I was repeatedly locked out of our site's backend by Admin Tools from AkeebaBackup with the reason: Admin Query String. Their response to my report follows. What can you advise?
The URL tells me everything I need. If you visit it with your browser's developer tools turned on, you will see that there is a plugin written by someone ... trying to call these URLs:
I suppose that "arkbootstrap" and "arktypography" both come from Ark Editor.
Please contact the developers of Ark Editor and explain to them the following:
- com_ajax is a front-end only component. They MUST NOT try to call it in the back-end.
- JUri::base() returns the base URL of the current Joomla application. The frontend and backend of Joomla! are two different applications with different URLs. Their code MUST anticipate that if it's supposed to be executed in both applications.
- Plugins like that MUST NOT run in the administrator login page. The check to ensure so is less than 60 characters long...
These are very basic things any Joomla developer at the level required to write an editor must know. I would like to give them the benefit of the doubt and say these were unfortunate mishaps but I see too many failures in asserting basic Joomla integration and glaring omissions in testing, not in some borderline condition but in the main way the editor is expected to be used! My advice is to not use that editor. When I see so much smoke I expect to see a (security) firestorm in the not so distant future.
- Server type
- Web server type
- ARK product version
- Joomla! version
- PHP Version
- Web browser
- Errors log
- Reason: Admin Query String
- Steps to replicate the issue
- Have the backend open at the login screen (e.g. during a coffee break), but do not log in. Result: locked out!
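As an added example that is not part of the original post, nor code from Ark Editor or Akeeba, here is how a Joomla system plugin can satisfy the three points in the support reply: only act in the site (front-end) application so it never runs on the administrator login page, build its com_ajax URL from the site root rather than from the current application's base URL, and answer com_ajax calls with data. The plugin name "arkdemo" and the namespaced classes (Joomla 3.8 or later) are assumptions.

```php
<?php
// Added example; hypothetical plugin "plg_system_arkdemo", not real Ark Editor code.
// Assumes Joomla 3.8+ (namespaced core classes) and the standard com_ajax component.
defined('_JEXEC') or die;

use Joomla\CMS\Factory;
use Joomla\CMS\Plugin\CMSPlugin;
use Joomla\CMS\Uri\Uri;

class PlgSystemArkdemo extends CMSPlugin
{
    /**
     * Runs before the <head> of an HTML page is compiled.
     * This is where the front-end JavaScript and its endpoint are injected.
     */
    public function onBeforeCompileHead()
    {
        $app = Factory::getApplication();

        // The short check the reply mentions: bail out unless we are in the
        // site application. The administrator application (and therefore its
        // login page) never gets our script or our com_ajax calls.
        if (!$app->isClient('site')) {
            return;
        }

        // Only HTML documents have a <head>; JSON, feed and raw documents do not.
        $doc = $app->getDocument();
        if ($doc->getType() !== 'html') {
            return;
        }

        // Use Uri::root() (the site root, e.g. https://example.com/) rather than
        // Uri::base(), which is https://example.com/administrator/ in the back-end
        // and would point the browser at the protected administrator URL.
        $endpoint = Uri::root()
            . 'index.php?option=com_ajax&plugin=arkdemo&group=system&format=json';

        // Hand the URL to the front-end script via Joomla.getOptions('plg_system_arkdemo').
        $doc->addScriptOptions('plg_system_arkdemo', ['endpoint' => $endpoint]);
        $doc->addScript(Uri::root(true) . '/media/plg_system_arkdemo/js/arkdemo.js');
    }

    /**
     * com_ajax routes ?option=com_ajax&plugin=arkdemo&group=system to this method
     * and serialises the return value as JSON when format=json is requested.
     */
    public function onAjaxArkdemo()
    {
        $app = Factory::getApplication();

        // Defensive: com_ajax is only expected from the site application here.
        if (!$app->isClient('site')) {
            return ['error' => 'not available in this application'];
        }

        return ['ok' => true, 'typography' => ['fontSize' => 16]];
    }
}
```

The client-side script then reads the endpoint from `Joomla.getOptions('plg_system_arkdemo').endpoint` instead of concatenating its own path, so the request always targets the site root. With the `isClient('site')` guard in place, a browser left sitting on the administrator login page never issues a request, which is what triggered the Admin Query String lockout described above.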