#14936 WAF Exceptions

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Monday, 11 February 2013 09:15 CST

richarddenhamhill

Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: (2.5.9)
PHP version: (unknown)
MySQL version: (unknown)
Host: (Rochen)
Admin Tools version: (2.4.4)

Description of my issue:

Testing redshop+paypal via sandbox on site www.i-webdesigner.co.uk/jenjones

Immediately got Bad behaviour errors from AdminToolsPro so set WAF Exception com_redshop+order_detail (which worked for me on sister site www.welshquilts.com)

This stopped the Bad behaviour messages BUT the POST from Paypal was still being blocked. See Log entry:

173.0.82.126 - - [07/Feb/2013:14:19:39 +0000] "POST /jenjones/index.php?tmpl=component&option=com_redshop&view=order_detail&controller=order_detail&task=notify_payment&payment_plugin=rs_payment_paypal&Itemid=1&orderid=51 HTTP/1.0" 403 66 "-" "-"

 

Eventually in desperation I simply UNPUBLISHED admintools system plugin.

Now I get

173.0.82.126 - - [07/Feb/2013:14:12:51 +0000] "POST /jenjones/index.php?tmpl=component&option=com_redshop&view=order_detail&controller=order_detail&task=notify_payment&payment_plugin=rs_payment_paypal&Itemid=1&orderid=50 HTTP/1.0" 303 51 "-" "-"
173.0.82.126 - - [07/Feb/2013:14:12:52 +0000] "GET /jenjones/index.php?option=com_redshop&view=order_detail&layout=receipt&Itemid=1&oid=50 HTTP/1.0" 303 45 "-" "-"
173.0.82.126 - - [07/Feb/2013:14:12:52 +0000] "GET /jenjones/index.php?option=com_redshop&view=login&Itemid=1 HTTP/1.0" 200 25808 "-" "-"

which says the paypal POST is getting through.

The fact that RedShop is not reacting to it by setting my order 'Paid' is another problem for the redshop guys.

My question is why do I need to unpublish the admintools plugin?

Is it because I'm testing in a subdirectory ??

Regards

nicholas
Akeeba Staff
Manager

I need you to do a little bit of troubleshooting which will provide me with more information so that I can help you.

First go to Admin Tools, Web Application Firewall, Configure WAF. Make sure "Log security exceptions" is set to Yes; if it's not, set it to Yes and click on Save. Now try reproducing your issue. Immediately after that, please go to Admin Tools, Web Application Firewall, Security Exceptions Log and go to the last page. The last log entry should have the date and time of when the issue occurred. Please copy the Reason and Target URL here so that I can help you.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

richarddenhamhill

Nicholas

Thanks for replying so quickly!

This morning - BEFORE I added the WAF exception - I was getting

173.0.82.126 ----- Bad Behaviour ----- http://i-webdesigner.co.uk/jenjones/index.php?option=com_redshop&view=order_detail&controller=order_detail&task=notify_payment&payment_plugin=rs_payment_paypal&Itemid=1&orderid=42

Then I set WAF exception to component=com_redshop, view=order_detail & ALL

Since then NO REPORTED ERRORS from admintools.

BUT in ROCHEN's raw log I see

173.0.82.126 - - [07/Feb/2013:14:19:39 +0000] "POST /jenjones/index.php?tmpl=component&option=com_redshop&view=order_detail&controller=order_detail&task=notify_payment&payment_plugin=rs_payment_paypal&Itemid=1&orderid=51 HTTP/1.0" 403 66 "-" "-"

I assume the 403 means it was blocked

If I unpublish the admintools system plugin I then get

173.0.82.126 - - [07/Feb/2013:14:12:51 +0000] "POST /jenjones/index.php?tmpl=component&option=com_redshop&view=order_detail&controller=order_detail&task=notify_payment&payment_plugin=rs_payment_paypal&Itemid=1&orderid=50 HTTP/1.0" 303 51 "-" "-"
173.0.82.126 - - [07/Feb/2013:14:12:52 +0000] "GET /jenjones/index.php?option=com_redshop&view=order_detail&layout=receipt&Itemid=1&oid=50 HTTP/1.0" 303 45 "-" "-"
173.0.82.126 - - [07/Feb/2013:14:12:52 +0000] "GET /jenjones/index.php?option=com_redshop&view=login&Itemid=1 HTTP/1.0" 200 25808 "-" "-"

I don't know what the 303 means but it's the same on a sister site welshquilts.com where paypal works perfectly.

 

Does all this help ??

nicholas
Akeeba Staff
Manager

If nothing is logged in Admin Tools' Security Exceptions Log it's not an Admin Tools issue. In fact, by having an exception for the entire com_redshop component you have disabled Admin Tools' protection for the entire component. It's equivalent to unpublishing the plugin. I don't know where that 403 comes from.

HTTP 303 means "See other". It's a redirection.


richarddenhamhill

Thanks for your time

I just thought that by Unpublishing the AdminToolsSystemPlugin causing the 403 to become 303 was a good clue to my problem.

And my WAF exception is com_redshop AND view=order_detail AND query=(ALL)

to try to block Bad Behaviour Checks

You say:

  • When all query strings are specified for a component or view, the following WAF features are disabled: Bad Behaviour, SQLiShield, XSSShield, MUAShield, CSRFShield, RFIShield, DFIShield, UploadShield and Bad Words Filtering
  • When specific query strings are specified for a component or view, the following WAF features are disabled only for those query strings: SQLiShield, XSSShield, RFIShield, DFIShield, UploadShield and Bad Words Filtering

 

Regards

nicholas
Akeeba Staff
Manager

That's correct. When you leave the Query field empty (therefore catching all query strings) Bad Behaviour –which was causing the problem– is disabled.

OK, hold it. When you said: "Then I set WAF exception to component=com_redshop, view=order_detail & ALL" did you mean that you typed ALL in the Query field? If that's what you did, you need to edit the rule and leave the Query field empty.


richarddenhamhill

Nicholas

I left the Query Field blank - it just displays as (All)

 

Barry

nicholas
Akeeba Staff
Manager

OK, that's correct. It has disabled Admin Tools' protection for the component.

The only two other things that I see in the request which could cause a problem are:

  • it's a POST request, but the CSRFShield is already circumvented so it can't be an issue (not to mention, it would create a log entry)
  • tmpl=component could be an issue if component is not an allowed tmpl keyword in Configure WAF. But a. by default it is an allowed keyword and b. even if it weren't it would create a log entry

There's either a security exceptions log entry or this issue can't come from Admin Tools.

I would understand it if this was a different HTTP code (e.g. a 302, I would think it's the URL Redirection feature), but it's a 403. Every time Admin Tools produces a 403 it creates a log entry.

I don't know. The information I am presented just doesn't add up.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
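
The rule applied in the reply above (every 403 produced by Admin Tools also creates a Security Exceptions Log entry) can be checked mechanically by matching 403s in the web server's access log against that log. The Python below is an added example, not part of the ticket or of Admin Tools. The exception-log record layout, the 5-second matching window and both 09:30:00 sample records are constructed assumptions; the other two access-log lines are the ones quoted in the thread.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Apache combined log format: ip, timestamp, request line, status
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_access(line):
    """Return ip, time, status and orderid for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m["url"]).query)
    return {"ip": m["ip"],
            "when": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "status": int(m["status"]),
            "orderid": query.get("orderid", [None])[0]}

def attribute_403s(access_lines, waf_entries, window=timedelta(seconds=5)):
    """Label each 403 'admin_tools' if the WAF log has a matching entry
    (same IP, within `window`), otherwise 'elsewhere'."""
    results = []
    for rec in filter(None, map(parse_access, access_lines)):
        if rec["status"] != 403:
            continue
        hit = next((w for w in waf_entries if w["ip"] == rec["ip"]
                    and abs(w["when"] - rec["when"]) <= window), None)
        results.append((rec["orderid"],
                        "admin_tools" if hit else "elsewhere",
                        hit["reason"] if hit else None))
    return results

Q = "option=com_redshop&view=order_detail&controller=order_detail&task=notify_payment&payment_plugin=rs_payment_paypal&Itemid=1"
ACCESS = [
    # constructed: a 403 from before the exception was added (time invented)
    f'173.0.82.126 - - [07/Feb/2013:09:30:00 +0000] "POST /jenjones/index.php?{Q}&orderid=42 HTTP/1.0" 403 66 "-" "-"',
    # the two POST lines quoted in the thread
    f'173.0.82.126 - - [07/Feb/2013:14:19:39 +0000] "POST /jenjones/index.php?tmpl=component&{Q}&orderid=51 HTTP/1.0" 403 66 "-" "-"',
    f'173.0.82.126 - - [07/Feb/2013:14:12:51 +0000] "POST /jenjones/index.php?tmpl=component&{Q}&orderid=50 HTTP/1.0" 303 51 "-" "-"',
]
# constructed Security Exceptions Log record (layout is an assumption)
WAF_LOG = [{"ip": "173.0.82.126", "reason": "Bad Behaviour",
            "when": datetime(2013, 2, 7, 9, 30, 0, tzinfo=timezone.utc)}]

if __name__ == "__main__":
    for orderid, source, reason in attribute_403s(ACCESS, WAF_LOG):
        print(f"orderid={orderid}: 403 attributed to {source} ({reason})")
```

A 403 labelled `elsewhere`, like the one for orderid=51, has no Security Exceptions Log entry and so, by the rule above, did not come from Admin Tools.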

richarddenhamhill

Hi Nicholas,

You can close the ticket as, embarrassingly, it has turned out to be a set up error by us in the sandbox.

Thanks for your patience meantime. Your suggestions did help us find the problem in the end.

Kind Regards,

 

Richard

 

nicholas
Akeeba Staff
Manager

You're welcome, Richard! I'm glad it all came down to a reasonable explanation :)

