#11680 Reason: tmpl= in URL when using IE6

Posted in ‘Admin Tools for Joomla! 4 & 5’
Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Friday, 23 March 2012 13:56 CDT

user55627
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? No
Have I searched the tickets before posting? YES
Have I read the documentation before posting (which pages?)? yes
Joomla! version: (unknown) 2.53
PHP version: (unknown)
MySQL version: (unknown)
Host: (optional, but it helps us help you)
Admin Tools version: (unknown) latest

Description of my issue:

I seem to be getting a lot of "Reason: tmpl= in URL" emails. I've found that whenever my site is loaded with an IE6 browser, this happens.

Why?

nicholas
Akeeba Staff
Manager
This only occurs when there is a tmpl=something in the URL, as per the documentation:
One of the lesser known Joomla! features are its system templates. Whenever an error occurs or you put your site offline, Joomla! loads the respective system template. Passing the name of the template in the URL by appending, say, ?tmpl=offline allows you to test those templates without having to actually produce an error or put your site off-line. For a live example, have fun with http://www.joomla.org/?tmpl=offline. Enabling this option will turn off this hidden Joomla! feature. Do note that tmpl=system and tmpl=component must be permitted (see next option), as they are required by some extensions to work.


The browser used to access the site is irrelevant. Maybe this happens because a wannabe hacker is pretending to be using IE6?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user55627
OK, thanks for the explanation.

It would be helpful for me, though, to see the query string used when an exception email is sent. Would that be possible to add?

Reason:
QUERY_STRING :
option=com_artist&idgalery=-1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsEleCt%2F%2A%2A%2F1%2C2%2C3%2C0x33633273366962%2C5%2C6%2C7%2C8%2C9%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--

nicholas
Akeeba Staff
Manager
This thing looks like an attack on your site. I don't think you should allow that kind of stuff through Admin Tools, unless you really want your site to get hacked.

PS: The full details of an attack are always available in the log. The email is there just to give you a heads up and prompt you to take a look at the log.

user55627
OK, understood.

Regarding your P.S... I manage TONS of sites and I get these exceptions regularly. If I had to log in to each site to see the query strings, it would take forever. So, my suggestion is a feature request. Putting as much info on the email makes the product that much better and that much more helpful to folks like me.

Just my 2 cents.

nicholas
Akeeba Staff
Manager
I can also imagine the possibility of the URL query string triggering a bug in your mail client, causing it to run unsafe JavaScript, which will end up getting your PC hacked. When the URL is shown in the backend of the component, it is properly escaped so that this won't happen with your browser. Unfortunately, it can't be escaped when emailed. Therefore I'd rather not implement that feature for your own safety.

user55627
Here is a dump that I get from the program I used prior to Admin Tools. I don't need this much info... and I don't need the entire URL string... just what follows the domain:

** Union Select [GET:id] => -1/**/uNiOn/**/sELeCt/**/0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962/**/from/**/jos_users--
** Table name in url [GET:id] => -1 -- 0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962 from jos_users--
** Union Select [REQUEST:id] => -1/**/uNiOn/**/sELeCt/**/0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962/**/from/**/jos_users--
** Table name in url [REQUEST:id] => -1 -- 0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962 from jos_users--

**PAGE / SERVER INFO

*REMOTE_ADDR :
173.xxx.xxx.40

*HTTP_USER_AGENT :
Mozilla/5.2 (Windows; U; Windows NT 5.2; en-EN) Gecko/20080919 Firefox/3.5.6

*REQUEST_METHOD :
GET

*QUERY_STRING :
option=com_press&task=view_details&id=-1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users--

** SUPERGLOBALS DUMP (sanitized)

*$_GET DUMP
 -[option] => com_press
 -[task] => view_details
 -[id] => -1 -- 0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962 from -- users--

*$_POST DUMP

*$_COOKIE DUMP

*$_REQUEST DUMP
 -[option] => com_press
 -[task] => view_details
 -[id] => -1 -- 0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962,0x33633273366962 from -- users--

nicholas
Akeeba Staff
Manager
I stand by my previous remark.

user55627
So you believe that this unlinked text will cause a bug or unsafe JavaScript on an email client?

*QUERY_STRING :
option=com_press&task=view_details&id=-1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users--


user55627
I think I found the problem regarding IE6. RocketTheme templates (and others) have a config that can be set that redirects users to an "IE6 is not supported" splash screen. When that happens, it adds this to the end of the URL: http://www.mysite.com/?tmpl=unsupported

I think that's why I'm getting all of these errors. I'm assuming that adding "unsupported" to the allowable list should resolve this issue.

nicholas
Akeeba Staff
Manager
Well, that particular URL would not cause a problem but, say, all URLs blocked by XSSShield have the potential to trigger such an issue. Maybe I'm being a little too paranoid, but I'd rather be safe than sorry.

Regarding the IE6 redirection, yes, adding that to the list of allowed tmpl keywords will solve it. This is exactly why I added that feature :)

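An added illustration of the two checks discussed in this ticket, not Admin Tools' own code and not part of any post: a tmpl= allow-list check, and detection of a UNION SELECT whose keywords are separated by inline SQL comments. The function names, the "union select" label, the case-insensitive tmpl comparison and the sample query strings are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs

# From the documentation quoted in the thread: these two must stay permitted.
DEFAULT_TMPL = frozenset({"component", "system"})

SQL_COMMENT = re.compile(r"/\*.*?\*/", re.S)  # inline /* ... */ comments
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)


def normalise(value):
    """Turn inline SQL comments into spaces and collapse whitespace runs."""
    return re.sub(r"\s+", " ", SQL_COMMENT.sub(" ", value)).strip()


def classify(query_string, allowed_tmpl=DEFAULT_TMPL):
    """Return sorted (reason, parameter) findings for one raw query string."""
    findings = set()
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        for value in values:  # parse_qs has already percent-decoded the value
            if name == "tmpl" and value.lower() not in allowed_tmpl:
                findings.add(("tmpl= in URL", name))
            if UNION_SELECT.search(normalise(value)):
                findings.add(("union select", name))  # hypothetical label
    return sorted(findings)


# Constructed sample query strings (not taken from any real log).
SAMPLES = [
    "tmpl=unsupported",
    "option=com_content&view=article&id=7&tmpl=component",
    "option=com_example&id=-1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsElEcT%2F%2A%2A%2F1%2C2--",
]


def triage(samples, allowed_tmpl=DEFAULT_TMPL):
    """Map each query string to its findings."""
    return {qs: classify(qs, allowed_tmpl) for qs in samples}


if __name__ == "__main__":
    for qs, found in triage(SAMPLES).items():
        print(found, qs)
    # Same request after adding the template's keyword to the allow-list.
    print(triage(SAMPLES, DEFAULT_TMPL | {"unsupported"})["tmpl=unsupported"])
```

Matching the pattern against the decoded value without `normalise()` finds nothing, because the comments stand in for the whitespace the pattern expects.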
