Backend wide open Topic is solved

[dottedhippo]

With the latest Joomla update the problem is partly solved.

Now, when logging out, I stay logged out.

However, when the security token expires, I gain free access to the backend again. (without logging in)

[dottedhippo]

If this is a structural bug, it is pretty serious.

[gws]

If this is a structural bug, it is pretty serious.

It is not a bug in joomla,otherwise we would have heard of this problem before. If you are hosted on godaddy then from many many previous posts on this forum godaddy are notorious for misconfigured servers and their support staff are not the best. An url to your site would be useful as would be the FPA, see viewtopic.php?f=714&t=793531

[dottedhippo]

thrown in D:\appdata\IIS\vhosts\site.nl\httpdocs\joomla\A1\kickstart.php on line 3607

Joomla! Instance :: Joomla! 3.8.7-Stable (Amani) 18-April-2018
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Writable (666) | Owner: --protected-- . (uid: /gid: ) | Group: --protected-- (gid: ) | Valid For: 3.8
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: 0 | FTP Layer: 0 | Proxy: 0 | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: 0 | SSL: 2 | FrontEdit: 1 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | dbConnection Type: pdomysql | Database Credentials Present: Yes

Host Configuration :: OS: Windows NT | OS Version: 6.3 | Technology: AMD64 | Web Server: Microsoft-IIS/8.5 | Encoding: gzip, deflate | Doc Root: --protected-- | System TMP Writable: No | Free Disk Space : 82.24 GiB |

PHP Configuration :: Version: 7.0.29 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: D:\appdata\IIS\vhosts\site.nl\logs\php_errors\site.nl\php_error.log | Last Known Error: 18th April 2018 12:22:15. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 1024M | Max. POST Size: 1024M | Max. Input Time: 900 | Max. Execution Time: 900 | Memory Limit: 512M

MySQL Configuration :: Version: 5.6.36 (Client:mysqlnd 5.0.12-dev - 20150407 - $Id: b5c5906d452ec590732a93b051f3827e02749b83 $) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 8.64 MiB | #of Tables:  91

PHP Extensions :: Core (7.0.29) | bcmath (7.0.29) | calendar (7.0.29) | ctype (7.0.29) | date (7.0.29) | filter (7.0.29) | hash (1.0) | iconv (7.0.29) | json (1.4.0) | mcrypt (7.0.29) | SPL (7.0.29) | pcre (7.0.29) | Reflection (7.0.29) | session (7.0.29) | standard (7.0.29) | mysqlnd (mysqlnd 5.0.12-dev - 20150407 - $Id: b5c5906d452ec590732a93b051f3827e02749b83 $) | tokenizer (7.0.29) | zip (1.13.5) | zlib (7.0.29) | libxml (7.0.29) | dom (20031129) | PDO (7.0.29) | bz2 (7.0.29) | SimpleXML (7.0.29) | xml (7.0.29) | wddx (7.0.29) | xmlreader (7.0.29) | xmlwriter (7.0.29) | cgi-fcgi () | openssl (7.0.29) | com_dotnet (7.0.29) | curl (7.0.29) | fileinfo (1.0.5) | gd (7.0.29) | gettext (7.0.29) | gmp (7.0.29) | intl (1.1.0) | imap (7.0.29) | mbstring (7.0.29) | exif (7.0.29) | mysqli (7.0.29) | Phar (2.0.2) | pdo_mysql (7.0.29) | PDO_ODBC (7.0.29) | pdo_pgsql (7.0.29) | pdo_sqlite (7.0.29) | soap (7.0.29) | sqlite3 (7.0.29) | xsl (7.0.29) | Zend Engine (3.0.0) |
Potential Missing Extensions :: mysql | suhosin |
Disabled Functions :: dl | exec | passthru | popen | proc_open | shell_exec | system |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Core Folders :: images/ (777) | components/ (777) | modules/ (777) | plugins/ (777) | language/ (777) | templates/ (777) | cache/ (777) | logs/ (777) | tmp/ (777) | administrator/components/ (777) | administrator/modules/ (777) | administrator/language/ (777) | administrator/templates/ (777) | administrator/logs/ (777) |

