Backend wide open Topic is solved

This forum is for issues with installing Joomla! 3.x on IIS webservers.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
User avatar
brian
Joomla! Master
Joomla! Master
Posts: 11765
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Backend wide open

Post by brian » Mon Apr 23, 2018 11:51 am

The only extension you have in your system that I am not familiar with is ARK editor. I cant see that would be a problem but maybe try and uninstall that and see if you still have a problem.

However personally I suspect that you have somehow set your browser to remember the login
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Mon Apr 23, 2018 11:54 am

Hmmm. Now I can't replicate the problem myself.

I will try to close in to te circumstances that generate this...

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Mon Apr 23, 2018 11:56 am

brian wrote:However personally I suspect that you have somehow set your browser to remember the login
How would that be possible?

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 11765
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Backend wide open

Post by brian » Mon Apr 23, 2018 1:22 pm

OK I have now replicated the issue on your site - still cannot replicate it on any other
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Mon Apr 23, 2018 1:24 pm

Thanks, Brian. My hosting provider is willing to look into it, so maybe that is the next step to do.

Thanks! Your help is much appreciated.

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Mon Apr 23, 2018 1:26 pm

The security token seems to have something to do with it.

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 11765
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Backend wide open

Post by brian » Mon Apr 23, 2018 1:28 pm

As that is something that is set on your browser then there is no security issue - but i still cant see what is causing the problem and I only replicated the issue once.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Mon Apr 23, 2018 1:39 pm

brian wrote:As that is something that is set on your browser then there is no security issue - but i still cant see what is causing the problem and I only replicated the issue once.
In any case it is replicated by me many times. The probability of the problem being client dependent is unlikely I guess...

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Mon Apr 23, 2018 1:44 pm

Brian, if you have a hunch figuring this out, let me now! :D

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Mon Apr 23, 2018 3:41 pm

I cleared the session table to no avail.

The local backup on my laptop (XAMPP) has the same issue.

The issue typicly happens after a "request refused - invalid security token" error after trying to login.

Clearing the cookies locally is the only thing that helps.

The problem probably sits somewhere in Joomla - the files or the database.

This would be an opportunity to decide if we want to keep this website, or start afresh.

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Mon Apr 23, 2018 4:31 pm

I could post the FPA output for my plugins, if that is of any help... ?

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 26111
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Backend wide open

Post by Per Yngve Berg » Mon Apr 23, 2018 6:55 pm

System TMP Writable: No is a problem on the server that have to be fixed.

IIS servers do only have one permission, so all three numbers will always be equal.

IIS servers do not use a .htaccess file, but a web.config. Have you renamed webconfig.txt to web.config.

Finally. Have you tried to disable the Authentication Cookie Plugin, so you will not get logged in by the cookie in the browser?

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Mon Apr 23, 2018 8:48 pm

Thanks, Per, I don't have time today but I will get to it as soon as I have the time!
Per Yngve Berg wrote:System TMP Writable: No is a problem on the server that have to be fixed.
What is the "System TMP" exactly?

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Tue Apr 24, 2018 12:11 pm

Per Yngve Berg wrote:IIS servers do not use a .htaccess file, but a web.config. Have you renamed webconfig.txt to web.config.
I already have a web.config from my hosting provider. Should I merge that with the file from Joomla? How is that done?

BTW, I think my provider accepts both .htaccess and web.config! I will inquire with them.

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Tue Apr 24, 2018 1:15 pm

Per Yngve Berg wrote:System TMP Writable: No is a problem on the server that have to be fixed.
Joomla tmp folder has sufficient acces rights (full access rights for applications).

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 26111
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Backend wide open

Post by Per Yngve Berg » Tue Apr 24, 2018 4:06 pm

dottedhippo wrote:
Per Yngve Berg wrote:System TMP Writable: No is a problem on the server that have to be fixed.
Joomla tmp folder has sufficient acces rights (full access rights for applications).
This is the PHP Temp folder, not the Joomla Temp folder. It's server wide setting and must be set by your host.

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Wed Apr 25, 2018 11:53 am

Per Yngve Berg wrote:
dottedhippo wrote:
Per Yngve Berg wrote:System TMP Writable: No is a problem on the server that have to be fixed.
Joomla tmp folder has sufficient acces rights (full access rights for applications).
This is the PHP Temp folder, not the Joomla Temp folder. It's server wide setting and must be set by your host.
I have checked with my hosting provider, and they confirm that the System Temp is not writable. They gave me the advice to use a different folder, such as the PHP TEMP folder or the Joomla TMP folder. Is it possible to set one of them?

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 11765
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Backend wide open

Post by brian » Wed Apr 25, 2018 11:55 am

Can we please make one thing absolutely clear for anyone coming across this post. The joomla admin is NOT wide open. The only reproducable issue on this one site is that someone who has logged in may be able to access the admin without logging in again when using the exact same computer and web browser
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Wed Apr 25, 2018 11:56 am

Configuration file says $tmp_path is set to the Joomla tmp folder.

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Wed Apr 25, 2018 11:58 am

brian wrote:Can we please make one thing absolutely clear for anyone coming across this post. The joomla admin is NOT wide open. The only reproducable issue on this one site is that someone who has logged in may be able to access the admin without logging in again when using the exact same computer and web browser
That is correct.

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 26111
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Backend wide open

Post by Per Yngve Berg » Wed Apr 25, 2018 3:30 pm

You can change the php temp folder in php.ini.

dottedhippo
Joomla! Intern
Joomla! Intern
Posts: 75
Joined: Wed Aug 29, 2012 7:41 pm

Re: Backend wide open

Post by dottedhippo » Thu May 10, 2018 1:24 pm

It appears to have been solved after an update of Chrome.

I think it did not handle its cookies appropriately.

-sigh of relief- :D


Locked

Return to “Joomla! 3.x on IIS webserver”