Show module positions of any Joomla! website?

Written by Peter Martin Wednesday, 17 September 2008

You would like to put some Module at your site but don't know where to put it.... Or "Nice site, is it Joomla! ?"... Or "How did they use some area at that Joomla! site? Is it a Module?"... You can easily find out yourself, without being logged in! 

Add the parameter ?tp=1 behind the URL, e.g. http://www.joomla.org/?tp=1
The following parameters can be used: 0=normal, 1=horiz, -1=no wrapper.

 

Technical background: In Joomla 1.0.15 this functionality is called "function mosLoadModules" and can be found in /includes/frontend.php (Joomla 1.0.15: line 122).

185 Votes

6 Comments

Feed

  1. avatar jimwelchok makes this comment

    2008-09-22 16:34:33

    Could this be considered a SECURITY breach?
    Or at least, a confidential breach?

  2. avatar Chad makes this comment

    2008-10-03 20:03:05

    Not really. It doesn't give you any more information than a tool like FireBug would.

  3. avatar dparker makes this comment

    2008-10-15 20:36:29

    I think the potential security breach is in letting anyone be able to dertermine you are using Joomla! With a custom template and the right set of extensions I can general not give away what I'm using to power the website to most observers.

    This means that anyone in the world (and their scripts?) can walk up to my website and say "please tell me if you are being powered by Joomla!, so that I can start hammering you with all known vulnerabilities and security holes."

  4. avatar Don makes this comment

    2009-05-15 21:47:20

    Is that any harder than going to a site and adding /administrator to the domain? People are much less likely to know to add tp=1 to the domain than "administrator"

  5. avatar casey becking makes this comment

    2009-07-09 22:16:44

    just be smarter than the code

    /*if ($tp) {
echo '<div style="height:50px;background-color:#eee;margin:2px;padding:10px;border:1px solid #f00;color:#700;">';
echo $position;
echo '</div>';
return;
*/}

  6. avatar Mark Matsusaki makes this comment

    2009-09-10 15:45:58

    I agree with Chad - there are tons of ways you could find out what a site is powered by with or without the /?tp=1 switch.

    Simply looking at the source code could tell you much more than this option.

    Bottom line it is not a security hole.

Add Comment


    • >:o
    • :-[
    • :'(
    • :-(
    • :-D
    • :-*
    • :-)
    • :P
    • :\
    • 8-)
    • ;-)

     
    ©2005-2009 Open Source Matters, Inc. All rights reserved.    Joomla Hosting by Rochen Ltd.    Empowered by JXtended    Accessibility Statement    Privacy Policy    Log in