#10040 Issue after last upgrade with JoomFish

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by happythorntons on Thursday, 29 September 2011 15:48 CDT

french150
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the forum before posting? Yes
Have I read the documentation before posting (which pages?)? No
Joomla! version: 1.5.23
PHP version: (unknown)
MySQL version: (unknown)
Host: (optional, but it helps us help you)
Admin Tools version: last


Description of my issue: Today I upgraded Admin Tools Professional to the latest version. Once I did, I get this problem only when I am logged in to the site. If I choose the English language (via the JoomFish multilanguage selector module), the page is shown correctly in English. If I click on the Spanish flag, I get a 404 error. If I install version 2.16 of Admin Tools, everything works fine.
Why?

nicholas
Akeeba Staff
Manager
Can not replicate. Joomla! 1.5.23, Admin Tools 2.1.8, JoomFish 2.0.3. First, make sure that the System - Admin Tools plugin is published before any and ALL system plugins on your site. If you are using the .htaccess Maker, please try going to the .htaccess Maker and clicking on the "Save and create .htaccess" button.

If the problem persists, please give me an example of a working and a non-working URL, as well as attach a screenshot of the exact 404 error page you are receiving on your site.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

french150
If I save and create the .htaccess, I get a 500 server error.
The plugin is published almost first in the system list, because I have to publish another system plugin of an ACL component first to avoid another problem. This was already tested with the preceding Admin Tools version and it worked fine.

nicholas
Akeeba Staff
Manager
I found out what the problem was, even though I was unable to replicate it locally. The system plugin in 2.1.7 and 2.1.8 parses the URL before applying exceptions. It seems that under some circumstances this doesn't work and makes Joomla! believe there is a 404 error. I have now found a workaround to this problem (tested on another affected site) and will release version 2.1.9 today.


french150
Okay, thanks. So for now I install the 2.1.7 or 2.1.6 version?

nicholas
Akeeba Staff
Manager
Wait 20 minutes and you'll be able to install 2.1.9


french150
Hello. I have already installed the latest 2.1.9 version, but the issue continues. Please consider that I deleted the browser and Joomla cache. Could you check on my site, please?
Thanks

nicholas
Akeeba Staff
Manager
Sure. Just send me a PM with your site login information and FTP connection details. Use the Personal Messages link on the right-hand box. I am user Nicholas.


french150
I have sent it to you now.
Thanks

nicholas
Akeeba Staff
Manager
It looks like I have to roll back the entire WAF exceptions feature. Please check out the dev releases tomorrow.


french150
So I install the 2.1.6 version for now?

nicholas
Akeeba Staff
Manager
Yes.


french150
Hello. I noticed that you released the 2.1.10 version. Does this fix this issue?
Thanks

nicholas
Akeeba Staff
Manager
Yes, it should. I have removed the entire feature (WAF Exceptions) which was causing the problems.


french150
So you'll shortly release a new version with new WAF exceptions, correct?
Maybe it's better to stay with the 2.1.6 version? What do you suggest?
Thanks

nicholas
Akeeba Staff
Manager
No, WAF Exceptions are gone for good. They suffered from Catch-22. Here's the deal. In order to apply the exceptions, you need to know which component and view is currently running. In order to do that, you need to run the router. But if the router runs before you scan for XSS and SQL injections, your site is vulnerable. Moreover, you can't reliably (as I found out the hard way...) run the router BEFORE its plugin fires - hell breaks loose. So, there you have it. That feature's gone. There's no point in supporting a feature which either doesn't work, crashes the site or diminishes the security of your site. It's pointless. And it's removed. So go with 2.1.10.


happythorntons
Hi Nicholas,

Thanks for the update. So, for those who have needed the WAF Exceptions to allow components to work, what is the best way forward?

Can we achieve this in another way without compromising our site security?

Many thanks!

nicholas
Akeeba Staff
Manager
The WAF Exceptions never really worked, so I don't anticipate any issues. I removed a non-working feature which could only cause problems and solve none.

If I see that people do need to add exceptions, I might do it the cheesy way, i.e. filtering by URL and not by component. I say "cheesy" because a component may be accessed as index.php?option=com_foobar (non-SEF), index.php/component/foobar (SEF without mod_rewrite), /component/foobar (SEF with mod_rewrite), index.php/menu_alias_to_foobar (menu with SEF, without mod_rewrite), /menu_alias_foobar (menu with SEF, with mod_rewrite), with or without a .html suffix. That's at least nine different URLs to get you to the same page. So, it's perfectly possible that using URLs to determine exceptions will not work. Having the Admin Tools system plugin run after the SEF router (which could solve the problem) exposes the system to a series of nasty SQL injection and XSS potential vulnerabilities in the router logic itself. Any way you look at it, it's a lost battle until Joomla! implements a proper Unified Content Model (UCM) like Drupal.

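The URL forms listed in the reply above, run through an exception check that sees only the raw URL and never runs the router. This is an added example, not code from Admin Tools or from the post; `com_foobar`, the sample URLs and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample URLs: the access forms named in the reply, for a
# hypothetical component com_foobar (with and without the .html suffix).
SAMPLE_URLS = [
    "/index.php?option=com_foobar",     # non-SEF
    "/index.php/component/foobar",      # SEF without mod_rewrite
    "/component/foobar",                # SEF with mod_rewrite
    "/component/foobar.html",           # same, with suffix
    "/index.php/menu_alias_to_foobar",  # menu item, SEF, no mod_rewrite
    "/menu_alias_foobar",               # menu item, SEF, mod_rewrite
    "/menu_alias_foobar.html",          # same, with suffix
]


def component_from_url(url):
    """Guess the component from the raw URL only (no router involved).

    Returns 'com_xxx', or None when the URL alone does not reveal it.
    """
    parts = urlsplit(url)
    option = parse_qs(parts.query).get("option")
    if option:
        return option[0]
    segments = [s for s in parts.path.split("/") if s]
    if segments and segments[0] == "index.php":
        segments = segments[1:]
    if segments and segments[-1].endswith(".html"):
        segments[-1] = segments[-1][: -len(".html")]
    if len(segments) >= 2 and segments[0] == "component":
        return "com_" + segments[1]
    # A menu alias maps to a component only through the site's menu table,
    # which is exactly what the router consults.
    return None


def exception_applies(url, excepted_components):
    """True when a URL-only filter would recognise the excepted component."""
    return component_from_url(url) in excepted_components


def coverage(urls, excepted_components):
    """Map each URL to whether the exception would be applied to it."""
    return {u: exception_applies(u, excepted_components) for u in urls}


if __name__ == "__main__":
    for url, hit in coverage(SAMPLE_URLS, {"com_foobar"}).items():
        print(f"{'exception applied' if hit else 'NOT recognised   '}  {url}")
```

Every menu-alias form falls through unrecognised, so the same page is exempted or filtered depending on which link the visitor followed.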

happythorntons
Thanks Nicholas for the explanation, it is very much appreciated.

I currently have a component being blocked by the WAF, so am trying to find a way around it, and the WAF Exceptions aren't working for me (I'd assumed it was because I hadn't configured something correctly).

I'll check the forums again to see if I can find a solution.

Many thanks again!
