Backend wide open

This forum is for issues with installing Joomla! 3.x on IIS webservers.

dottedhippo
Joomla! Intern
Posts: 72
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Postby dottedhippo » Wed Apr 18, 2018 5:19 pm

With the latest Joomla update the problem is partly solved.

Now, when logging out, I stay logged out.

However, when the security token expires, I gain free access to the backend again (without logging in).


Re: Backend wide open

Postby dottedhippo » Wed Apr 18, 2018 5:22 pm

If this is a structural bug, it is pretty serious.

gws
Joomla! Virtuoso
Posts: 3261
Joined: Tue Aug 23, 2005 1:56 pm
Location: Kent / Sussex / Surrey border UK

Re: Backend wide open

Postby gws » Wed Apr 18, 2018 5:30 pm

dottedhippo wrote:If this is a structural bug, it is pretty serious.


It is not a bug in Joomla, otherwise we would have heard of this problem before. If you are hosted on GoDaddy then, from many many previous posts on this forum, GoDaddy are notorious for misconfigured servers and their support staff are not the best. A URL to your site would be useful, as would be the FPA; see viewtopic.php?f=714&t=793531


Re: Backend wide open

Postby dottedhippo » Wed Apr 18, 2018 6:35 pm

Forum Post Assistant (v1.3.9) : 18th April 2018

Last PHP Error(s) Reported ::
thrown in D:\appdata\IIS\vhosts\site.nl\httpdocs\joomla\A1\kickstart.php on line 3607

Basic Environment ::
Joomla! Instance :: Joomla! 3.8.7-Stable (Amani) 18-April-2018
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Writable (666) | Owner: --protected-- . (uid: /gid: ) | Group: --protected-- (gid: ) | Valid For: 3.8
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: 0 | FTP Layer: 0 | Proxy: 0 | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: 0 | SSL: 2 | FrontEdit: 1 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | dbConnection Type: pdomysql | Database Credentials Present: Yes

Host Configuration :: OS: Windows NT | OS Version: 6.3 | Technology: AMD64 | Web Server: Microsoft-IIS/8.5 | Encoding: gzip, deflate | Doc Root: --protected-- | System TMP Writable: No | Free Disk Space : 82.24 GiB |

PHP Configuration :: Version: 7.0.29 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: D:\appdata\IIS\vhosts\site.nl\logs\php_errors\site.nl\php_error.log | Last Known Error: 18th April 2018 12:22:15. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 1024M | Max. POST Size: 1024M | Max. Input Time: 900 | Max. Execution Time: 900 | Memory Limit: 512M

MySQL Configuration :: Version: 5.6.36 (Client:mysqlnd 5.0.12-dev - 20150407 - $Id: b5c5906d452ec590732a93b051f3827e02749b83 $) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 8.64 MiB | #of Tables:  91
Detailed Environment ::
PHP Extensions :: Core (7.0.29) | bcmath (7.0.29) | calendar (7.0.29) | ctype (7.0.29) | date (7.0.29) | filter (7.0.29) | hash (1.0) | iconv (7.0.29) | json (1.4.0) | mcrypt (7.0.29) | SPL (7.0.29) | pcre (7.0.29) | Reflection (7.0.29) | session (7.0.29) | standard (7.0.29) | mysqlnd (mysqlnd 5.0.12-dev - 20150407 - $Id: b5c5906d452ec590732a93b051f3827e02749b83 $) | tokenizer (7.0.29) | zip (1.13.5) | zlib (7.0.29) | libxml (7.0.29) | dom (20031129) | PDO (7.0.29) | bz2 (7.0.29) | SimpleXML (7.0.29) | xml (7.0.29) | wddx (7.0.29) | xmlreader (7.0.29) | xmlwriter (7.0.29) | cgi-fcgi () | openssl (7.0.29) | com_dotnet (7.0.29) | curl (7.0.29) | fileinfo (1.0.5) | gd (7.0.29) | gettext (7.0.29) | gmp (7.0.29) | intl (1.1.0) | imap (7.0.29) | mbstring (7.0.29) | exif (7.0.29) | mysqli (7.0.29) | Phar (2.0.2) | pdo_mysql (7.0.29) | PDO_ODBC (7.0.29) | pdo_pgsql (7.0.29) | pdo_sqlite (7.0.29) | soap (7.0.29) | sqlite3 (7.0.29) | xsl (7.0.29) | Zend Engine (3.0.0) |
Potential Missing Extensions :: mysql | suhosin |
Disabled Functions :: dl | exec | passthru | popen | proc_open | shell_exec | system |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: images/ (777) | components/ (777) | modules/ (777) | plugins/ (777) | language/ (777) | templates/ (777) | cache/ (777) | logs/ (777) | tmp/ (777) | administrator/components/ (777) | administrator/modules/ (777) | administrator/language/ (777) | administrator/templates/ (777) | administrator/logs/ (777) |

Elevated Permissions (First 10) :: administrator/ (777) | administrator/cache/ (777) | administrator/components/ (777) | administrator/components/com_admin/ (777) | administrator/components/com_admin/controllers/ (777) | administrator/components/com_admin/helpers/ (777) | administrator/components/com_admin/helpers/html/ (777) | administrator/components/com_admin/models/ (777) | administrator/components/com_admin/models/forms/ (777) | administrator/components/com_admin/postinstall/ (777) |
Database Information ::
Database statistics :: Uptime: 47273 | Threads: 2 | Questions: 2767443 | Slow queries: 0 | Opens: 15375 | Flush tables: 1 | Open tables: 2000 | Queries per second avg: 58.541 |
Extensions Discovered ::
Components :: SITE :: WF_AGGREGATOR_DAILYMOTION_TITL (2.6.8) 1 | WF_AGGREGATOR_VIMEO_TITLE (2.6.8) 1 | WF_AGGREGATOR_VINE_TITLE (2.6.8) 1 | [youtube] (2.6.8) 1 | WF_FILESYSTEM_JOOMLA_TITLE (2.6.8) 1 | WF_LINKS_JOOMLALINKS_TITLE (2.6.8) 1 | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.5.8) 1 | WF_POPUPS_JCEMEDIABOX_TITLE (2.6.8) 1 | WF_POPUPS_WINDOW_TITLE (2.6.8) 1 | WF_LINK_SEARCH_TITLE (2.6.8) 1 | WF_ANCHOR_TITLE (2.6.8) 1 | WF_ARTICLE_TITLE (2.6.8) 1 | WF_AUTOSAVE_TITLE (2.6.8) 1 | WF_BROWSER_TITLE (2.6.8) 1 | WF_CHARMAP_TITLE (2.6.8) 1 | WF_CLEANUP_TITLE (2.6.8) 1 | WF_CLIPBOARD_TITLE (2.6.8) 1 | WF_CONTEXTMENU_TITLE (2.6.8) 1 | WF_DIRECTIONALITY_TITLE (2.6.8) 1 | WF_EMOTIONS_TITLE (2.6.8) 1 | WF_FONTCOLOR_TITLE (2.6.8) 1 | WF_FONTSELECT_TITLE (2.6.8) 1 | WF_FONTSIZESELECT_TITLE (2.6.8) 1 | WF_FORMATSELECT_TITLE (2.6.8) 1 | WF_FULLSCREEN_TITLE (2.6.8) 1 | WF_HR_TITLE (2.6.8) 1 | WF_IMGMANAGER_TITLE (2.6.8) 1 | WF_INLINEPOPUPS_TITLE (2.6.8) 1 | WF_KITCHENSINK_TITLE (2.6.8) 1 | WF_LAYER_TITLE (2.6.8) 1 | WF_LINK_TITLE (2.6.8) 1 | WF_LISTS_TITLE (2.6.8) 1 | WF_MEDIA_TITLE (2.6.8) 1 | WF_NONBREAKING_TITLE (2.6.8) 1 | WF_PREVIEW_TITLE (2.6.8) 1 | WF_PRINT_TITLE (2.6.8) 1 | WF_SEARCHREPLACE_TITLE (2.6.8) 1 | WF_SOURCE_TITLE (2.6.8) 1 | WF_SPELLCHECKER_TITLE (2.6.8) 1 | WF_STYLE_TITLE (2.6.8) 1 | WF_STYLESELECT_TITLE (2.6.8) 1 | WF_TABLE_TITLE (2.6.8) 1 | WF_TEXTCASE_TITLE (2.6.8) 1 | WF_VISUALBLOCKS_TITLE (2.6.8) 1 | WF_VISUALCHARS_TITLE (2.6.8) 1 | WF_XHTMLXTRAS_TITLE (2.6.8) 1 | com_mailto (3.0.0) 1 | com_wrapper (3.0.0) 1 |
Components :: ADMIN :: com_admin (3.0.0) 1 | com_ajax (3.2.0) 1 | Akeeba (6.0.1) 1 | com_arkeditor (2.6) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | TreeLink (1.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Ark Editor Pro Module (1.0.0) 1 | Ark Editor Control Panel (1.0.0) 1 | Ark Editor Statistical Module (1.0.0) 1 | Ark Editor Update Module (1.0.0) 1 | Ark Editor Vote Module (1.0.0) 1 | com_associations (3.7.0) 1 | BaForms (1.6.5) 1 | com_banners (3.0.0) 1 | com_cache (3.0.0) 1 | com_categories (3.0.0) 1 | com_checkin (3.0.0) 1 | com_config (3.0.0) 1 | com_content (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_cpanel (3.0.0) 1 | com_fields (3.7.0) 1 | com_finder (3.0.0) 1 | com_installer (3.0.0) 1 | com_jaextmanager (2.5.3) 1 | com_jaextmanager (2.6.3) 1 | COM_JCE (2.6.8) 1 | Unknown (-) 1 | com_joomlaupdate (3.6.2) 1 | com_languages (3.0.0) 1 | com_login (3.0.0) 1 | com_media (3.0.0) 1 | com_menus (3.0.0) 1 | com_messages (3.0.0) 1 | com_modules (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_plugins (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_redirect (3.0.0) 1 | com_search (3.0.0) 1 | com_tags (3.1.0) 1 | com_templates (3.0.0) 1 | com_users (3.0.0) 1 | Widgetkit (1.5.9) 1 |

Modules :: SITE :: mod_articles_archive (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_custom (3.0.0) 1 | Facebook Widget Slider (1.1) 1 | Facebook Likebox Slider (5.4) 1 | mod_feed (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_footer (3.0.0) 1 | Custom Inline HTML (1.0) 1 | mod_languages (3.5.0) 1 | mod_login (3.0.0) 1 | mod_menu (3.0.0) 1 | qlform (10.3.8) 1 | mod_random_image (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_search (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_tags_similar (3.1.0) 1 | Twitter Widget Slider (1.0) 1 | mod_users_latest (3.0.0) 1 | mod_whosonline (3.0.0) 1 | Widgetkit (1.0.0) 1 | Widgetkit Twitter (1.0.0) 1 | mod_wrapper (3.0.0) 1 |
Modules :: ADMIN :: Ark Editor Pro Module (1.0.0) 1 | Ark Editor Control Panel (1.0.0) 1 | Ark Editor Statistical Module (1.0.0) 1 | Ark Editor Update Module (1.0.0) 1 | Ark Editor Vote Module (1.0.0) 1 | mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_login (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_sampledata (3.8.0) 0 | mod_stats_admin (3.0.0) 1 | mod_status (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_title (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_version (3.0.0) 1 |

Templates Discovered ::
Templates :: SITE :: beez3 (3.1.0) 1 | protostar (1.0) 1 | purity_III (1.2.1) 1 |
Templates :: ADMIN :: hathor (3.0.0) 1 | isis (1.0) 1 |
Last edited by toivo on Wed Apr 18, 2018 6:48 pm, edited 1 time in total.
Reason: mod note: disabled smilies in Options for readability


Re: Backend wide open

Postby dottedhippo » Wed Apr 18, 2018 6:37 pm

Thanks people :) I hope we can find something!

brian
Joomla! Master
Posts: 11592
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: Backend wide open

Postby brian » Wed Apr 18, 2018 11:17 pm

Irrelevant of any of the multitude of issues that are shown in the FPA that I am sure others will point out, there is NO POSSIBLE way, no matter what the settings or the host, that anyone can access the admin of Joomla unless they log in. Just because you can on your computer does not mean that anyone else can.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/


Re: Backend wide open

Postby dottedhippo » Thu Apr 19, 2018 8:59 am

Thanks brian, that is reassuring.

BTW, I changed the name of my website to site.nl in my FPA post above.

Following the FPA output I have no clue what I should do... hope you guys can help...! :eek:


Re: Backend wide open

Postby dottedhippo » Fri Apr 20, 2018 11:24 am

brian wrote:There is NO POSSIBLE way no matter what the settings or the host that anyone can access the admin of joomla unless they log in.
Still, if an administrator logs in, does some, logs out, and walks, and then someone sits at the computer and can gain access to the backend just like that, that seems pretty serious to me!


Re: Backend wide open

Postby brian » Fri Apr 20, 2018 11:31 am

If they log out then the next person would need to log in.


Re: Backend wide open

Postby dottedhippo » Fri Apr 20, 2018 11:39 am

brian wrote:If they log out then the next person would need to log in.
That is exactly the point of this thread: they don't! On the same machine, that is.

They gain access while nobody is logged in!


Re: Backend wide open

Postby brian » Fri Apr 20, 2018 11:52 am

I cannot replicate that at all. If I click on logout then the only way I can access the admin is to log in again.


Re: Backend wide open

Postby dottedhippo » Fri Apr 20, 2018 11:58 am

I could replicate it on my desktop as well as on my laptop.

BTW, sometimes it happens after reloading the login screen about ten times.

Only erasing the cookies helps.

Does the FPA output throw any suggestions here?


Re: Backend wide open

Postby dottedhippo » Fri Apr 20, 2018 3:21 pm

Is there nothing wrong with the FPA report above? ???

JAVesey
Joomla! Ace
Posts: 1662
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK

Re: Backend wide open

Postby JAVesey » Fri Apr 20, 2018 5:25 pm

dottedhippo wrote:Is there nothing wrong with the FPA report above? ???
Where to start... your site is wide open to hackers with the "777" folder permissions. If you weren't hacked when you started this thread then there's a good chance that you have been by now.

Your configuration.php is also vulnerable with "666" permissions.

Folders should be "755"
Files should be "644"
configuration.php should be "444"
John V
Cardiff, Wales, UK
Website: https://www.llanmon.org.uk (Joomla 3.8.8)


Re: Backend wide open

Postby dottedhippo » Fri Apr 20, 2018 5:28 pm

My hosting provider explicitly told me that the permissions should be full, and that access from visitors is still read-only. But I will check with them again. BTW, it runs on an IIS server if that makes any difference.

Is there more?


Re: Backend wide open

Postby brian » Fri Apr 20, 2018 5:31 pm

I would be worried about an extension that calls itself don't by our kitchens


Re: Backend wide open

Postby dottedhippo » Fri Apr 20, 2018 5:58 pm

I will probably have to start from scratch again with this site, right?

AMurray
Joomla! Virtuoso
Posts: 3543
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Re: Backend wide open

Postby AMurray » Fri Apr 20, 2018 9:26 pm

JAVesey wrote:
dottedhippo wrote:Is there nothing wrong with the FPA report above? ???
Where to start... your site is wide open to hackers with the "777" folder permissions. If you weren't hacked when you started this thread then there's a good chance that you have been by now.

Your configuration.php is also vulnerable with "666" permissions.

Folders should be "755"
Files should be "644"
configuration.php should be "444"

I just realised from the FPA, it notes the web server being IIS and O/S Windows. Since file permissions aren't set the way they are in Linux, perhaps the permissions shown (666, 777 etc) are not the problem ??? (or not as serious as first thought?).

Since the server is IIS, the O/S is Windows, should this thread not be on the viewforum.php?f=717 forum for Windows/IIS? Perhaps experts using IIS/Windows can help where most of us are probably using Linux/Apache.
Regards,
--------------------------------------------------------------
A Murray
Millennium Falcon - it's the ship that made the Kessel run in less than 12 parsecs! The fastest hunk of junk in the galaxy.
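
The question raised in the post above can be settled on the server itself: on Windows, access is decided by NTFS ACLs rather than by the mode digits the FPA prints. The PowerShell below is an added example, not part of any post in this thread; the site path is a placeholder, and the identity list assumes English account names on a typical IIS setup.

```powershell
# Added example (not from the thread): list NTFS ACL entries that let
# web-server identities write to key Joomla paths on an IIS host.
param(
    # Placeholder path (assumption): replace with the real site root.
    [string]$SiteRoot = 'C:\inetpub\wwwroot\joomla'
)

# Identities commonly used by IIS to serve requests, plus broad groups.
# Assumption: English account names; adjust to the accounts this site uses.
$webIdentities = @(
    'NT AUTHORITY\IUSR',
    'BUILTIN\IIS_IUSRS',
    'IIS APPPOOL\*',
    'BUILTIN\Users',
    'Everyone'
)

# Rights that allow changing content or permissions.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Get-Acl can also return raw generic rights that the enum does not name:
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$writeMask = [int]$writeRights -bor 0x40000000 -bor 0x10000000

function Get-WebWritableAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries grant access; Deny entries are not evaluated here.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Keep only entries for the web-server identities listed above.
        $who = $ace.IdentityReference.Value
        $isWebIdentity = $false
        foreach ($pattern in $webIdentities) {
            if ($who -like $pattern) { $isWebIdentity = $true; break }
        }
        if (-not $isWebIdentity) { continue }

        # Skip entries that grant read/execute only.
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

        [pscustomobject]@{
            Path      = $Path
            Identity  = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Paths the FPA flagged: the site root, configuration.php and administrator/.
$targets = @(
    $SiteRoot,
    (Join-Path $SiteRoot 'configuration.php'),
    (Join-Path $SiteRoot 'administrator')
)

$targets |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-WebWritableAce -Path $_ } |
    Format-Table -AutoSize
```

An empty result means none of the listed identities holds a write grant on those paths; effective access still depends on group membership and on any Deny entries.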

sozzled
Joomla! Virtuoso
Posts: 4860
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Backend wide open

Postby sozzled » Fri Apr 20, 2018 9:44 pm

I've watched this saga unfold and continue without resolution over time and I think we can conclude a few things:

1) The problem relates to a "website" (if it's possible to categorise an under-development experiment on a PC-hosted system that is not connected to the internet as a real website), operating an unspecified AMP stack. In this regard, I would refer readers of this topic to viewtopic.php?f=48&t=925348

2) @brian mentions the kitchen extension which is part of the JCE Editor component. It's called the "k*tchen sink".

3) If the backend is "wide open", the FPA shows that it's exposed to users on the LAN (because the site is not connected to the internet). In the interests of the OP, if there's a problem elsewhere then the FPA for a [PC-hosted] website is useless.

4) If any "webhosting provider" explicitly advised me that "the permissions should be full" then I would be changing webhosting providers in an instant! What utter rubbish! On the other hand, it's not my website and it's not my business and I'm thankful I don't have this question to deal with.

5) No-one else can reproduce this issue. Therefore, the problem affects one person.

If this were my website I would start again using a reliable Joomla installation package—there is only one reliable way to install Joomla—and I would be considering switching over to a reputable webhosting provider.
https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?


Re: Backend wide open

Postby brian » Fri Apr 20, 2018 10:08 pm

Good spot about JCE. I didn't know about it as I stopped using it a few years ago.


Re: Backend wide open

Postby dottedhippo » Sat Apr 21, 2018 7:49 am

AMurray wrote:Since the server is IIS, the O/S is Windows, should this thread not be on the viewforum.php?f=717 forum for Windows/IIS? Perhaps experts using IIS/Windows can help where most of us are probably using Linux/Apache.
Yes, and I already requested that but oddly enough the mod didn't move my topic there... :eek:


Re: Backend wide open

Postby dottedhippo » Mon Apr 23, 2018 9:52 am

dottedhippo wrote:My hosting provider explicitly told me that the permissions should be full, and that access from visitors is still read-only. But I will check with them again. BTW, it runs on an IIS server if that makes any difference.
I checked with the hosting provider and they confirm that Unix-like access rights do not apply to IIS servers. So that is ok.

And now, since my topic has moved here, does anyone in the business of IIS have a clue what is wrong with my site?

Thanks! :)


Re: Backend wide open

Postby gws » Mon Apr 23, 2018 10:06 am

A URL to the site would help.


Re: Backend wide open

Postby dottedhippo » Mon Apr 23, 2018 10:20 am

gws wrote:A URL to the site would help.
Why would it help?


Re: Backend wide open

Postby gws » Mon Apr 23, 2018 10:25 am

Because source code can be examined.


Re: Backend wide open

Postby brian » Mon Apr 23, 2018 10:37 am

I am more than happy to try and replicate this "issue" on your site. If you want to send me an admin login to your site via private message I will take a look.


Re: Backend wide open

Postby dottedhippo » Mon Apr 23, 2018 11:31 am

brian wrote:I am more than happy to try and replicate this "issue" on your site. If you want to send me an admin login to your site via private message I will take a look.
I have sent you a PM, Brian.


Re: Backend wide open

Postby brian » Mon Apr 23, 2018 11:44 am

I tried with three different web browsers and as expected I could not replicate this.


Re: Backend wide open

Postby dottedhippo » Mon Apr 23, 2018 11:46 am

brian wrote:I tried with three different web browsers and as expected I could not replicate this.
Thank you Brian, much appreciated.

So how do I approach my problem?

(Did you reload at least ten times?)


Re: Backend wide open

Postby brian » Mon Apr 23, 2018 11:50 am

Yes I did everything you suggested.