Elevated Permissions (First 10) :: administrator/ (777) | administrator/cache/ (777) | administrator/components/ (777) | administrator/components/com_admin/ (777) | administrator/components/com_admin/controllers/ (777) | administrator/components/com_admin/helpers/ (777) | administrator/components/com_admin/helpers/html/ (777) | administrator/components/com_admin/models/ (777) | administrator/components/com_admin/models/forms/ (777) | administrator/components/com_admin/postinstall/ (777) |

Database statistics :: Uptime: 47273 | Threads: 2 | Questions: 2767443 | Slow queries: 0 | Opens: 15375 | Flush tables: 1 | Open tables: 2000 | Queries per second avg: 58.541 |

Components :: SITE :: WF_AGGREGATOR_DAILYMOTION_TITL (2.6.8) 1 | WF_AGGREGATOR_VIMEO_TITLE (2.6.8) 1 | WF_AGGREGATOR_VINE_TITLE (2.6.8) 1 | WF_AGGREGATOR_[youtube]_TITLE (2.6.8) 1 | WF_FILESYSTEM_JOOMLA_TITLE (2.6.8) 1 | WF_LINKS_JOOMLALINKS_TITLE (2.6.8) 1 | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.5.8) 1 | WF_POPUPS_JCEMEDIABOX_TITLE (2.6.8) 1 | WF_POPUPS_WINDOW_TITLE (2.6.8) 1 | WF_LINK_SEARCH_TITLE (2.6.8) 1 | WF_ANCHOR_TITLE (2.6.8) 1 | WF_ARTICLE_TITLE (2.6.8) 1 | WF_AUTOSAVE_TITLE (2.6.8) 1 | WF_BROWSER_TITLE (2.6.8) 1 | WF_CHARMAP_TITLE (2.6.8) 1 | WF_CLEANUP_TITLE (2.6.8) 1 | WF_CLIPBOARD_TITLE (2.6.8) 1 | WF_CONTEXTMENU_TITLE (2.6.8) 1 | WF_DIRECTIONALITY_TITLE (2.6.8) 1 | WF_EMOTIONS_TITLE (2.6.8) 1 | WF_FONTCOLOR_TITLE (2.6.8) 1 | WF_FONTSELECT_TITLE (2.6.8) 1 | WF_FONTSIZESELECT_TITLE (2.6.8) 1 | WF_FORMATSELECT_TITLE (2.6.8) 1 | WF_FULLSCREEN_TITLE (2.6.8) 1 | WF_HR_TITLE (2.6.8) 1 | WF_IMGMANAGER_TITLE (2.6.8) 1 | WF_INLINEPOPUPS_TITLE (2.6.8) 1 | WF_KITCHENSINK_TITLE (2.6.8) 1 | WF_LAYER_TITLE (2.6.8) 1 | WF_LINK_TITLE (2.6.8) 1 | WF_LISTS_TITLE (2.6.8) 1 | WF_MEDIA_TITLE (2.6.8) 1 | WF_NONBREAKING_TITLE (2.6.8) 1 | WF_PREVIEW_TITLE (2.6.8) 1 | WF_PRINT_TITLE (2.6.8) 1 | WF_SEARCHREPLACE_TITLE (2.6.8) 1 | WF_SOURCE_TITLE (2.6.8) 1 | WF_SPELLCHECKER_TITLE (2.6.8) 1 | WF_STYLE_TITLE (2.6.8) 1 | WF_STYLESELECT_TITLE (2.6.8) 1 | WF_TABLE_TITLE (2.6.8) 1 | WF_TEXTCASE_TITLE (2.6.8) 1 | WF_VISUALBLOCKS_TITLE (2.6.8) 1 | WF_VISUALCHARS_TITLE (2.6.8) 1 | WF_XHTMLXTRAS_TITLE (2.6.8) 1 | com_mailto (3.0.0) 1 | com_wrapper (3.0.0) 1 |
Components :: ADMIN :: com_admin (3.0.0) 1 | com_ajax (3.2.0) 1 | Akeeba (6.0.1) 1 | com_arkeditor (2.6) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | TreeLink (1.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Unknown (0.1) 1 | Ark Editor Pro Module (1.0.0) 1 | Ark Editor Control Panel (1.0.0) 1 | Ark Editor Statistical Module (1.0.0) 1 | Ark Editor Update Module (1.0.0) 1 | Ark Editor Vote Module (1.0.0) 1 | com_associations (3.7.0) 1 | BaForms (1.6.5) 1 | com_banners (3.0.0) 1 | com_cache (3.0.0) 1 | com_categories (3.0.0) 1 | com_checkin (3.0.0) 1 | com_config (3.0.0) 1 | com_content (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_cpanel (3.0.0) 1 | com_fields (3.7.0) 1 | com_finder (3.0.0) 1 | com_installer (3.0.0) 1 | com_jaextmanager (2.5.3) 1 | com_jaextmanager (2.6.3) 1 | COM_JCE (2.6.8) 1 | Unknown (-) 1 | com_joomlaupdate (3.6.2) 1 | com_languages (3.0.0) 1 | com_login (3.0.0) 1 | com_media (3.0.0) 1 | com_menus (3.0.0) 1 | com_messages (3.0.0) 1 | com_modules (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_plugins (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_redirect (3.0.0) 1 | com_search (3.0.0) 1 | com_tags (3.1.0) 1 | com_templates (3.0.0) 1 | com_users (3.0.0) 1 | Widgetkit (1.5.9) 1 |

