Joomla Xplorer Security Issue Identified and Solved

January 20th, 2007

I host a number of sites from the one server, and recently I have discovered that the joomla component JoomlaXplorer gives my clients unlimited access to my entire webroot, not just their account.

I spent a bit of time looking around for a solution, and, I’m pleased to say, I’ve found one!

Thanks to theQ (at Jumba Hosting Forum) who contributed a solution to the problem whereby JoomlaXplorer gives root access to users on shared hosts.

Modify the following lines in the file {site root directory}/administrator/components/com_joomlaxplorer/.config/conf.php:-

 else {
                $GLOBALS["home_dir"] = $dir_above;
                // the url corresponding with the home directory: (no trailing ‘/’)
                $GLOBALS["home_url"] = substr( $mosConfig_live_site, 0, strrpos($mosConfig_live_site, ‘/’));
        }

to the following…

 else {
                $GLOBALS["home_dir"] =  $mosConfig_absolute_path;
                // the url corresponding with the home directory: (no trailing ‘/’)
                $GLOBALS["home_url"] =  $mosConfig_live_site;
        }

This will fix the security hole with JoomlaXPlorer, and allow users only to access folders in their own joomla installation, allthough you should also chown and chmod the conf.php file to an administrator account to prevent users from modifying it.

All comments / replies / alternative answers are appreciated either here or at the Jaisaben Joomla Problems Forum

Cheers,

M

Alternative Questions:
Why Does JoomlaExplorer show web server root?
JoomlaXplorer shows web server root
Does JoomlaXPlorer have a security hole with shared servers?

 

Digg!

Entry Filed under: Joomla

If you found this page useful, consider linking to it.
Simply copy and paste the code below into your web site (Ctrl+C to copy)
It will look like this: Joomla Xplorer Security Issue Identified and Solved

6 Comments Add your own

  • 1. magdalena  |  November 13th, 2007 at 10:30 pm

    Many thanks for this solution!! It helped me a lot.

  • 2. Jack  |  April 17th, 2008 at 1:59 pm

    What if the users install another instance of the JoomlaXplorer component?

    If JoomlaXplorer lets the users get access to the root directory, any malicious component could also get access as well.

    Does this mean, not giving them access to the Joomla Administrator account? Just giving them author or editor rights…

  • 3. joomla tutorial  |  June 8th, 2008 at 9:21 pm

    Thanks for the tip, will work wonders for my joomla tutorial service

  • 4. nvthoan  |  July 11th, 2008 at 7:42 pm

    Hi,

    I still have this security problem with JoomlaExplorer.
    Have you found any solution to limit other access htdocs’s other directories.

    TKS

    NV.Thoan

  • 5. NQ. Trung  |  August 18th, 2008 at 8:21 pm

    Hi!
    I think, this solution only prevent user in a website can not access root directoy. But, if my server hosted for some website, and they have own admin account, so it’s very dangerous if they install another themself on their website and access to others in htdocs.
    So, I need a solution to prevent them install or I can control their install JoomlaXplorer component.
    Thanks!

  • 6. Radek  |  August 27th, 2009 at 4:13 pm

    Hi. This patch solve nothing. If I can acces to /administrator/components/com_joomlaxplorer/.config/conf.php with JoomlaXplorer, I can chage modified file conf.php to original conf.php and will get acces to webroot again!

Leave a Comment

Required

Required, hidden

Some HTML allowed:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Trackback this post  |  Subscribe to the comments via RSS Feed

Featured Advertiser

Buy me a beer!

This sure is thirsty work - Here's your chance to buy me a beer :)

Links

Feeds

Posts by Month