#10041 CSRF Shield

Posted in ‘Admin Tools for Joomla! 4 & 5’
Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Monday, 03 October 2011 14:08 CDT

earthrat
I am wondering if I am blocking the new search feature I have installed? I am using the ROkAjaxSearch and am getting a CSRF Shield block on what appears to be this search tool. Can you tell me if I am seeing this correctly and if so what do I need to do to not block this tool?

Here is the page that is being blocked:

http://www.colormatters.com/index.php?type=raw&option=com_search&view=search&searchphrase=any&ordering=newest&limit=10&searchword=hff&tmpl=component&r=1317090915587

earthrat
I have confirmed that in fact the CSRF/Anti-spam form protection (CSRFShield) is causing anyone who uses the RokAjaxSearch tool to be blocked from the site. I have turned it off for now in hopes that I can learn a solution to fix this.

nicholas
Akeeba Staff
Manager
This happens because RokAjaxSearch is doing a POST instead of a GET (it doesn't modify information, it should do a GET) and it skips fields from the form. In CSRFShield we are injecting an invisible "honeypot" text field. If a robot is filling in the form, this contains data and the spambot is blocked. We only perform this check on POST, PUT and DELETE requests, i.e. data modification requests. So, IMHO, RokAjaxSearch is in the wrong, as it misuses the request type. In this case, the only workaround is to turn off the CSRFShield.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
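
What the check Nicholas describes above looks like in code, as an added illustration that is not Admin Tools' own implementation: a hidden "honeypot" field is injected into rendered forms, GET requests are never inspected, and POST/PUT/DELETE requests are only accepted when the field comes back present and empty. The field name, the function names (renderHoneypotField, isRequestAllowed) and the four sample requests are constructed for this example; treating a missing field as a block is an assumption made here that matches the behaviour reported in the ticket.

```php
<?php
// Added example, not Admin Tools' code: a minimal honeypot check of the kind
// described in the ticket. All names and sample requests are constructed.

// Field name injected into every rendered form. A real implementation would use a
// randomised, per-site name; the fixed constant is an assumption made for brevity.
const HONEYPOT_FIELD = 'hp_contact_email';

// Server side, when rendering a form: emit a text input that humans never see.
// Browsers submit it empty; form-filling bots tend to populate it.
function renderHoneypotField(): string
{
    return '<input type="text" name="' . HONEYPOT_FIELD . '" value="" '
        . 'style="position:absolute;left:-9999px" tabindex="-1" autocomplete="off">';
}

// Server side, on every request: decide whether the check applies and whether
// the request passes it.
//   - GET/HEAD/OPTIONS are read-only and are never inspected (the ticket says the
//     check is only done on POST, PUT and DELETE).
//   - For data-modifying methods the field must be PRESENT and EMPTY.
//     Present and filled => a bot filled the hidden field       => blocked.
//     Missing entirely   => the client did not submit the form   => blocked
//                           as rendered (RokAjaxSearch's case).
function isRequestAllowed(string $method, array $body): bool
{
    $checkedMethods = ['POST', 'PUT', 'DELETE'];
    if (!in_array(strtoupper($method), $checkedMethods, true)) {
        return true;
    }
    if (!array_key_exists(HONEYPOT_FIELD, $body)) {
        return false;
    }
    return trim((string) $body[HONEYPOT_FIELD]) === '';
}

// Constructed sample requests, one per case.
$samples = [
    'read-only search via GET'         => ['GET',  ['searchword' => 'hff']],
    'human submits rendered form'      => ['POST', ['searchword' => 'hff', HONEYPOT_FIELD => '']],
    'bot fills every field'            => ['POST', ['searchword' => 'hff', HONEYPOT_FIELD => 'bob@example.invalid']],
    'ajax POST that skips form fields' => ['POST', ['searchword' => 'hff']],
];

foreach ($samples as $label => [$method, $body]) {
    printf("%-34s %s\n", $label, isRequestAllowed($method, $body) ? 'allowed' : 'blocked');
}
```

The last sample is the situation in this ticket: a read-only search sent as a POST without the injected field. Nothing in the honeypot logic can distinguish that from a client that deliberately strips fields, which is why the remedy lies with the component (use GET for a search that modifies nothing, or submit the form as the server rendered it) rather than with the shield.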

slaes
I'm fed up with the same, POST where it should be GET, I'm over it.

what is wrong with ppl! instead of RokAjaxSearch it should be RokInHead!

earthrat
I am with you Slaes and I don't GET it either. Nico, I thought the search tool on this site was RokInTheHead?

slaes
lol hard!

I might start SEO'ing "RokInTheHead", maybe we can start a fad, it's got a ring to it ;)

nicholas
Akeeba Staff
Manager
Yeah, the search box is that terrible RokInTheHead crap, but it's on its way out. I just didn't have any time to give it a shot in the head and a proper burial yet :D

earthrat
LOL, that's why I used it because it was catchy..;) Naw, I Googled it but only got some funky band.

That's too bad that it does not work though, I really like how it functions. So there is no workaround to make this tool work other than telling the dev to use GET? I will do some digging on this and see if it can be modified.

If you know of a better search tool please share with us. Joomla search has always been hit and miss with my projects and I thought with this tool I had finally found one that fit well but if it makes me vent security it must go...;(

nicholas
Akeeba Staff
Manager
I will take a look at Anything Digital's Advanced Search. It promises to be much better than plain ol' Joomla! search. Another thought is waiting for Joomla! 2.5 which will include a rewritten version of JXtended Finder. Both solutions are proper, indexed search engines, not a semi-chaotic collection of plugins which will return results which may or may not have anything to do with your search terms.

Did I mention that Joomla! has a real issue with searching stuff? I found that searching on Google with site:akeebabackup.com always yields infinitely better results than Joomla!'s own search. He he!

earthrat
Thanks Nico, I wish waiting was an option and that feature sounds great (can't wait!). I took a look at that search tool and it looks good but I hate to add more cost to this project. Please let us know what you think of this tool. I value your opinion and have never been sent down a blind path with your suggestions...;)

earthrat
Between JXtended Finder and Anything Digital which would you say is the best way to go? Is JXtended Finder what you are using on this site now?

nicholas
Akeeba Staff
Manager
Right now I'm not using anything. Since Finder is going to be implemented in Joomla! 2.5 (scheduled for January 2012, just three months out) I wouldn't spend any money on it and simply wait. If it doesn't work very well, I will certainly evaluate Anything Digital's solution.

earthrat
Thanks Nic, I must have coughed and ended up purchasing the Anything Digital tool. Now I am in a holding pattern because it will not install and throws a weird error I have never seen before.

"HTTP Error 500 (Internal Server Error): An unexpected condition was encountered while the server was attempting to fulfill the request."

Found someone else with this problem so waiting to hear back about what it might be. Not the first time I have had issues with an extension from these guys though so not unexpected...;)

earthrat
Well if you are running 1.7 don't waste your time. The extension is not ready for it yet. You would think that all the top developers would already be on board with the new version by now!

nicholas
Akeeba Staff
Manager
Aw, snap! Really? JX Finder is also not ready for 1.7 (it's 1.5 only). All the work being done on it for integration with Joomla! 2.5 is basically rewriting it to be compatible with post-1.6 Joomla!. So, we're kinda stuck :s

earthrat
LOL, yeah this really sucks big time. This site I have been working on for 18 months just went live and it is a very high profile site and search is at its core. Without that I am basically screwed and I am mad at these developers for not offering updated versions, but I am even more ticked that the integrated search for Joomla sucks and has always been a thorn in my backside!

slaes
Dude,

I've been working on this site with literally millions of juicy listings and after literally S*IT loads of research, I decided on Lucene Solr. At this point I'm just testing, but all I can say is WOW! Maybe worth a look.

http://lucene.apache.org/solr/

earthrat
WOW, this does look awesome! Did you see the extension for Joomla?

http://www.solrhq.com/solrhq-for-cms/joomla-extension-for-solr-and-solrhq/

earthrat
Thanks Slaes but after reading more on this I don't think it is viable for my needs and I would not try to install this on a production server with 200 websites. I will set up a testing server and give this a go and maybe sell these services...;)

slaes
It's definitely best to familiarise yourself with it before trying to roll it out. We're using it with Apache Nutch and so far I'm pretty much blown away by its performance. It requires some pretty intimate knowledge and testing time, but well worth it. My 2 cents.

earthrat
Thanks for sharing this, I am for sure going to be testing it. If you have any more details on this please share them with me. You can email me at kevin at nwidesigns dot com...;)

earthrat
In regard to the Advanced Search tool I am getting help from the developer now and it appears that this is an issue with Joomla 1.6 that apparently has followed this site to its current state.

The beta of this extension proves this bug is still part of Joomla and gave me the infamous cannot create admin menus warning. I am gonna be really ticked if I have to rebuild this site on a fresh copy!

Anyway I stand corrected and the search tool does work on Joomla 1.7 (just not from a 1.6 upgrade).

nicholas
Akeeba Staff
Manager
That infamous bug can be worked around. Take a look at Akeeba Backup's installation troubleshooting. See the first section, titled "Joomla! 1.6 installation problems". Follow them, substituting com_akeeba with your component's name. If you try it a couple of times, it WILL work.

Experience says this: the first time you do that, you'll see that you have some other kind of issue, e.g. an unwritable path. Fix the problem, do the db delete operations again, retry. You might stumble into yet another problem. Repeat this procedure until you fix all of the real problems and the extension installs.

BTW, I did make a patch to work around that. It was rejected. In all fairness, it was a very crude way of doing that, but at least it was a working workaround for the failed cleanup upon an error during a component's installation which triggered this bug. We'll just have to wait for a proper solution. Oh, well... :p

earthrat
You truly are a Greek God!

I followed your tutorial and fixed this in short order and now I can test the power of Advanced Search...;)

Thanks Nic, you are the best!!

nicholas
Akeeba Staff
Manager
Woot! Jeff from Anything Digital's support was just on Twitter and he confirmed the fix too. He'll be reusing my installer magic to make sure these issues will be a thing of the past ;)

earthrat
Yes, he messaged me and is really happy for your help on this. You truly are a CODE PIMP!!! ROFLMAO!

nicholas
Akeeba Staff
Manager
LoL! Well, I'm glad it's all working now :)