Modules :: SITE :: mod_articles_archive (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_custom (3.0.0) 1 | Facebook Widget Slider (1.1) 1 | Facebook Likebox Slider (5.4) 1 | mod_feed (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_footer (3.0.0) 1 | Custom Inline HTML (1.0) 1 | mod_languages (3.5.0) 1 | mod_login (3.0.0) 1 | mod_menu (3.0.0) 1 | qlform (10.3.8) 1 | mod_random_image (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_search (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_tags_similar (3.1.0) 1 | Twitter Widget Slider (1.0) 1 | mod_users_latest (3.0.0) 1 | mod_whosonline (3.0.0) 1 | Widgetkit (1.0.0) 1 | Widgetkit Twitter (1.0.0) 1 | mod_wrapper (3.0.0) 1 |
Modules :: ADMIN :: Ark Editor Pro Module (1.0.0) 1 | Ark Editor Control Panel (1.0.0) 1 | Ark Editor Statistical Module (1.0.0) 1 | Ark Editor Update Module (1.0.0) 1 | Ark Editor Vote Module (1.0.0) 1 | mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_login (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_sampledata (3.8.0) 0 | mod_stats_admin (3.0.0) 1 | mod_status (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_title (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_version (3.0.0) 1 |

Templates :: SITE :: beez3 (3.1.0) 1 | protostar (1.0) 1 | purity_III (1.2.1) 1 |
Templates :: ADMIN :: hathor (3.0.0) 1 | isis (1.0) 1 |

[dottedhippo]

Thanks people I hope we can find something!

[brian]

irrelevant of any of the multitude of issues that are shown in the FPA that I am sure others will point out. There is NO POSSIBLE way no matter what the settings or the host that anyone can access the admin of joomla unless they log in. Just because you can on your computer does not mean that anyone else can.

[dottedhippo]

Thanks brian, that is reassuring.

BTW, I changed the name of my website to site.nl in my FPA post above.

Following the FPA output I have no clue what I should do... hope you guys can help...!

[dottedhippo]

There is NO POSSIBLE way no matter what the settings or the host that anyone can access the admin of joomla unless they log in.

Still, if an administrator logs in, does some, logs out, and walks, and then someone sits at the computer and can gain access to the backend just like that, that seems pretty serious to me!

[brian]

if they log out then the next person would need to login

[dottedhippo]

if they log out then the next person would need to login

That is exactly the point of this thread: they don't! On the same machine, that is.

They gain access while nobody is logged in!

[brian]

i can not replicate that at all. if i click on logout then the only way i can access the admin is to login again

[dottedhippo]

Ik could replicate it on my desktop as well as on my laptop.

BTW, sometimes it happens after reloading the login screen about ten times.

Only erasing the cookies helps.

