Viewing 8 posts - 1 through 8 (of 8 total)
  • Author
  • prophoto Friend

    I have a couple of sites with 2.5.9 and Joomla 3.8.2 that never finish when I click "Update S3 File List". I don’t see any errors in the apache log nor any javascript errors. I can’t give backend access, the client won’t allow it. Can you give me some troubleshooting steps to figure out whats going on?

    prophoto Friend

    I was just looking through my server logs and see 30000 hits to this url over the last 24 hours. I had let the update run since it was taking a while hoping it would complete but it never did.


    Mo0nlight Moderator


    Kindly share the URL and admin login info so I can check for you.

    prophoto Friend

    As stated in OP I cannot do that.

    prophoto Friend


    Mo0nlight Moderator
    This reply has been marked as private.
    mobri2a Friend

    Please do not ever post your keys in a public forum. I strongly advise that you rotate and delete that key immediately, and since you are the moderator, delete the post with your account ID.

    I tried out this extension yesterday. I found some very concerning issues:

    1) It appears that it requires S3 admin access to the entire account

    2) It uses accesskey and secretkey stored on the web server. Are they encrypted? How are they protected?

    3) UI asks for account number. You do not need it. This is also a dangerous practice. (it is not a required field, but this is not clear. Call it something else and let users know not to put their actual account number here)

    4) There is no provision for using EC2 roles instead of keys

    5) With a modest number of buckets, the sync process kills my (t2.micro) instance EVERY TIME.

    What I recommend changing:

    • Drop the functionality for creating, deleting buckets. You don’t need it and I’m not comfortable enough with Joomla security to open S3 access to the degree required by the current extension.
    • At the very least, make it so that the user can specify an IAM credential with access to a specific bucket/key. You don’t need bucket access. You need access to a key within a bucket. Great ideas, but descope, increase security.
    • Enable use of EC2 roles for those of us running on AWS
    • Store the access keys encrypted when you have to use them at all.
    • Revisit the sync process so it doesn’t kill small servers
    • This reply was modified 1 year, 5 months ago by  mobri2a.
    Saguaros Moderator

    Hi @mobri2a,

    Many of our users use this component and there is not any report for the security issue yet, pls don’t worry. Your idea is great, we appreciate that. I will share with the team for further consideration.


Viewing 8 posts - 1 through 8 (of 8 total)

This topic contains 7 replies, has 4 voices, and was last updated by  Saguaros 1 year, 5 months ago.

We moved to new unified forum. Please post all new support queries in our New Forum