Every few months, we get a request to execute a Joomla administrator view from a cron job. For example, a recent request consisted of running an administrator view from a cron job in order to grab data from other sites and save them into the Joomla website. Now, if you have dealt with cron jobs before, you will probably immediately answer that it’s possible, but (as always), there is a catch: How will you run the administrator view without logging in? If you can do that, then there is a major security exploit in Joomla that must be addressed immediately, but you can’t, at least not before reading this post!
So, how do we do run a Joomla administrator view from a cron job at itoctopus?
Well, we do it the following way:
- We login to the backend of the Joomla website and then we create a super user called admincron with a random password.
-
We leverage the power of the defines.php file – that is also loaded by the index.php file located under the administrator folder to do the following:
-
Temporarily disable any security plugins (such as AdminTools, RS Firewall, etc…) by renaming the plugin’s folder to a different name.
-
Load the Joomla environment.
-
Login the user admincron to the Joomla backend.
-
Execute the view.
-
Halt further execution of the script.
-
-
We create the cron job to execute the administrator view.
Here’s the code that we add to the defines.php file:
<?php
$hash = $_GET['hash'];
if ($hash == 'averystronghash'){
// Optional: Disable any firewall plugin by renaming its folder to *_old
rename('../plugins/system/firewallplugin', '../plugins/system/firewallyplugin_old');
//Load the Joomla environment
if (!defined('_JDEFINES'))
{
define('JPATH_BASE', __DIR__);
require_once JPATH_BASE . '/includes/defines.php';
}
require_once JPATH_BASE . '/includes/framework.php';
require_once JPATH_BASE . '/includes/helper.php';
require_once JPATH_BASE . '/includes/toolbar.php';
$app = JFactory::getApplication('administrator');
// Login the "admincron" user to the Joomla backend
$credentials = array();
$credentials['username'] = 'admincron';
$credentials['password'] = '[password]';
$app->login($credentials);
$app->execute();
// Optional: Re-enable any firewall plugin that was disabled at the beginning of the script
rename('../plugins/system/firewallplugin', '../plugins/system/firewallplugin');
// Halt further execution of the script
die();
}
?>
Once you add the above defines.php file, you will be able to load any administrator view on your Joomla website without explicitly logging in. You will also be able to load any administrator view from the cron, by simply adding the following task to your cron job:
/usr/bin/wget "http://www.[yourjoomlawebsite].com/administrator/index.php?option=com_[yourcomponent]&view=[yourview]&hash=averystronghash"
Aren’t there any security implications for doing the above?
Not as long as you are using a very strong hash. Otherwise, you will risk allowing anyone who knows the link (in the cron task above) to login as super user to your Joomla website.
We hope you found this post informative and useful. If you have any questions about it, or if you need help with the implementation, then please contact us. We are always excited for working with new clients and our fees are very affordable!