#11503 Secret URL parameter = security exception

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Sunday, 11 March 2012 04:11 CDT

user774
This seems to be a problem with other security extensions I've used in the past too -- using a secret admin URL parameter can get picked off by a firewall, and this is exactly what happens if you use the secret URL and WAF in Admin Tools.

What is the best way to work around this, without taking away the secret URL or WAF filtering on the admin login?

The method I usually use is not ideal -- whitelisting administrators. Some ISPs that assign IPs dynamically change them considerably -- and often.

Is there some way to whitelist the secret URL or its parameter? Can this be done with a WAF exception?

From the documentation, my understanding is that you can exclude a query parameter for "password." However, instead of just acting on the backend login form, this will stop the firewall from acting on *any* password parameter submitted by *any* form that has one. Is that correct?

Ideally I'd like to block the WAF from filtering any login attempt on the backend login form if the correct secret URL parameter is used.

nicholas
Akeeba Staff
Manager
I really do not understand what firewall you are talking about. Do you mean your server's firewall, i.e. mod_security? If this is the case, it's a server configuration issue, not a WAF issue.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user774
Sorry, I was talking about the WAF, but it occurs to me that it may be Bad Behavior that doesn't like the "secret URL" parameter. I've used a couple of "firewalls"/bad query filters before that often trip over /administrator?xyzabc ... my assumption has been WAF is doing the same thing.

nicholas
Akeeba Staff
Manager
Normally it shouldn't. Something like that has never been reported, and this feature has been available for over 18 months. Statistically speaking, it's very unlikely that something like that happens. In any case, when WAF blocks something, it adds an entry to the Security Exceptions Log. If you've also set up an email address to be notified on security exceptions, you'll be receiving an email as well. In the absence of both, any kind of back-end block doesn't come from WAF. Very strict mod_security settings can, however, block the request. Finally, if you have non-alphanumeric characters in your secret word, please note that you have to URL escape them when using the secret word, as per our documentation instructions.

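An added illustration of the URL-escaping point above (example code, not Admin Tools' own implementation): a stand-in check that treats the secret word as a bare query-string key, as in the `/administrator?xyzabc` form mentioned in this ticket, and shows why a secret containing `&` or `#` only passes when it is percent-encoded. The host name and the secret values are constructed.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Assumed shape of the check (illustrative only): the secret word must appear
# as a key in the query string of the /administrator URL.
def has_secret_param(url: str, secret: str) -> bool:
    """Return True if `secret` is present as a query-string key in `url`.

    parse_qs percent-decodes keys, so a secret with URL-special characters
    only matches when the client sent it percent-encoded.
    """
    parts = urlsplit(url)
    keys = parse_qs(parts.query, keep_blank_values=True)  # bare key has no '='
    return secret in keys


def admin_url(secret: str, base: str = "https://example.invalid/administrator") -> str:
    """Build the back-end URL with the secret word percent-encoded as a bare key."""
    return f"{base}/?{quote(secret, safe='')}"


def demo() -> dict:
    base = "https://example.invalid/administrator"
    plain = "xyzabc"          # constructed: alphanumeric secret, no escaping needed
    tricky = "s3cr&t#w"       # constructed: '&' splits parameters, '#' starts a fragment
    return {
        "plain_ok": has_secret_param(f"{base}/?{plain}", plain),
        # Sent raw, the secret is split into keys 's3cr' and 't' and the check fails.
        "tricky_raw": has_secret_param(f"{base}/?{tricky}", tricky),
        # Percent-encoded, the key round-trips to the original secret and the check passes.
        "tricky_escaped": has_secret_param(admin_url(tricky), tricky),
        "escaped_url": admin_url(tricky),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```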

user774
This is exactly what happens -- anyone browsing to the backend login form shows up in the exception log for "admin query string" (which triggers the email notification) and eventually they get blocked.

I had this happening recently on two different hosts using the latest stable release of Admin Tools, and once it even blocked an IP on the exception whitelist and configuration settings whitelists. Normally this does not happen.

Both of these sites are now using the latest developer release because I was getting an error screen when I tried to open WAF Exceptions in the stable release. This problem is absent in the developer release, and the WAF seems to be working properly too, except now WAF completely fails to require the secret URL parameter on one of these two sites. (I am guessing this may be due to this site using Cloudflare, since the WAF blocking seems to interact poorly with it. When WAF blocks a request, CloudFlare seems to keep waiting for a result and will display its own "site down" screen after a while.)

In sum:
  • Version 2.2.0 - Admin query string of any type creates an exception, unless the user is whitelisted. (But occasionally the whitelist seems to fail.)
  • Version revAD022B1 - Secret URL parameter is ignored, possibly due to Cloudflare.


System1 info:
Host: Media Temple Grid Service (it's crap)
PHP Built on: Linux n21 3.2.6mtv10 #1 SMP Thu Mar 1 07:38:49 PST 2012 x86_64
Database Version: 5.1.55-rel12.6
Database Collation: utf8_general_ci
PHP Version: 5.3.10
Web Server: Apache/2.0.54
Web Server to PHP interface: cgi-fcgi
Joomla! Version: Joomla! 1.5.25 Stable [ senu takaa ama mamni ] 14-November-2011 18:00 GMT
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11

System2 info:
Host: Site5 reseller shared hosting
PHP Built on: Linux r5-chicago.webserversystems.com 2.6.32.46-grsec #1 SMP Thu Sep 1 14:04:36 BST 2011 x86_64
Database Version: 5.0.92-50-log
Database Collation: utf8_general_ci
PHP Version: 5.2.17
Web Server: Apache
Web Server to PHP interface: cgi
Joomla! Version: Joomla! 1.5.25 Stable [ senu takaa ama mamni ] 14-November-2011 18:00 GMT
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11

nicholas
Akeeba Staff
Manager
Your Joomla! Administrator pages should NEVER be behind a CDN. If you think about it, you'll realize that it's not only pointless, it's dead wrong and will only cause problems. I cannot support this kind of wrong setup, sorry.


user774
As I said, Cloudflare was only used on one of the affected sites, and it is not in use at the present time on either. This doesn't seem to change anything.

Cloudflare is not a CDN. It gets called a CDN because more people know what that is. Technically Cloudflare is a caching reverse proxy (http://blog.cloudflare.com/what-is-cloudflare), but that may actually make it more problematic in combination with a CMS. Why do you say it shouldn't be used? I've had minor problems with it using Wordpress; less so with Joomla. Cloudflare supports its use with both applications, and it seems wildly popular with WP.

nicholas
Akeeba Staff
Manager
I know exactly how CloudFlare works. Even if I didn't, I am fully competent in using Google ;) CloudFlare is a typical pull CDN. All pull CDNs (the most common form of CDNs, by the way) work as reverse proxies. Essentially, they take the request and will either show a cached page or proxy it to your site. Problem: the way Joomla! cookies are set does not guarantee that they will be passed along when the pull CDN transfers the request back to Joomla!. No cookie = no session = you get blocked.

So, to cut a long story short: I know how a CDN like CloudFlare works and I know why it is a bad idea to have it in front of your administrator area (note: I said NOTHING about the front-end; you can use it with your front-end, BUT NOT YOUR BACK-END).

And that's why when you come and tell me that you are using a pull CDN in front of your administrator area I am obliged to close the ticket and refuse to provide support. The problem you have is due to your server setup, not my software, ergo outside the scope of this support area.

