prevent user access /administrator folder

Discussion regarding Joomla! 1.5 security issues.

Storm@raider
Joomla! Enthusiast
Posts: 119
Joined: Sat Jan 20, 2007 5:02 pm
Location: Thailand

prevent user access /administrator folder

Postby Storm@raider » Mon Oct 22, 2007 3:54 pm

Hi

I want to prevent visitors from directly accessing site.com/administrator

I tried this method from many sites and this page can still be accessed.

How can I hide it? I tried to change the directory name to another name but it doesn't work.

Please advise.

Tonie
Joomla! Master
Posts: 16584
Joined: Thu Aug 18, 2005 7:13 am

Re: prevent user access /administrator folder

Postby Tonie » Mon Oct 22, 2007 4:24 pm

You can password protect it through .htaccess, all people going to /administrator will have to authenticate.

Storm@raider
Joomla! Enthusiast
Posts: 119
Joined: Sat Jan 20, 2007 5:02 pm
Location: Thailand

Re: prevent user access /administrator folder

Postby Storm@raider » Mon Oct 22, 2007 5:37 pm

Thanks for the reply.

But I have no experience with .htaccess. It may take time for me to configure it.

Is it possible to rename this folder to another name, and which files need to change?

Tonie
Joomla! Master
Posts: 16584
Joined: Thu Aug 18, 2005 7:13 am

Re: prevent user access /administrator folder

Postby Tonie » Mon Oct 22, 2007 7:12 pm

It's not possible to rename without breaking it. Joomla and a lot of extensions depend on it. If you are on shared hosting and use cPanel, it's often possible to password protect through there. This would be the easiest.

For the manual stuff, search on 'htaccess password protect tutorial' on any search engine.
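
The manual .htaccess route mentioned above, as an added example that is not part of the original post: a shell function that writes a Basic-auth `.htaccess` into the administrator folder and refuses a password file that sits inside the site. The function name `write_admin_htaccess`, the realm name and all paths are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example: put HTTP Basic auth in front of a Joomla administrator folder.
# Create the password file first, outside the site, e.g.:
#   htpasswd -c /home/user/private/.htpasswd admin     (placeholder path and user)

# write_admin_htaccess ADMIN_DIR HTPASSWD_FILE
# Returns 0 on success, 1 on a missing path, 2 if the password file is web-reachable.
write_admin_htaccess() {
    admin_dir=$1
    htpasswd_file=$2

    [ -d "$admin_dir" ] || { echo "no such directory: $admin_dir" >&2; return 1; }
    [ -f "$htpasswd_file" ] || { echo "no password file: $htpasswd_file" >&2; return 1; }

    # Resolve both to absolute paths so the containment check is reliable.
    admin_abs=$(cd "$admin_dir" && pwd -P) || return 1
    site_root=$(dirname "$admin_abs")
    pw_dir=$(cd "$(dirname "$htpasswd_file")" && pwd -P) || return 1
    pw_abs=$pw_dir/$(basename "$htpasswd_file")

    # Assumption: the site root is the parent of the administrator folder.
    # A password file under it could be requested by any visitor.
    case "$pw_abs" in
        "$site_root"/*)
            echo "refusing: $pw_abs is inside the site root" >&2
            return 2 ;;
    esac

    # Keep any existing .htaccess so the change can be rolled back.
    if [ -f "$admin_abs/.htaccess" ]; then
        cp -p "$admin_abs/.htaccess" "$admin_abs/.htaccess.bak"
    fi

    cat > "$admin_abs/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted"
AuthUserFile "$pw_abs"
Require valid-user
EOF
}
```

Basic auth sends the password with every request, so it only protects the login when the site is served over HTTPS.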

phuongvh
Joomla! Apprentice
Posts: 7
Joined: Tue Sep 09, 2008 4:18 am

Re: prevent user access /administrator folder

Postby phuongvh » Tue Sep 09, 2008 10:32 am

Hi
I tried to rename the "administrator" folder to "joomadmin" but it doesn't understand the CSS files in the media folder and plugins. It requires them to be added in the "joomadmin" folder. Example:

joomadmin\includes\js\joomla.javascript.js ----> can't use javascript for button(joomla.script not found ).
joomadmin\includes\media\systems\js\mootools.js ----> mootool.js not found.
joomadmin\includes\js\plugins -----> can't use joomla's tinymce editor (MCE Editor not found)

But I can't repair the media error (can't upload and insert pictures).
I know there may be other errors. If we can rename the "administrator" folder successfully, this will help security.

Can you help me?
Phuong, Vo Hoai
I try to become a joomla master !

twcmex
Joomla! Guru
Posts: 551
Joined: Sat Dec 16, 2006 10:35 pm
Location: Durango, Mexico

Re: prevent user access /administrator folder

Postby twcmex » Tue Sep 09, 2008 12:58 pm

Tonie has already told you:
"It's not possible to rename without breaking it"

Password protect the 'administrator' folder instead.
-Joe

dazza_dog
Joomla! Enthusiast
Posts: 109
Joined: Thu Jan 24, 2008 1:54 pm
Location: Staffs, UK

Re: prevent user access /administrator folder

Postby dazza_dog » Tue Sep 09, 2008 3:24 pm

Search through the JED as there are a few which may/will help
"The answer my friend is blowing in the wind" (Bob Dylan) - not necessarily correct, but the search feature will probably find it ;-) .

phuongvh
Joomla! Apprentice
Posts: 7
Joined: Tue Sep 09, 2008 4:18 am

Re: prevent user access /administrator folder

Postby phuongvh » Wed Sep 10, 2008 7:18 am

Thanks for your reply!

I think the same as you, too!

Because I saw a file named "define.php" in Joomla's include folder and the administrator's include folder, I think I can rename the administrator folder. :D

The "define.php" file has this content:

$parts = explode( DS, JPATH_BASE );

//Defines
define( 'JPATH_ROOT', implode( DS, $parts ) );

define( 'JPATH_SITE', JPATH_ROOT );
define( 'JPATH_CONFIGURATION', JPATH_ROOT );
define( 'JPATH_ADMINISTRATOR', JPATH_ROOT.DS.'administrator' );
define( 'JPATH_XMLRPC', JPATH_ROOT.DS.'xmlrpc' );
define( 'JPATH_LIBRARIES', JPATH_ROOT.DS.'libraries' );
define( 'JPATH_PLUGINS', JPATH_ROOT.DS.'plugins' );
define( 'JPATH_INSTALLATION', JPATH_ROOT.DS.'installation' );
define( 'JPATH_THEMES' , JPATH_BASE.DS.'templates' );
define( 'JPATH_CACHE', JPATH_BASE.DS.'cache');


:D
Phuong, Vo Hoai
I try to become a joomla master !

Tonie
Joomla! Master
Posts: 16584
Joined: Thu Aug 18, 2005 7:13 am

Re: prevent user access /administrator folder

Postby Tonie » Wed Sep 10, 2008 3:23 pm

That's the reason it's there, but it's not being used consistently in the Joomla! code. Also, 3rd party extensions will most likely use it even less.

adamos46
Joomla! Explorer
Posts: 275
Joined: Sat Apr 26, 2008 6:05 am
Location: New Jersey

Re: prevent user access /administrator folder

Postby adamos46 » Wed Sep 10, 2008 3:58 pm

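If you don't want to double password your administrator page and you access the admin page from a static IP, then you can do IP-based access on the administrator page.
In httpd.conf or .htaccess add:

<Directory "/path/to/admindir">
# Replace 127.0.0.1 with your IP or a /24, /25 etc. subnet.
# Apache does not allow a comment on the same line as a directive.
# <Directory> is valid only in httpd.conf; in .htaccess use the three lines below without the wrapper.
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Directory>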

phuongvh
Joomla! Apprentice
Posts: 7
Joined: Tue Sep 09, 2008 4:18 am

Re: prevent user access /administrator folder

Postby phuongvh » Thu Sep 11, 2008 2:25 am

Hi all !

Thanks for all your replies!

I'm sure I understand this problem! I think if we use a .htaccess file, this problem will be resolved easily. :D

Nice day !
Phuong, Vo Hoai
I try to become a joomla master !

SOAMJENA
Joomla! Ace
Posts: 1205
Joined: Thu May 01, 2008 12:36 pm
Location: QubeSys Technologies Pvt. Ltd ,INDIA

Re: prevent user access /administrator folder

Postby SOAMJENA » Thu Sep 11, 2008 2:33 am

You can resolve it either by .htaccess or by Password Protect via cpanel...

The best is to do it via cPanel,Password Protect....

So do that...
Thanks..
Web Design, eCommerce and Software Development
Joomla Premium Extensions,Templates and Support Packages

heros
Joomla! Apprentice
Posts: 18
Joined: Fri Oct 28, 2005 9:13 am

Re: prevent user access /administrator folder

Postby heros » Thu Sep 11, 2008 4:19 am

You can prevent other users accessing your administrator by creating a new file in the administrator folder (e.g. myadmingate.php). The code of this file is as below:
===================myadmingate.php BEGIN CODE===========================
<?php
define( '_JEXEC', 1 );
define('JPATH_BASE', dirname(__FILE__) );
define( 'DS', DIRECTORY_SEPARATOR );
require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );
require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );

// Mark this session as having come through the gate
$session =& JFactory::getSession();
$session->set("myPassport","passed");
header('Location: index.php');
// Stop here so nothing else runs after the redirect header
exit;
?>
===================myadmingate.php END CODE===========================

In the index.php under the administrator folder, below the line: << JDEBUG ? $_PROFILER->mark( 'afterLoad' ) : null; >>, add the new code:
=====================add new code for index.php BEGIN =====================
/**
* Check PASSPORT
**/
$session =& JFactory::getSession();
$myPassport = $session->get('myPassport');
if(!$myPassport || $myPassport != "passed")
{
    // Redirect to homepage
    header('Location: ../index.php');
    // Stop here; without this the admin page is still rendered after the header
    exit;
}
=====================add new code for index.php END =====================

Now you must log in to the administrator area by using myadmingate.php. You can also change this file name to any secret name you want.
:)
Heros
==========
Web developer
easyjoomlaweb.com

adamos46
Joomla! Explorer
Posts: 275
Joined: Sat Apr 26, 2008 6:05 am
Location: New Jersey

Re: prevent user access /administrator folder

Postby adamos46 » Thu Sep 11, 2008 5:26 am

IMO, this is unnecessary. Apache provides good directory security, either password protected or IP-based access.
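
A way to confirm that the Apache protection discussed in this thread is actually in force, added here as an example and not posted by any participant: scan the access log for `/administrator` requests that were answered without a login. The log lines are constructed, and the function names and the common/combined log format are assumptions of this example.

```shell
#!/bin/sh
# Added example: list /administrator requests that Apache served without a login.
# Assumes the common/combined access log format:
#   host ident user [date tz] "METHOD path proto" status bytes ...

# Constructed sample log (documentation IP ranges, not real traffic).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [11/Sep/2008:04:19:00 +0000] "GET /administrator/ HTTP/1.1" 401 401
203.0.113.7 - admin [11/Sep/2008:04:19:05 +0000] "GET /administrator/index.php HTTP/1.1" 200 5120
198.51.100.9 - - [11/Sep/2008:04:20:11 +0000] "GET /administrator/index.php HTTP/1.1" 200 5120
198.51.100.9 - - [11/Sep/2008:04:20:12 +0000] "GET /index.php HTTP/1.1" 200 9000
192.0.2.10 - - [11/Sep/2008:04:21:00 +0000] "POST /administrator/index.php HTTP/1.1" 303 0
198.51.100.9 - - [11/Sep/2008:04:22:00 +0000] "GET /administrator-old/x HTTP/1.1" 404 0
EOF
}

# audit_admin_access [ALLOWED_IP_PREFIX]   (reads a log on stdin)
# Prints "ip status path" for every admin request that got past Apache
# with no authenticated user and from outside the allowed prefix.
audit_admin_access() {
    awk -v allow="${1:-}" '
    {
        ip = $1; user = $3; path = $7; status = $9
        # Only the admin folder itself, not e.g. /administrator-old.
        if (path != "/administrator" && path !~ "^/administrator[/?]") next
        # 401/403 means Apache refused the request: protection worked.
        if (status == 401 || status == 403) next
        # A user name in field 3 means Basic auth succeeded.
        if (user != "-") next
        # Optional: skip the address range allowed by an IP rule.
        if (allow != "" && index(ip, allow) == 1) next
        print ip, status, path
    }'
}

sample_log | audit_admin_access
```

Any line this prints after the password or IP rule is in place means the rule is not being applied to that request.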

phuongvh
Joomla! Apprentice
Posts: 7
Joined: Tue Sep 09, 2008 4:18 am

Re: prevent user access /administrator folder

Postby phuongvh » Thu Sep 11, 2008 7:14 am

heros wrote:You can prevent other users accessing your administrator by creating a new file in the administrator folder (e.g. myadmingate.php).
Now you must log in to the administrator area by using myadmingate.php. You can also change this file name to any secret name you want.
:)



Thanks for all your replies!

Heros's way is very good. I checked it. My website runs very well!

Thanks again ! :-[
Phuong, Vo Hoai
I try to become a joomla master !

moprit
Joomla! Fledgling
Posts: 1
Joined: Thu Sep 11, 2008 7:00 am

Re: prevent user access /administrator folder

Postby moprit » Thu Sep 11, 2008 7:29 am

I tried renaming the administrator folder (e.g. joomadmin), and I think it's OK.

Step 1
We need to define an administrator name variable in administrator/includes/defines.php

//Defines
define( 'JDIR_ADMINISTRATOR', 'joomadmin');
define( 'JPATH_ROOT', implode( DS, $parts ) );

define( 'JPATH_SITE', JPATH_ROOT );
define( 'JPATH_CONFIGURATION', JPATH_ROOT );
define( 'JPATH_ADMINISTRATOR', JPATH_ROOT.DS.JDIR_ADMINISTRATOR );
define( 'JPATH_XMLRPC', JPATH_ROOT.DS.'xmlrpc' );
define( 'JPATH_LIBRARIES', JPATH_ROOT.DS.'libraries' );
define( 'JPATH_PLUGINS', JPATH_ROOT.DS.'plugins' );
define( 'JPATH_INSTALLATION', JPATH_ROOT.DS.'installation' );
define( 'JPATH_THEMES', JPATH_BASE.DS.'templates' );
define( 'JPATH_CACHE', JPATH_BASE.DS.'cache' );


And in includes/defines.php, too

Step 2
Go to administrator/includes/application.php, and replace

Line 41
//Set the root in the URI based on the application name
JURI::root(null, str_replace('/'.$this->getName(), '', JURI::base(true)));


with

//Set the root in the URI based on the application name
//JURI::root(null, str_replace('/'.$this->getName(), '', JURI::base(true)));
JURI::root(null, str_replace('/' . JDIR_ADMINISTRATOR, '', JURI::base(true)));


Step 3
Replace the administrator folder name (which Joomla sets statically) with the JDIR_ADMINISTRATOR variable

administrator\components\com_admin\tmpl\sysinfo_directory.php
Line 33, 34, 35, 41, 44, 45

administrator\components\com_media\views\images\tmpl\default.php
Line 8

administrator\components\com_media\views\images\view.html.php
Line 38

administrator\components\com_media\views\imageslist\view.html.php
Line 38

administrator\components\com_joomlawatch\admin.joomlawatch.php
Line 52

administrator\components\com_templates\admin.templates.html.php
Line 122

administrator\includes\application.php
Line 97

libraries\joomla\html\html\image.php
Line 131

libraries\joomla\environment\uri.php
Line 216


Step 4
And last, you can change the administrator folder name to joomadmin or any secret name you want.

------------------------------------------------
I don't know whether this way is the perfect way or not.

Cheers,
Excellence is to do a common thing in an uncommon way - Booker T. Washington

dazza_dog
Joomla! Enthusiast
Posts: 109
Joined: Thu Jan 24, 2008 1:54 pm
Location: Staffs, UK

Re: prevent user access /administrator folder

Postby dazza_dog » Thu Sep 11, 2008 11:22 am

This is fine if you want to hack the core modules every time an upgrade is published, but password protecting the admin directory and/or using a 3rd party extension is probably the easiest way.
"The answer my friend is blowing in the wind" (Bob Dylan) - not necessarily correct, but the search feature will probably find it ;-) .

heros
Joomla! Apprentice
Posts: 18
Joined: Fri Oct 28, 2005 9:13 am

Re: prevent user access /administrator folder

Postby heros » Fri Sep 12, 2008 3:34 am

dazza_dog wrote:This is fine if you want to hack the core modules every time an upgrade is published, but password protecting the admin directory and/or using a 3rd party extension is probably the easiest way.


Yes, using the password to protect the administrator directory may be a good choice for LAMP, but how about the others (e.g. IIS)?
I'm sure that the index.php file won't be upgraded during the rest of the Joomla 1.5 life. So we won't need to care about upgrading this file if there are any new versions. :D
Heros
==========
Web developer
easyjoomlaweb.com

dazza_dog
Joomla! Enthusiast
Posts: 109
Joined: Thu Jan 24, 2008 1:54 pm
Location: Staffs, UK

Re: prevent user access /administrator folder

Postby dazza_dog » Fri Sep 12, 2008 7:44 am

heros wrote:Yes, using the password to protect the administrator directory may be a good choice for LAMP, but how about the others (e.g. IIS)?


That's easy, stop using IIS and install LAMP etc :D :D

No, seriously, I know that IIS has its own security issues and there are a couple of good newsgroups/books available and I would start there.
heros wrote:I'm sure that the index.php file won't be upgraded during the rest of the Joomla 1.5 life. So we won't need to care about upgrading this file if there are any new versions. :D

I agree, index.php was not changed in either 1.5.6 or 1.5.7 upgrades and I was looking more at moprit's code and not yours.
"The answer my friend is blowing in the wind" (Bob Dylan) - not necessarily correct, but the search feature will probably find it ;-) .

jadmin12
Joomla! Fledgling
Posts: 2
Joined: Tue Apr 12, 2011 4:26 am

Re: prevent user access /administrator folder

Postby jadmin12 » Tue Apr 12, 2011 4:29 am

We have created a component which does the same as requested.

Try our demo: <mod deleted>

Visit our website: <mod deleted>

<mod deleted>
Last edited by mandville on Tue Apr 12, 2011 8:50 am, edited 1 time in total.
Reason: removed self promotion.

C0nw0nk
Joomla! Enthusiast
Posts: 248
Joined: Tue Jun 15, 2010 1:12 am
Location: United Kingdom, London

Re: prevent user access /administrator folder

Postby C0nw0nk » Tue Apr 12, 2011 5:06 am

moprit wrote:I tried renaming the administrator folder (e.g. joomadmin), and I think it's OK.

I don't know whether this way is the perfect way or not.

Cheers,


I think it's better than nothing; it means that directory and all files located in it are now different :)

mandville
Joomla! Master
Posts: 14174
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: prevent user access /administrator folder

Postby mandville » Tue Apr 12, 2011 8:52 am

please see this post viewtopic.php?f=432&t=611287

topic locked under security forum rules
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}

