the problem and I only replicated the issue once.
-
- Joomla! Intern
- Posts: 75
- Joined: Wed Aug 29, 2012 7:41 pm
Re: Backend wide open
brian wrote: As that is something that is set on your browser then there is no security issue - but I still can't see what is causing the problem and I only replicated the issue once.
In any case it is replicated by me many times. The probability of the problem being client dependent is unlikely I guess...
-
- Joomla! Intern
- Posts: 75
- Joined: Wed Aug 29, 2012 7:41 pm
Re: Backend wide open
Brian, if you have a hunch figuring this out, let me know!
-
- Joomla! Intern
- Posts: 75
- Joined: Wed Aug 29, 2012 7:41 pm
Re: Backend wide open
I cleared the session table to no avail.
The local backup on my laptop (XAMPP) has the same issue.
The issue typically happens after a "request refused - invalid security token" error after trying to login.
Clearing the cookies locally is the only thing that helps.
The problem probably sits somewhere in Joomla - the files or the database.
This would be an opportunity to decide if we want to keep this website, or start afresh.
-
- Joomla! Intern
- Posts: 75
- Joined: Wed Aug 29, 2012 7:41 pm
Re: Backend wide open
I could post the FPA output for my plugins, if that is of any help... ?
- Per Yngve Berg
- Joomla! Master
- Posts: 30924
- Joined: Mon Oct 27, 2008 9:27 pm
- Location: Romerike, Norway
Re: Backend wide open
System TMP Writable: No is a problem on the server that has to be fixed.
IIS servers do only have one permission, so all three numbers will always be equal.
IIS servers do not use a .htaccess file, but a web.config. Have you renamed webconfig.txt to web.config?
Finally. Have you tried to disable the Authentication Cookie Plugin, so you will not get logged in by the cookie in the browser?
-
- Joomla! Intern
- Posts: 75
- Joined: Wed Aug 29, 2012 7:41 pm
Re: Backend wide open
Thanks, Per, I don't have time today but I will get to it as soon as I have the time!
Per Yngve Berg wrote: System TMP Writable: No is a problem on the server that has to be fixed.
What is the "System TMP" exactly?
-
- Joomla! Intern
- Posts: 75
- Joined: Wed Aug 29, 2012 7:41 pm
Re: Backend wide open
Per Yngve Berg wrote: IIS servers do not use a .htaccess file, but a web.config. Have you renamed webconfig.txt to web.config?
I already have a web.config from my hosting provider. Should I merge that with the file from Joomla? How is that done?
BTW, I think my provider accepts both .htaccess and web.config! I will inquire with them.
-
- Joomla! Intern
- Posts: 75
- Joined: Wed Aug 29, 2012 7:41 pm
Re: Backend wide open
Per Yngve Berg wrote: System TMP Writable: No is a problem on the server that has to be fixed.
Joomla tmp folder has sufficient access rights (full access rights for applications).
- Per Yngve Berg
- Joomla! Master
- Posts: 30924
- Joined: Mon Oct 27, 2008 9:27 pm
- Location: Romerike, Norway
Re: Backend wide open
Per Yngve Berg wrote: System TMP Writable: No is a problem on the server that has to be fixed.
dottedhippo wrote: Joomla tmp folder has sufficient access rights (full access rights for applications).
This is the PHP Temp folder, not the Joomla Temp folder. It's a server-wide setting and must be set by your host.
-
- Joomla! Intern
- Posts: 75
- Joined: Wed Aug 29, 2012 7:41 pm
Re: Backend wide open
Per Yngve Berg wrote: System TMP Writable: No is a problem on the server that has to be fixed.
dottedhippo wrote: Joomla tmp folder has sufficient access rights (full access rights for applications).
Per Yngve Berg wrote: This is the PHP Temp folder, not the Joomla Temp folder. It's a server-wide setting and must be set by your host.
I have checked with my hosting provider, and they confirm that the System Temp is not writable. They gave me the advice to use a different folder, such as the PHP TEMP folder or the Joomla TMP folder. Is it possible to set one of them?
- brian
- Joomla! Master
- Posts: 12787
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
Re: Backend wide open
Can we please make one thing absolutely clear for anyone coming across this post. The Joomla admin is NOT wide open. The only reproducible issue on this one site is that someone who has logged in may be able to access the admin without logging in again when using the exact same computer and web browser.
-
- Joomla! Intern
- Posts: 75
- Joined: Wed Aug 29, 2012 7:41 pm
Re: Backend wide open
Configuration file says $tmp_path is set to the Joomla tmp folder.
-
- Joomla! Intern
- Posts: 75
- Joined: Wed Aug 29, 2012 7:41 pm
Re: Backend wide open
brian wrote: Can we please make one thing absolutely clear for anyone coming across this post. The Joomla admin is NOT wide open. The only reproducible issue on this one site is that someone who has logged in may be able to access the admin without logging in again when using the exact same computer and web browser.
That is correct.
- Per Yngve Berg
- Joomla! Master
- Posts: 30924
- Joined: Mon Oct 27, 2008 9:27 pm
- Location: Romerike, Norway
Re: Backend wide open
You can change the php temp folder in php.ini.
-
- Joomla! Intern
- Posts: 75
- Joined: Wed Aug 29, 2012 7:41 pm
Re: Backend wide open
It appears to have been solved after an update of Chrome.
I think it did not handle its cookies appropriately.
-sigh of relief-