#13486 Admin Query String

Posted in ‘Admin Tools for Joomla! 4 & 5’


Latest post by nicholas on Monday, 10 September 2012 12:10 CDT

user68137
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? yes
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: 2.5.6
PHP version: 5.3.14
MySQL version: (unknown)
Host: http://hamptonlibrary.org
Admin Tools version: 2.3.2

Description of my issue:


I am receiving admin query string alerts from an unlikely source. I say unlikely because the IP is my workplace firewall, I have this IP whitelisted and the building is closed today with nobody there. I would be the only one remoting in behind this firewall to access the site. Not sure what is going on with this.

nicholas
Akeeba Staff
Manager
If the IP was whitelisted you would not receive any emails. Maybe it's an IP which is close to the one you have whitelisted but not quite the same?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user68137
exact same IP

nicholas
Akeeba Staff
Manager
I can't see how that's possible. If an IP is whitelisted, Admin Tools essentially deactivates all WAF protection for that request. It will not check for the admin query string and won't send an email. Moreover, since your building was closed down for the weekend, there was no way someone could actually use that IP.

I don't know. The explanation is one part spy novel and one part Jackass The Movie meets computers. It would take someone breaking into your office, connecting to your site via FTP, disable Admin Tools, log into your site, clear the whitelist, re-enable Admin Tools, log off the site and then try to log back in without supplying the secret URL parameter. It doesn't make any sense.

A more plausible explanation is that the IP in question is not your firewall. It is, in fact, the public IP of a reverse proxy in front of your server, meaning that all incoming traffic to the site seems to come from this IP. It would also require this IP address to not be whitelisted, e.g. because it was mistyped. This doesn't involve any breaking and entering, crackers doing absurd things or anything else which would defy common sense.


user68137
The 65.254.29.50 address is my firewall. I know this because I am the network admin and built it; it's not a reverse proxy. Could an open browser with the backend login screen loaded cause this? I may have left one browser open on my machine at work. I know this address is whitelisted because I can log into the backend without the need for the Administrator secret URL parameter when accessing the machine from that address.

I have also whitelisted the IP of the vulnerability scanner used by godaddy.com, and still get tons of security exceptions (which I would expect if not whitelisted) as it does its nightly probe/scan.

While I have you, what permissions should my configuration.php and php5.ini files have? They are currently set at 604, whereas my .htaccess is 644.

Finally, and perhaps I should ask this in a different ticket, but do you have a cron job for Akeeba that works with GoDaddy shared hosting? I tried the "alternate" one in the instructions and it did not seem to work. GoDaddy really, really sucks for hosting Joomla: no support whatsoever.

nicholas
Akeeba Staff
Manager
It is a far cry, but it is possible that a sleeping PC woke up for some reason (network activity, a forgotten BIOS wakeup alarm, ...) and the browser would try to reload the last pages it had loaded in its tabs, including a back-end page to your site. That would cause an admin query string security exception, but only if the IP is not whitelisted. That's my biggest problem in your account of the events: if an IP is whitelisted, it doesn't generate security exceptions.

"I have also whitelisted the IP of the vulnerability scanner used by godaddy.com, and still get tons of security exceptions (which I would expect if not whitelisted) as it does its nightly probe/scan."

This is getting more weird. It's as if the whitelisting doesn't work. Or, maybe, as if the whitelisting is not enabled. Please go to Configure WAF. Have you activated the "Allow administrator access only to IPs in Whitelist" option? If that option is disabled (set to "No") then the contents of the white list are ignored and that would explain the situation.

"Finally, and perhaps I should ask this in a different ticket, but do you have a cron job for Akeeba that works with GoDaddy shared hosting? I tried the "alternate" one in the instructions and it did not seem to work. GoDaddy really, really sucks for hosting Joomla: no support whatsoever."

Yes, it deserves a new ticket. In so many words, tough luck. GoDaddy is absolutely a disaster if you want to host anything except a basic site which will receive no updates, has no features and you don't mind having it hacked for fun. Their ridiculously overpriced, abysmal servers are only second to their useless "support" (i.e. script reading people in a far off place who have no idea about hosting or what you're talking about). The only scheduled backup method which will work is using a third party service like webcron.org to schedule the launch of a front-end backup.


user68137
I did not have "Allow administrator access only to IPs in Whitelist" checked, yet for some reason the whitelist functions as far as the Administrator secret URL parameter is concerned: I don't seem to need the ?xxxxx from addresses listed in the whitelist.

I think I left Opera open on my machine at work behind 65.254.29.50, loaded with the backend admin login screen. Perhaps the browser periodically refreshed the page, causing the exceptions? That is the only thing that could possibly explain the ghost.

nicholas
Akeeba Staff
Manager
If the "Allow administrator access only to IPs in Whitelist" option is not checked then the entries in the whitelist are ignored. This means that you do need to use the ?xxxxx from everywhere, including addresses listed in the whitelist (I double-checked). Perhaps you get a cached page or the browser auto-completes the admin query string?

"I think I left Opera open on my machine at work behind 65.254.29.50, loaded with the backend admin login screen. Perhaps the browser periodically refreshed the page, causing the exceptions? That is the only thing that could possibly explain the ghost."

This would be a plausible explanation.


user68137
"This means that you do need to use the ?xxxxx from everywhere, including addresses listed in the whitelist (I double-checked). Perhaps you get a cached page or the browser auto-completes the admin query string?"
I am not sure why, but the whitelist appears to function for the Administrator secret URL parameter even though the Allow administrator access only to IPs remains unchecked. I have cleared the cache and cookies in multiple browsers, as well as the cache on the joomla backend, and do not need the ?xxxxxx when connecting from a whitelisted IP. When I connect over my wifi or via my smartphone, which are not in the whitelist, I do need to supply the ?xxxxxx parameter in order to get access to the backend login.

I know this is not supposed to be, but this is what I am experiencing.

nicholas
Akeeba Staff
Manager
That's strange because you describe the same setup I tried here and my results are according to my expectations: if the option is not enabled the whitelisted IPs are ignored. Besides, if the IP of the internal firewall was whitelisted you wouldn't be receiving the emails which prompted you to contact me in the first place. I don't know how to explain this.


user68137
Also, I whitelisted the IPs of the client who actually owns the website, and just confirmed that they too are able to get to the admin login without the ?xxxxxx token.

Is there a reason why, when you enter IPs in the whitelist, they do not immediately show up in the list (although you can successfully search for them)? I find I have to log out and then log in again to actually see the IP addresses and descriptions on the whitelist.

Actually, I think this is a feature more than a bug, and it does work as I originally expected. I did not think I had to check the "Allow administrator access only to Whitelisted IPs" option in order for the whitelist to work for other areas of this great component. I thought limiting backend access to specific whitelisted IPs was just an ADDITIONAL, higher security feature.

nicholas
Akeeba Staff
Manager
"Is there a reason why, when you enter IPs in the whitelist, they do not immediately show up in the list (although you can successfully search for them)? I find I have to log out and then log in again to actually see the IP addresses and descriptions on the whitelist."

There is no reason for this to happen and I can't replicate it here. Is your site behind a CDN, maybe?

"Actually, I think this is a feature more than a bug, and it does work as I originally expected."

Well, if it works differently than I meant it to do then it's a bug. That's the definition of a bug: something which works differently than the developer designed it or does not work at all. I will have to take a look into it.

"I did not think I had to check the "Allow administrator access only to Whitelisted IPs" option in order for the whitelist to work for other areas of this great component."

This was done in order to save one database query per page load for the majority of sites which do not use IP whitelisting.

"I thought limiting backend access to specific whitelisted IPs was just an ADDITIONAL, higher security feature."

You nailed it. It's an additional (optional) feature meant for higher security. Since it's optional, the extra query incurred when I didn't have an option to turn it on was a burden for the majority of sites which didn't need this feature :)

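A model of the whitelist / admin query string decision as Nicholas describes it in this reply and earlier in the thread (the whitelist is only consulted when the "Allow administrator access only to IPs in Whitelist" option is on, saving a query per page load; a whitelisted request bypasses the WAF entirely; otherwise the secret URL parameter is required or an exception and email follow). This is an added illustration, not Admin Tools' own code: the option names, the `xxxxx` placeholder secret and the sample IPs come from the thread, while the function and class names are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class WafConfig:
    # The "Allow administrator access only to IPs in Whitelist" switch.
    whitelist_only: bool
    # Exact-match IP addresses (constructed sample data in ticket_scenario).
    whitelist: set = field(default_factory=set)
    # Placeholder for the secret URL parameter (the "?xxxxx" in the thread).
    admin_secret: str = "xxxxx"


@dataclass
class Decision:
    allowed: bool
    reason: str
    email_sent: bool = False


def evaluate(cfg: WafConfig, client_ip: str, query: dict) -> Decision:
    """Decide whether a back-end (/administrator) request passes the WAF."""
    if cfg.whitelist_only:
        # Whitelist is live: a listed IP skips every WAF check, including the
        # admin query string, so it can never raise an exception or an email.
        if client_ip in cfg.whitelist:
            return Decision(True, "ip whitelisted; WAF bypassed")
        # Everyone else is shut out of the back end outright.
        return Decision(False, "ip not in whitelist", email_sent=True)
    # Option off: the list is never read (this is the saved database query),
    # so even a listed IP must present the admin query string.
    if cfg.admin_secret in query:
        return Decision(True, "admin query string present")
    return Decision(False, "admin query string missing", email_sent=True)


def ticket_scenario() -> dict:
    """Replay the situation from this ticket with constructed inputs."""
    firewall = "65.254.29.50"
    # Whitelist populated but the option left unchecked, as the reporter had it.
    unchecked = WafConfig(whitelist_only=False, whitelist={firewall})
    # The same list with the option enabled.
    checked = WafConfig(whitelist_only=True, whitelist={firewall})
    return {
        "unchecked_no_secret": evaluate(unchecked, firewall, {}),
        "unchecked_with_secret": evaluate(unchecked, firewall, {"xxxxx": ""}),
        "checked_no_secret": evaluate(checked, firewall, {}),
        "checked_near_miss_ip": evaluate(checked, "65.254.29.51", {}),
    }
```

With the option unchecked the firewall IP still triggers an exception and an email, which is the behaviour the reporter was puzzled by; the near-miss IP case shows why an off-by-one address in the list produces the same alerts.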

user68137
Not sure what you mean by a CDN. Content Delivery Network? Not that I am aware of. I would be happy to provide you access to the backend if you would like to see the behavior for yourself. Is there a way I can give you the info privately?

nicholas
Akeeba Staff
Manager
Yes, I was thinking about a CDN. I don't think there is a need for login information. I believe the problem is the way some session variables are being handled. I'll try improving that in the next version.

