#14015 Security Exception for Com_installer update

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Tuesday, 06 November 2012 06:05 CST

user69980
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: (2.5.7)
PHP version: (5.3.6)
MySQL version: (5.1.65 )
Host: (vodien.com)
Admin Tools version: (2.4.1 latest)

Description of my issue:

Problem 1)
I constantly see this "admin query string" in the security exception log whenever I navigate around in the backend.
http://mydomain.com/administrator/index.php?option=com_installer&view=update&task=update.ajax

I believe this is caused by the com_installer attempting to look for updates, which should be a legit request thus I don't understand why it's appearing as a security exception. I have tried to create a WAF exception rule for com_installer and view update but the log still continues to display that admin query string from my IP address.

Since the site is offline and I'm the only one accessing the website, I'm pretty sure this is a bug especially when I'm able to reproduce it by going to Extension Manager->Update->Find Updates.

Problem 2)
The time shown in the log seems to be wrong. In Joomla I have set my timezone to Singapore but the time for the events in the security exception log seems to show the US time instead. For example, it's 6pm now but the log says 10am.

user69980
Hmm, I was mistaken about being able to reproduce problem 1 by going to Extension Manager->Update->Find Updates.

The exact reproduction step should be simply by going back to Control Panel in the backend where the Joomla extension update quick icon would trigger the security exception. Every time I go back to the Control Panel, this event is logged.

nicholas
Akeeba Staff
Manager
Problem 2 is not a problem; the date and time are shown as GMT (not as US time). This is by design.

Problem 1 is a little strange. I know what causes it, though. The admin query string security exception means that there was an unauthorised access to the backend without a secret URL admin query string. Admin Tools stores the validation of the secret URL admin query string in the session. However, Joomla! has a long-standing bug with its session management, introduced in Joomla! 1.6 and reported by yours truly and others 2 years ago. The problem is that the session storage space is very limited (64Kb), overflows, gets reset and results in various strange issues. In your case, a security exception. Other users without Admin Tools get even more strange stuff, like the menu disappearing, or ending up in a Control Panel page where everything is missing except the Log Out link. Unfortunately there's not much I can do to help with that :(

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user69980
Ouch... that's kinda sad. But after reading your reply, I did some testing and realized that it has nothing to do with the secret key. I could be wrong though, since I'm still a bit confused why sometimes the secret key disappears from the url.

But if I were to disable HTTPS from the backend and use simply HTTP, there is no security exception and the quick icon will show me that "All Extensions are up to date". But if I were to use HTTPS, it will trigger a security exception and then the quick icon will show me "Unknown Extensions Update Status".

If I disable the quick icon module for Joomla, then no security exception will be logged.

nicholas
Akeeba Staff
Manager
Strange... It's as if the icon uses the non-HTTPS URL for its AJAX request. The only reason I can think of is that you have a $live_site line in your configuration.php file which uses an http:// URL.


user69980
Ah, good find there. Yes, I had a $live_site that's using non-https in the configuration. I removed the value and now there's no more security exception being logged even when in HTTPS mode.

Thanks for the help, problem is resolved I guess xD.

nicholas
Akeeba Staff
Manager
Yup, that's it!

So, it wasn't a session issue after all. When I read your original ticket I thought you were being kicked out of admin. That would be a session issue. What you were actually describing was the disparity between the real admin URL and the one in live_site, an issue which is impossible to debug unless you understand how Joomla! generates URLs :)

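The root cause the thread settles on, as an added illustration that is not code from the ticket, Admin Tools or Joomla!: a simplified model (an assumption, not Joomla!'s actual JUri code) in which a non-empty $live_site overrides the scheme and host taken from the request, so an https:// backend page ends up issuing an http:// AJAX call, plus the configuration check a site owner would run to catch the mismatch. The configuration.php contents and hostname are constructed sample values.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a Joomla! configuration.php with the http:// $live_site
# the thread identifies as the cause (sample values, not taken from any real site).
SAMPLE_CONFIG = """<?php
class JConfig {
    public $sitename = 'Example Site';
    public $live_site = 'http://mydomain.com';
    public $secret = 'PLACEHOLDER_SECRET';
}
"""

# Same sample with $live_site cleared, which is the fix applied in the thread.
FIXED_CONFIG = SAMPLE_CONFIG.replace("'http://mydomain.com'", "''")

_LIVE_SITE_RE = re.compile(r"""\$live_site\s*=\s*(['"])(.*?)\1\s*;""")


def live_site_from_config(config_text):
    """Return the $live_site value from configuration.php, or '' when unset/empty."""
    m = _LIVE_SITE_RE.search(config_text)
    return m.group(2).strip() if m else ""


def admin_url(config_text, request_scheme, request_host, path, query):
    """Simplified model (assumption): a non-empty $live_site supplies scheme and
    host for absolute URLs; otherwise they come from the current request."""
    live = live_site_from_config(config_text)
    if live:
        parts = urlsplit(live)
        base = f"{parts.scheme}://{parts.netloc}{parts.path.rstrip('/')}"
    else:
        base = f"{request_scheme}://{request_host}"
    return f"{base}{path}?{query}"


def check_live_site(config_text, request_scheme):
    """Defensive check: flag a $live_site whose scheme differs from the scheme the
    backend is actually served over (the mixed-scheme situation in this ticket)."""
    live = live_site_from_config(config_text)
    if not live:
        return True, "live_site is not set: URLs follow the request scheme"
    scheme = urlsplit(live).scheme.lower()
    if scheme != request_scheme.lower():
        return False, (f"live_site uses {scheme}:// but the backend is served over "
                       f"{request_scheme}://; clear live_site or set it to {request_scheme}://")
    return True, "live_site scheme matches the request scheme"
```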
