#12556 security exception CSRF Shield

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Tuesday, 05 June 2012 01:27 CDT

user61845
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? No
Have I searched the tickets before posting? No
Have I read the documentation before posting (which pages?)? No
Joomla! version: 2.5.3
PHP version: (unknown)
MySQL version: (unknown)
Host: (optional, but it helps us help you)
Admin Tools version: 2.2.5

Description of my issue:

Hi guys,

I am new to this and have successfully set up Admin Tools Pro on my website.

There are always emails about security errors, with the reason being: CSRF Shield.

It provides an IP address, and every time I view them they are from different countries.

I want to confirm whether they are trying to access the admin page. What does this reason mean?

Do I blacklist these IP addresses?

Thank you very much!

nicholas
Akeeba Staff
Manager
The CSRFShield indicates that someone tried to submit a form but our software thought he was a spammer or hacker. This could be a genuine threat, a legitimate user with a misbehaving browser or a false positive. I would suggest taking a look at the Referrer shown in the emails and in Admin Tools, Web Application Firewall, Security Exceptions Log.

If it's always the same referrer, different IP and the timestamps of the records are very close together (seconds apart) then it's probably an attack. If it's always the same referrer but the timestamps are several minutes or hours apart we have a lot of false positives. In that case try setting the CSRFShield option in the Configure WAF page to Basic or, if it's already set to Basic, to None. If you see different IPs, different referrers and timestamps scattered throughout the day just ignore them. Most likely they are misbehaving browsers throwing false positives or some not very serious spam attempts.

Which brings me to the last leg of your question. If you want to know if someone is trying to break into your administrator just take a look at the referrer. If it's http://www.example.com/administrator or http://www.example.com/administrator/index.php (where www.example.com is the domain name of your site) then someone is trying to do that. As long as you have set up an administrator secret URL parameter, enabled treating failed logins as security exceptions, and enabled automatic IP banning in the Configure WAF page, you are very safe from this kind of attack.

All that said, I am not so much worried about the attacks coming from the outside world. Since you are most likely using a shared server I am more concerned about under-the-radar attacks. In the typical shared host your files are owned by the same user your web server runs under. As a result, if an attacker compromises a different site on the same server (even one you have nothing to do with) they can then write to your site's files and hack it. The only way to protect yourself is to have all files owned by the FTP user, enable the FTP options in Joomla! (which is the lesser of two evils, but that's another discussion) and have sensible permissions (0755 for folders, 0644 for files). Ideally you'd need a host with suPHP, mod_itk or mod_fpm which would allow your site to run completely isolated from the others.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
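The triage heuristic from the reply above (same referrer, several IPs, hits seconds apart: an attack; same referrer, hits minutes or hours apart: false positives; your own /administrator URL as referrer: someone probing the back end; scattered single hits: ignore), as an added Python example that is not part of the original ticket and not Admin Tools code. The log lines, the www.example.com domain, and the 60-second and 5-minute thresholds are constructed assumptions; the real Security Exceptions Log is viewed in the Admin Tools back end and is not exported in this pipe-separated format.

```python
# Added example (not Admin Tools code): triage CSRF Shield security exceptions
# with the referrer / IP / timestamp heuristic described in the reply above.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlparse

SITE_HOST = "www.example.com"   # assumption: the domain name of your own site
BURST_GAP_SECONDS = 60          # assumption: "seconds apart" = every gap under a minute
SCATTER_GAP_SECONDS = 300       # assumption: "minutes or hours apart" = every gap >= 5 min

# Constructed sample records, not real Admin Tools output. The four fields mirror
# what the Security Exceptions Log shows: timestamp, IP, reason, referrer.
SAMPLE_LOG = """\
2012-06-04 10:15:01|203.0.113.5|CSRFShield|http://forum.example.net/post.php
2012-06-04 10:15:03|198.51.100.22|CSRFShield|http://forum.example.net/post.php
2012-06-04 10:15:04|192.0.2.77|CSRFShield|http://forum.example.net/post.php
2012-06-04 10:15:09|203.0.113.88|CSRFShield|http://forum.example.net/post.php
2012-06-04 08:02:10|198.51.100.7|CSRFShield|http://www.example.com/contact-us
2012-06-04 11:40:55|203.0.113.14|CSRFShield|http://www.example.com/contact-us
2012-06-04 17:19:30|192.0.2.200|CSRFShield|http://www.example.com/contact-us
2012-06-04 03:12:44|192.0.2.33|CSRFShield|http://www.example.com/administrator/index.php
2012-06-04 14:27:18|198.51.100.90|CSRFShield|http://blog.example.org/
"""


@dataclass
class Record:
    timestamp: datetime
    ip: str
    reason: str
    referrer: str


def parse_records(text):
    """Parse pipe-separated log lines into Record objects, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, reason, referrer = line.split("|", 3)
        records.append(Record(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, reason, referrer))
    return records


def is_admin_referrer(referrer, site_host=SITE_HOST):
    """True when the referrer is your own site's administrator URL (with or without index.php)."""
    url = urlparse(referrer)
    if url.netloc.lower() != site_host.lower():
        return False
    path = url.path.rstrip("/")
    return path in ("/administrator", "/administrator/index.php")


def classify_group(records, site_host=SITE_HOST):
    """Apply the heuristic to all records that share one referrer."""
    if any(is_admin_referrer(r.referrer, site_host) for r in records):
        return "admin-break-in"
    if len(records) < 2:
        return "ignore"                       # a lone hit tells you nothing by itself
    times = sorted(r.timestamp for r in records)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
    distinct_ips = {r.ip for r in records}
    if max(gaps) <= BURST_GAP_SECONDS and len(distinct_ips) > 1:
        return "attack"                       # burst from several IPs, one referrer
    if min(gaps) >= SCATTER_GAP_SECONDS:
        return "false-positive"               # same referrer, but spread out over the day
    return "ignore"


# Suggested follow-up per verdict, taken from the reply above.
ACTIONS = {
    "attack": "treat as an attack; review the IPs and consider blocking them",
    "false-positive": "lower CSRFShield in Configure WAF to Basic, or to None if already Basic",
    "admin-break-in": "someone is probing /administrator; keep the secret URL parameter, "
                      "failed-login exceptions and automatic IP banning enabled",
    "ignore": "scattered hits; most likely misbehaving browsers or weak spam attempts",
}


def triage(records, reason="CSRFShield", site_host=SITE_HOST):
    """Group records of one exception type by referrer and return {referrer: verdict}."""
    groups = defaultdict(list)
    for r in records:
        if r.reason == reason:
            groups[r.referrer].append(r)
    return {ref: classify_group(recs, site_host) for ref, recs in groups.items()}


if __name__ == "__main__":
    for referrer, verdict in triage(parse_records(SAMPLE_LOG)).items():
        print(f"{verdict:15} {referrer}\n    -> {ACTIONS[verdict]}")
```

The thresholds are deliberately loose: a real burst from a single scanner often comes from one IP, which this heuristic files under "ignore" if the gaps are short but the IP set is not diverse, so pair the referrer grouping with the failed-login and automatic-banning settings mentioned above rather than relying on it alone.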
