Some Ajax calls bypassing https and dropping to http

Discussion regarding Joomla! 4.x security issues.

Post by KennethH » Tue Oct 15, 2024 8:30 pm

While comparing http to https logs (J4) I noticed a few URLs are coming down in the former (e.g. plaintext) when I'm expecting everything nice & tidy in TLS.

Some of the common players (shortened for brevity):
GET /administrator/index.php?option=com_joomlaupdate&task=update.ajax&36893(etc)=1
GET /administrator/index.php?option=com_installer&view=update&task=update.ajax&36893(etc)=1skip=224
GET /administrator/index.php?option=com_privacy&task=getNumberUrgentRequests&format=json&36893(etc)
GET /administrator/index.php?option=com_templates&view=templates&task=template.ajax&36893(etc)=1

It's not a lot but I'm worried that my browser may have leaked my administrator session variables & cookies along with those calls. Can anyone direct me if there's an existing discussion on this?

Note: (a) Site is configured to Force HTTPS (b) I could certainly enforce with .htaccess but I feel the browser would still push the sensitive content out there before seeing the 301
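
The concern in note (b), as an added example that is not part of the original post: a redirect only arrives after the request has been sent, so what a plaintext request carries depends on whether each cookie has the `Secure` attribute. The sketch uses Python's standard `http.cookiejar` to apply the client-side cookie rules; the host `example.test`, the cookie names and the cookie values are constructed for illustration and are not Joomla's real session cookie names.

```python
import http.cookiejar
import urllib.request

HOST = "example.test"  # constructed host, not from the post


def make_cookie(name, secure):
    """Build a session-style cookie for HOST; names and values are constructed."""
    return http.cookiejar.Cookie(
        version=0, name=name, value="constructed-value",
        port=None, port_specified=False,
        domain=HOST, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def build_jar():
    """Jar holding one cookie without the Secure attribute and one with it."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_cookie("admin_session_no_flag", secure=False))
    jar.set_cookie(make_cookie("admin_session_secure", secure=True))
    return jar


def cookies_sent(jar, url):
    """Return the sorted cookie names a client would attach to a request for url."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # applies the Secure, domain and path rules
    header = req.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0] for part in header.split("; ") if part)


# Path taken from the first log line in the post, with the token parameter left out.
AJAX = "/administrator/index.php?option=com_joomlaupdate&task=update.ajax"

if __name__ == "__main__":
    jar = build_jar()
    for scheme in ("http", "https"):
        # The http request is built and sent before any 301 could be received.
        print(scheme, cookies_sent(jar, f"{scheme}://{HOST}{AJAX}"))
```

On a live site the equivalent check is whether the `Set-Cookie` header returned over https for the administrator session includes `Secure`.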
