#12538 WAF not saving, Get Forbidden message

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Monday, 04 June 2012 16:10 CDT

user64118
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the tickets before posting? Yes, found similar but not the same issues.
Have I read the documentation before posting (which pages?)? Yes - PDF doc
Joomla! version: (2.5.4)
PHP version: (5.3.13)
MySQL version: (5.1.62)
Host: (Rochen)
Admin Tools version: (2.2.6)

Description of my issue:

Every time I click on Save on the Configure WAF screen I get the following on a blank error page with the url pointing to /administrator/index.php.

--ERROR MESSAGE START--
Forbidden

You don't have permission to access /administrator/index.php on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

--ERROR MESSAGE END--

I have set up an Administrator secret URL parameter which works, so I don't know if the above URL is incorrect.

I have this same problem on 3 different sites on which I installed Admin Tools. I can't work out what is triggering the issue; File permission, .htaccess? Been looking at this for over two days, my apologies if I can't see the wood for the trees, but am stumped!

Thanks in advance.

nicholas
Akeeba Staff
Manager
This should only happen when your host's mod_security2 (a web server-level filter/firewall) blocks the request. This usually happens when you enter a secret URL parameter which contains characters other than lowercase unaccented latin letters (a-z) and numbers (0-9). Is it possible to request your host to tell you why that specific request was disabled?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user64118
Thanks for the quick response Nicholas. I have raised the issue with the host and subsequently noted Pam's similar issues (#12541).

I am pursuing this with them as they assure me that they have updated their systems. Am hoping to get this to an amicable and working conclusion but it may be tomorrow before I hear back.

nicholas
Akeeba Staff
Manager
Yes, please let me know of their reply. I am very curious. My blog is hosted on Rochen, on their cheapest shared hosting plan on a UK server. I tried earlier today saving the WAF configuration, no problem whatsoever. Pitfall: my secret key and other settings only contain regular characters (a-z, 0-9) except the IP lookup URL. But even as such, I could not replicate their problem. I am afraid that they've botched the mod_security rules on the upgrades they are rolling out, making the rules too aggressive and blocking way too many requests :(

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user64118
Hi Nicholas,

I've had a comprehensive and reassuring response from Rochen in which they highlight how their security is up to date, managed and monitored and cover the many points that you have made. On the password, their view is that the way they have it configured is a security benefit.

I believe that they will be contacting you directly regarding this. I am not an expert in this field but am hoping that once you have discussed your concerns that you and Rochen can give me some idea of the benefits of WAF over Rochen's own security and if it does provide additional security, agree on a fix to the password issue that is secure and not a compromise.

Having purchased and briefly used Admin Tools, I like the product, but I can't use it as it is and now I don't know if it gives me any additional security.

Hopefully you and Rochen can come to an amicable conclusion, even if you have to agree to disagree on some points. I will appreciate your advice on this once you have had the chance to discuss this with them so that I can take an informed view on whether to continue using Admin Tools.

nicholas
Akeeba Staff
Manager
So, basically, the problem is the back-end secret word. In any case, the documentation already tells you that you should not use any other characters except a-z and 0-9. The reason is that due to the way servers and browsers work other characters may get corrupted/filtered/modified in the process and not even make it into Admin Tools code. Have you tried such a secret word?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user64118
I don't know if it is. To be clear, are we referring just to WAF Administrator secret URL parameter?

If so, on one site I do not have a secret word set, on the others I have only used alphanumeric characters as suggested. Something like the one below is what I am using
/administrator/?brilho68

However for my own user login I do use all sorts of characters. I have just double checked the site with no password and still got the error.

Again, I only seem to get the error when saving WAF settings. The odd thing is that I could save them to begin with, but now I can't. I don't know if changing security or .htaccess affected it.

I'll set some time aside shortly and will build a blank site to see if I can see what triggers it.

nicholas
Akeeba Staff
Manager
Yes, that was what I was talking about. Strange!! I really have to take a look at this myself. My shared hosting account at Rochen doesn't display this behaviour. The only way to figure out what's going on is having access to an affected site, in this case yours.

I have made this ticket private so that only you and me can see the information posted here.

Please provide me with the following information:
  1. The URL to your site's administrator login page
  2. Super Administrator username and password
  3. FTP connection information

Please allow up to 24 hours for me to log in to your site and debug this issue. When I'm done I will post back. Once the issue is fixed, you can revoke my access e.g. by changing the Super Administrator and FTP passwords.

As always, I am very careful when working on live sites. I always keep a backup copy of anything and everything I modify so that I can make sure I won't cause any problems with your site.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user64118
Hi Nicholas,

Thanks for the offer to look at a site. Being inquisitive I set up a clean Joomla install to see at what point the error occurs.

Following install on the live server, I clicked on WAF and save settings (did not change any settings), it saved fine.

Clicked on Fix Permissions, again opened WAF and Saved without any changes, and Bingo, I got the problem!

I suspect that this may be it. May I leave you to see if you can identify what the Fix Permissions issue is, this is still quite new to me.

Also, you will probably do this anyway, but if you can fix the above, can you also just check if .htaccess is also OK and does not trigger the same problem.

I am hoping this isolates the problem. Here is the site information as requested.

Moderator notice: Connection information redacted before making the ticket public again

Hope it's an easy fix! Thanks again.
Rob

nicholas
Akeeba Staff
Manager
Hi Rob,

Thank you for the access to your site. I can now see what the problem is. The real source of the problem is the IP Lookup Service field. Normally it reads http://ip-lookup.net/index.php?ip={ip}. However, Rochen's mod_security settings mistakenly pick it up as a remote file inclusion attack and cut the request. If you skip the http:// part it works.

The temporary workaround is to clear that setting before clicking on Save or Save & Close. Admin Tools will automatically reset it to its default setting on save. I am going to create a workaround, though. I will add a drop down to select if it's an http:// or an https:// URL and allow you to enter the rest of the URL in the field. A very lame workaround but should fix the problems with Rochen's way too strict mod_security2 settings.

PS: I redacted your connection information and made the ticket public so that it can show up in future searches.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
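
As an added illustration (not code from the ticket or from Admin Tools), the following Python reproduces the false positive described above: a naive "remote file inclusion" rule that blocks any POST parameter value embedding a URL scheme trips on the legitimate IP lookup URL, while the proposed workaround (scheme in a separate select field, scheme-less remainder in the text field) passes the same rule and still rebuilds the same URL server-side. The RFI regex, the form field names `iplookup` / `iplookupscheme` and the sample POST bodies are constructed assumptions, not Rochen's or ModSecurity's actual rules.

```python
import re
from urllib.parse import parse_qs

# Constructed approximation of a naive RFI rule: any parameter value that
# embeds a URL scheme is treated as a remote file inclusion attempt.
# This is an illustration, not the real ModSecurity rule set.
RFI_PATTERN = re.compile(r"(?:https?|ftp)://\S+", re.IGNORECASE)


def find_rfi_hits(post_body: str) -> dict:
    """Return {parameter: value} for every POST parameter the naive rule would block."""
    params = parse_qs(post_body, keep_blank_values=True)
    return {k: v[0] for k, v in params.items() if RFI_PATTERN.search(v[0])}


def split_lookup_url(url: str) -> tuple:
    """Workaround from the ticket: keep the scheme in a separate select field and
    store only the scheme-less remainder in the text field."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("http", "https"):
        raise ValueError("expected an http:// or https:// URL")
    return scheme.lower(), rest


def join_lookup_url(scheme: str, rest: str, ip: str) -> str:
    """Rebuild the full lookup URL server-side and substitute the {ip} placeholder."""
    return f"{scheme}://{rest}".replace("{ip}", ip)


# Constructed sample POST bodies as a WAF settings form might send them
# (field names are hypothetical; the lookup URL is the default from the ticket).
ORIGINAL_BODY = (
    "ipwl=1&iplookup=http%3A%2F%2Fip-lookup.net%2Findex.php%3Fip%3D%7Bip%7D&token=abc"
)
WORKAROUND_BODY = (
    "ipwl=1&iplookupscheme=http"
    "&iplookup=ip-lookup.net%2Findex.php%3Fip%3D%7Bip%7D&token=abc"
)

if __name__ == "__main__":
    print("naive rule blocks:", find_rfi_hits(ORIGINAL_BODY))      # the iplookup field
    print("after workaround:", find_rfi_hits(WORKAROUND_BODY))     # nothing blocked
    scheme, rest = split_lookup_url("http://ip-lookup.net/index.php?ip={ip}")
    print("rebuilt:", join_lookup_url(scheme, rest, "203.0.113.5"))
```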

user64118
Thanks Nicholas, that's great, I have tested this on my other sites and it has fixed it.

Without wishing to go off-topic, I have a problem with one site in that if I apply Fix Permissions and then click on a link on the public site, that now triggers an error 500 page (!). If I revert to Rochen's file permission fix (from their cpanel) then the site is OK again. I am not getting this problem on other sites and I have not been able to replicate it on the test site either. I will look at this again tomorrow and if I can replicate the problem on the test site I will let you know. If this remains an issue shall I raise this as a separate ticket so that this one can be closed?
nicholas
Akeeba Staff
Manager
Remember that Fix Permissions does exactly what you tell it to do. If you gave a PHP file or a directory 0775 or 0777 permissions then you must expect to get a 500 Internal Server Error when using your site.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of whom live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!