#15127 Security exception emails

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Tuesday, 26 February 2013 10:18 CST

user71798

Joomla! version: (2.5.9)
PHP version: (5.3)
MySQL version: (unknown)
Host: (arvixe)
Admin Tools version: (2.4.4)

Description of my issue:

I set up the security exception email and I have been receiving emails all day. The majority are template= in URL but I have had a fair share of Admin Query String.

Could you please explain what this means.  I read through the support pages and saw some stuff about joomla mail but I don't understand it.  I'd like to know that I have this stuff setup the best way I know how.  I have added these ip addresses to my blacklist but they just keep coming in.  Please let me know what I can do.

Thanks,

Kurt

user71798

Blacklist question. I added the following IP 193.169.87.206 to my blacklist but later in the evening I got another security exception email. I thought if I added it to my blacklist it would ban them from my site.

Could you explain this as well as my previous question.

Thanks!

K.

nicholas
Akeeba Staff
Manager

The template= refers to "Block template=foo site template switch" in the Configure WAF page. The exact conditions which trigger it are mentioned in the documentation.

The "Admin Query String" refers to the "Administrator secret URL parameter" in the Configure WAF page. It means that someone tried to access your administrator login page without supplying the correct secret URL parameter.

Regarding the blacklist, you have to set the "Disallow site access to IPs in Blacklist" option in the Configure WAF page to Yes, otherwise the blacklist is completely ignored.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user71798

I have read this info in the doc

https://www.akeebabackup.com/documentation/admin-tools/web-application-firewall.html#waf-configure

This is how I have the site currently configured

Block tmpl=foo system template switch - Yes
List of allowed tmpl= keywords - component,system,raw
Block template=foo site template switch - Yes
Allow site templates - No

I read this ticket which talks about the send article by mail function causing the issue, but unlike this msg most of the ip addresses that cause this warning are from outside my country and are ip addresses I cannot identify.

https://www.akeebabackup.com/support/admin-tools/12656-security-message-template--in-url.html

Do I have the tool configured correctly?

Am I to understand that these emails mean that my site and most sites in general are just constantly scanned for vulnerability? Or am I still not understanding what these emails mean.

Thanks!

Kurt

nicholas
Akeeba Staff
Manager

I would have to see the exact Target URL as displayed in Admin Tools' security exceptions log to be most precise. I think that you get these exceptions from the send article by email links on your articles which can be worked around by setting "Allow site templates" to Yes.


user71798

Here is an example of one of the log target urls.  I've edited the name of our site before I posted.

They all seem to be using the mailto component.  The link string is always different.

http://site.org/component/mailto/?link=15481df192e89f051e6fb52e62d26098502f0287&template=zion&tmpl=component

Forgive my ignorance, but does this mean people are manipulating the site to send email or at least attempting to?

Per your request I have changed the "Allow site templates" from No to Yes.

nicholas
Akeeba Staff
Manager

That's exactly the kind of URL I guessed. As per https://www.akeebabackup.com/documentation/admin-tools/web-application-firewall.html#waf-configure under "Allow site templates":

several core components –including com_mailto, powering the "send this page by email" icon in your articles– have to append template=yourDefaultTemplateName to the URL. This would cause your site to throw security exceptions whenever a legitimate visitor would, for example, try to send an article by email to a friend of his.

That's what is going on. Just enable the "Allow site templates" option.


user71798

Thanks for all the good info!

nicholas
Akeeba Staff
Manager

You're welcome, Kurt!


user71798

I have "Disallow site access to IPs in Blacklist" set to "Yes" and I have had the following IP 121.83.221.74 in my blacklist but my log shows the following repeated all through the night - 2013-02-26 00:53:15 121.83.221.74 Login failure.

If I blacklisted that IP, shouldn't that block that user from even seeing the site?

K.

nicholas
Akeeba Staff
Manager

Make sure that you have done all of the following:

PHP is 5.2.7 or later (5.3.1 or later for Admin Tools 2.5.0 and later)

You have enabled the System - Admin Tools Plugin and its access is set to Public

You have activated blacklisting in the Configure WAF page of Admin Tools (by default it is disabled)


user71798

I am running php 5.3.15.

As I stated in my prior email I do have "Disallow site access to IPs in Blacklist" set to "Yes"

I checked my System - Admin Tools Plugin. It is enabled.

This morning I updated Admin Tools to 2.5.1

I'll keep an eye on it and the next time I black list an IP I'll check to make sure it's working.

Until then,

Thanks!

K.

nicholas
Akeeba Staff
Manager

I also mentioned one more thing:

You have enabled the System - Admin Tools Plugin and its access is set to Public

I had this problem in my own site after I tinkered with the plugin settings. I stupidly set its access to Guest instead of Public and the plugin would, of course, not load any more. Is it possible that this is what happens?

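The two checks this thread works through by hand (is a template= exception just a com_mailto "send this page by email" link, and is a blacklisted IP still reaching the login form), as an added example that is not part of the ticket and is not Admin Tools' own code. The row layout, the function names and the sample rows are assumptions constructed for illustration; only the reason strings, the URL shape and the IP 121.83.221.74 come from the posts above.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample rows: (timestamp, IP, reason, target URL). The column
# layout is an assumption; reasons and URL shape are those quoted in the ticket.
SAMPLE_LOG = [
    ("2013-02-26 00:41:02", "198.51.100.7", "template= in URL",
     "http://site.org/component/mailto/?link=abc123&template=zion&tmpl=component"),
    ("2013-02-26 00:47:30", "203.0.113.9", "template= in URL",
     "http://site.org/index.php?template=othertemplate"),
    ("2013-02-26 00:53:15", "121.83.221.74", "Login failure", ""),
]

def is_mailto_template_hit(reason, url):
    """True when a template= exception has the shape of a com_mailto
    'send this page by email' link, the case explained in the ticket."""
    if reason != "template= in URL":
        return False
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    sef = "/component/mailto" in parts.path          # SEF form seen in the log
    non_sef = query.get("option") == ["com_mailto"]  # index.php?option=... form
    return (sef or non_sef) and "template" in query

def triage(rows, blacklist):
    """Sort rows into mailto-shaped hits, rows to review by hand, and
    blacklisted IPs that still got as far as a login attempt."""
    result = {"mailto": [], "review": [], "blacklist_not_enforced": []}
    for stamp, ip, reason, url in rows:
        if ip in blacklist and reason == "Login failure":
            # A login failure means the request reached Joomla's login
            # handling, so the IP block was not applied to it.
            result["blacklist_not_enforced"].append((stamp, ip))
        elif is_mailto_template_hit(reason, url):
            result["mailto"].append((stamp, ip))
        else:
            result["review"].append((stamp, ip, reason))
    return result

if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_LOG, {"121.83.221.74"}).items():
        print(bucket, rows)
```

Rows in the "mailto" bucket stop being logged once "Allow site templates" is set to Yes; any row under "blacklist_not_enforced" points back to the three checks listed above (PHP version, the System - Admin Tools plugin enabled with Public access, blacklisting activated in Configure WAF).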