Does the FPA output throw any suggestions here?

[dottedhippo]

Is there nothing wrong with the FPA report above?

[JAVesey]

Is there nothing wrong with the FPA report above?

Where to start... your site is wide open to hackers with the "777" folder permissions. If weren't hacked when you started this thread then there's a good chance that you have been by now.

Your configuration.php is also vulnerable with "666" permissions.

Folders should be "755"
Files should be "644"
configuration.php should be "444"

[dottedhippo]

My hosting provider explicitly told me that the permissions should be full, and that access from visitors is still read-only. But I will check with them again. BTW, it runs on an IIS server if that makes any difference.

Is there more?

[brian]

I would be worried about an extension that calls itself don't by our kitchens

[dottedhippo]

I will probably have to start from scratch again with this site, right?

[AMurray]

Is there nothing wrong with the FPA report above?

Where to start... your site is wide open to hackers with the "777" folder permissions. If weren't hacked when you started this thread then there's a good chance that you have been by now.

Your configuration.php is also vulnerable with "666" permissions.

Folders should be "755"
Files should be "644"
configuration.php should be "444"

I just realised from the FPA, it notes the web server being IIS and O/S Windows. Since file permissions aren't set the way they are in Linux, perhaps the permissions shown (666, 777 etc) are not the problem (or not as serious as first thought?).

Since the server is IIS, the O/S is Windows, should this thread not be on the viewforum.php?f=717 forum for Windows/IIS? Perhaps experts using IIS/Windows can help where most of us are probably using Linux/Apache.

[sozzled]

I've watched this saga unfold and continue without resolution over time and I think we can conclude a few things:

1) The problem relates to a "website" (if it's possible to categorise an under-development experiment on a PC-hosted system that not connected to the internet as a real website), operating an unspecified AMP stack. In this regard, I would refer readers of this topic to viewtopic.php?f=48&t=925348

2) @brian mentions the kitchen extension which is part of the JCE Editor component. It's called the "k*tchen sink".

3) If the backend is "wide open", the FPA shows that it's exposed to users on the LAN (because the site is not connected to the internet). In the interests of the OP, if there's a problem elsewhere then the FPA for a [PC-hosted] website is useless.

4) If any "webhosting provider" to explicitly advised me that "the permissions should be full" then I would be changing webhosting providers in an instant! What utter rubbish! On the other hand, it's not my website and it's not my business and I'm thankful I don't have this question to deal with.

5) No-one else can reproduce this issue. Therefore, the problem affects one person.

If this were my website I would start again using a reliable Joomla installation package—there is only one reliable way to install Joomla—and I would be considering switching over to a reputable webhosting provider.

[brian]

Good spot about jce I didn't know about it as I stopped using it a few years ago

[dottedhippo]

Since the server is IIS, the O/S is Windows, should this thread not be on the viewforum.php?f=717 forum for Windows/IIS? Perhaps experts using IIS/Windows can help where most of us are probably using Linux/Apache.

Yes, and I already requested that but oddly enough the mod didn't move my topic there...

[dottedhippo]

My hosting provider explicitly told me that the permissions should be full, and that access from visitors is still read-only. But I will check with them again. BTW, it runs on an IIS server if that makes any difference.

I checked with the hosting provider and they confirm that Unix-like access rights do not apply to IIS servers. So that is ok.

And now, since my topic has moved here, does anyone in the business of IIS have a clue what is wrong with my site?

Thanks!

[gws]

An url to the site would help.

[dottedhippo]

An url to the site would help.

Why would it help?

[gws]

Because source code can be examined .

[brian]

I am more than happy top try and replicate this "issue" on your site. If you want to send me an admin login to your site via private message I will take a look.

[dottedhippo]

I am more than happy top try and replicate this "issue" on your site. If you want to send me an admin login to your site via private message I will take a look.

I have sent you a PM, Brian.

[brian]

I tried with three different web browsers and as expected i could not replicate this

[dottedhippo]

I tried with three different web browsers and as expected i could not replicate this

Thank you Brian, much appreciated.

So how do I approach my problem?

(Did you reload at least ten times?)

[brian]

Yes I did everything you suggested.