By cavo789 on Friday, 29 August 2014
Posted in Technical Issues
Hi,

I'm really concerned by the security of my website and I've detected that the json files in /media/com_komento give too much information (Joomla version, Komento version and other things). These files are not secured because it's possible to access them just by requesting http://thesite/media/com_komento/config/xxx.json.

I agree that the filename is quite complicated but, from my point of view, it's not enough. Version numbers are sensitive data and should not be publicly available.

Can you give advice?

Thanks.
Hello cavo789,

Sorry for the late reply to this.
My suggestion is that you consult with your web hosting provider about the file permissions regarding http://thesite/media/com_komento/config/xxx.json

The chmod permission you set should meet your requirement, so that public users will not have permission to access this file.

Hope this helps.
Friday, 29 August 2014 19:00
Hi. Thanks for your intervention (I can't say "answer" since it's not).

Very strange answer, since Komento creates this file, so Komento needs to secure this file. If I put a .htaccess file in my folder to refuse access to .json files, what about Komento? If you create the file, there is a reason, I presume. If I block access to the file, will Komento still continue to work? I suppose not: if the file is there, you need it, no?

Why put version info? I can understand for the configuration options, but why the Joomla & Komento versions?

At this stage, I've removed Komento from my site, for that reason and for the number of lines in my Apache logfile (41% of my log entries are Komento; there is still an open ticket for this topic). You've a great tool, really, but the added value, for me and for my site, is really poor, so I prefer to remove it.

Thanks for your intervention and for your work.

Christophe
Friday, 29 August 2014 20:33
Hello,

It's actually pretty easy to find out the information of your Joomla site even if there are no .json files. Furthermore, there is no way one can guess the hash for the file name.
Friday, 29 August 2014 23:30
Hello

>It's actually pretty easy to find out the information of your Joomla site even if there are no .json files

Except if you are closing these doors ;-)

I kill files like the joomla.xml manifest, readme.md, changelog, install.php, ...; protect my /administrator (IP white list), deny access to .ini files, and other things like that. I try to close as many doors as possible.

>Furthermore, there is no way one can guess the hash for the file name

What if someone displays my webpage with his browser's debugger enabled? He'll see every resource requested by the page in his "Network" tab: every resource like images, css, javascript and json files. He doesn't need to guess the filename; the Network tab will list the call.

I repeat: your tools are GREAT, really. No doubt on this.

For my website, the blog section is really limited and I receive very few comments on it, so I prefer to remove Komento, because I don't really need this type of tool.

I would recommend removing any version number from your json file.

Have a nice day.
Sunday, 31 August 2014 23:44
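The "closing doors" hardening described in the post above, written out as an Apache 2.4 virtual-host fragment; this is an added example, not part of the thread or of Komento, and the document root and the allow-listed IP range are placeholders.

```apache
# Added example (not from the thread or from Komento).
# Assumed Joomla document root; adjust to the real path.
<Directory "/var/www/joomla">
    # Files a visitor's browser never requests: manifest, docs,
    # installer and .ini configuration files. Denying them removes
    # version and configuration disclosure without affecting the site.
    <FilesMatch "(?i)^(joomla\.xml|readme\.md|changelog.*|install\.php|.*\.ini)$">
        Require all denied
    </FilesMatch>
</Directory>

# Back end reachable only from an allow-listed range
# (203.0.113.0/24 is a placeholder documentation range).
<Directory "/var/www/joomla/administrator">
    Require ip 203.0.113.0/24
</Directory>
```

The Komento config .json the thread is about is deliberately left out of the deny list: as the post notes, the browser fetches it (it shows in the Network tab), so a deny rule on it would break the component rather than harden it.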
Unfortunately, there's no way to remove this currently, as they are required.
Monday, 01 September 2014 11:11