Support

Admin Tools

#10939 How to read Security Exceptions Log

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Tuesday, 14 February 2012 15:06 CST

Thursday, 02 February 2012 13:38 CST

brainynl
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the tickets before posting? yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: 2.5.1
PHP version: 5.2.17
MySQL version: 4.1.20
Host: (webreus.nl)
Admin Tools version: (2.2.a3)

Description of my issue:

In my Security Exceptions logs of 1 site I se a lot of lines with:

template= in URL http://www.notarisweggemans.nl/component/mailto/?tmpl=component&template=architekt_v1&link=67f6d5d667ad1372f35a0eb228cca74eb57a1840

Lots of different IP numbers.

How can I find out what someone is doing? What makes someone make these urls? Where do they want to go on this site or is this a attack?
 Best regards, Hein
brainy.nl

Thursday, 02 February 2012 14:04 CST

nicholas
Hello Hein,

I trust you didn't check the documentation first, right? This is already answered in the Configure WAF documentation page, right below the "Allow site templates" header:
...When you do that, several core components –including com_mailto, powering the "send this page by email" icon in your articles– have to append template=yourDefaultTemplateName to the URL. This would cause your site to throw security exceptions whenever a legitimate visitor would, for example, try to send an article by email to a friend of his. By enabling this option you prevent this security exception from being raised.

I have discovered that com_content may be adding the template parameter to com_mailto URLs even when you only have one active template on your site, if you're using Joomla! 1.7 or later. I would like your feedback on that. Have you enabled multiple templates or is it really com_content doing that template stuff by default?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 02 February 2012 15:44 CST

brainynl
I did read that section, but in first it didn't made sense to me. Now a bit more. I am using just one template in the front end and one in the backend.
This morning I recieved from 1 IP adres 5 of these attempts and that IP adres got blocked. It was a IP in the states and the site is in Dutch. So I still think it is a kind of attack.
When I test the 'send article by email' I see indeed this in the URL:
http://www.notarisweggemans.nl/component/mailto/?tmpl=component&template=architekt_v1&link=891ef76f46******************7b8434a6da92ac0
For safety I put *** in the string.... ;)
And now I see I also got a warning. I must have tested send by email before I used AkeebaPRO...
So yes I only use 1 template with Joomla 2.5.1 and all your stuff up to date 'of course'
 Best regards, Hein
brainy.nl

Thursday, 02 February 2012 15:58 CST

nicholas
No, it's not an attack. Joomla! is putting the template parameter in the URLs of com_email. Unfortunately, you will have to select the option to allow site templates. There is no other workaround :(

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Tuesday, 14 February 2012 13:31 CST

brainynl
Okay, it's been a while, because I was monitoring the amount of warnings. Now I know it's debit to the crawler of Google and now and then someone who send an e-mail. When it's an Dutch IP for just one warning i know it's OK. But when there are more warnings from one IP I other then the Netherlands I know someone i messing up.
Thanks for your comments on this.
 Best regards, Hein
brainy.nl

Tuesday, 14 February 2012 14:33 CST

nicholas
You're welcome!

Off-topic: where does your username come from? I hope you don't mind asking, but "Notis" is actually a greek name and I can't see a relation between it, the Greek connotation (which you most likely ignore), your real name or your site. It got me curious :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Tuesday, 14 February 2012 14:54 CST

brainynl
Whoel story short;
My name is Hein, but my own website goes by Brainy.nl thats why you also can know me as brainynl.
Notis is the company name where I work. We make notary software. (we are full service, so I make also the websites for clients)

NOtary Information Software... thats the Notis,

I am sorry no Greek association, but it's nice you are Greek, to make it more complicated... my wife is from Macedonia.
So I love you all, it makes me a bit more special because I'm just a Dutch guy... ha ha!
 Best regards, Hein
brainy.nl

Tuesday, 14 February 2012 15:06 CST

nicholas
Ha ha! It makes sense! Sorry for having to ask, I just got very curious :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!