
#10158 security exceptions "triggered" by email buttons - solution

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: n/a
PHP version: n/a
Admin Tools version: n/a

Latest post by nicholas on Saturday, 17 December 2011 16:49 CST

user53260
I've got a lot of security warnings triggered by the "template= in URL" rule. Finally all IPs have been blocked by Admin Tools. When I checked the IPs they appeared to belong to 3 search bots, including Google.

So, I checked my page and found that URLs of all my "send to friend" email icons look like
/component/mailto/?tmpl=component&template=my_template&link=6ab59eedd404da85e00b2e568b986b8bbe7b28ea


It seems that "&template=my_template" is the bad guy here :)

So, in my robots.txt I added
# Do not index email to friend button
Disallow: /component/mailto/*
Disallow: /index.php?option=com_mailto*


Moreover, I changed
<?php echo JHtml::_('icon.email', $this->item, $params); ?>

to
<?php echo JHtml::_('icon.email', $this->item, $params, array('rel' => 'nofollow')); ?>
in all my files in the /templates/my_template/html/com_content/ folder.

It's funny but tag rel="nofollow" is added by default by Joomla core code to the print button, but not to the email one.

Hope all I did is correct :)

nicholas
Akeeba Staff
Manager
All you have to do is to check the "Allow site templates" checkbox, as mentioned in our documentation:

Enabling this option partially overrides the previous option (the blocking of template=foo in the URL). If the template= URL query parameter specifies the name of a template which exists in your template directory, then it will be allowed without raising a security exception. This is required only on sites which are using more than one template at the same time. What we mean by that is that you can go to Joomla!'s back-end, go to Extensions, Templates and assign any of the installed templates to any number of menu items. When you do that, several core components –including com_mailto, powering the "send this page by email" icon in your articles– have to append template=yourDefaultTemplateName to the URL. This would cause your site to throw security exceptions whenever a legitimate visitor would, for example, try to send an article by email to a friend of his. By enabling this option you prevent this security exception from being raised.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
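The behaviour Nicholas quotes from the documentation (block any template= query parameter, unless "Allow site templates" is on and the value names a template that actually exists in the templates directory) can be illustrated with a small stand-alone check. This is an added example, not Admin Tools' own code: the function name shouldBlockTemplateParam, the temporary templates directory it creates, and the sample query strings are all constructed for the demo, and the only URL it parses is the com_mailto link from the ticket above.

```php
<?php
// Added example (not Admin Tools' own code): emulates the "template= in URL"
// rule together with the "Allow site templates" option described above.
// Assumptions: $templateDir is the site's templates directory, and a
// template is "installed" when a directory of that name exists in it.

declare(strict_types=1);

/**
 * Decide whether a request carrying ?template=<value> should raise a
 * security exception.
 *
 * @param array  $query              Parsed query parameters of the request
 * @param string $templateDir        Directory holding the site templates
 * @param bool   $allowSiteTemplates State of the "Allow site templates" option
 *
 * @return bool true if the request should be blocked (security exception)
 */
function shouldBlockTemplateParam(array $query, string $templateDir, bool $allowSiteTemplates): bool
{
    // No template= parameter at all: nothing for this rule to do.
    if (!array_key_exists('template', $query)) {
        return false;
    }

    // Option off: original behaviour, any template= in the URL is blocked.
    if (!$allowSiteTemplates) {
        return true;
    }

    $value = (string) $query['template'];

    // Accept only a plain directory name. Slashes, backslashes, "." and ".."
    // never reach is_dir(), so the lookup cannot leave $templateDir.
    if ($value === '' || $value === '.' || $value === '..'
        || !preg_match('/^[A-Za-z0-9_.-]+\z/', $value)) {
        return true;
    }

    // Allowed only if a template directory with exactly that name exists.
    return !is_dir($templateDir . DIRECTORY_SEPARATOR . $value);
}

// Constructed demo: a throw-away templates directory holding one template,
// named like the one in the ticket.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'at_demo_templates_' . getmypid();
mkdir($tmp . DIRECTORY_SEPARATOR . 'my_template', 0700, true);

// The com_mailto link from the ticket, parsed into its query parameters.
$url = '/component/mailto/?tmpl=component&template=my_template&link=6ab59eedd404da85e00b2e568b986b8bbe7b28ea';
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);

$checks = [
    'option off, existing template' => shouldBlockTemplateParam($query, $tmp, false),
    'option on, existing template'  => shouldBlockTemplateParam($query, $tmp, true),
    'option on, unknown template'   => shouldBlockTemplateParam(['template' => 'other'], $tmp, true),
    'option on, path-like value'    => shouldBlockTemplateParam(['template' => '../index.php'], $tmp, true),
    'no template parameter'         => shouldBlockTemplateParam(['tmpl' => 'component'], $tmp, true),
];

foreach ($checks as $label => $blocked) {
    printf("%-32s %s\n", $label, $blocked ? 'security exception' : 'allowed');
}

// Clean up the constructed directory.
rmdir($tmp . DIRECTORY_SEPARATOR . 'my_template');
rmdir($tmp);
```

Run it with `php demo.php`. The mailto link from the ticket is blocked when the option is off and allowed when it is on, because my_template exists; an unknown template name, or anything that is not a bare directory name, still raises the exception, which is the narrowing the documentation describes: the option does not switch the rule off, it only whitelists names of installed templates.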

user53260
Thanks! It worked (either my fixes or your suggestion, or both). In any case, my post also referred to SEO, as Joomla seems not to care about it too much :)

nicholas
Akeeba Staff
Manager
I know that my workaround works. I've been able to replicate that many times. And yes, Joomla!'s SEO sucks. The email and print buttons' URLs should not be indexed by search engines (among other things, it's duplicate content).

Nicholas K. Dionysopoulos
