#18728 IP Security Exception

Posted in ‘Admin Tools for Joomla! 4 & 5’
Latest post by nicholas on Monday, 13 January 2014 14:45 CST

user60557
Nich,

I have a long-time friend who is causing a site havoc, but not the other sites I maintain. His IP is 162.231.17.1 and the problem happens both in FF and IE. He can access the site but in AT I get a "tmpl= in URL" error every couple of seconds.

Any thoughts?

dlb
Is your friend using an older browser, like IE6? Some templates include a browser check and will try to redirect IE6 to an upgrade page. This can trigger a tmpl exception.


Dale L. Brackin
Support Specialist


English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5)

user60557
Morning Dale,

Nope, nice shot across the bows. D He has the latest, greatest FF and it is either the latest IE or one back. And yes, my template has the < IE7 browser check as a part of it. That would not allow him access to the site. He has access. It is only in the back end when I view AT Security Exceptions Log that the problem arises.

dlb
OK Wayne, I'll see if I can rustle up a temp= expert. :-)


Dale L. Brackin
Support Specialist



user60557
Thank you and if need be I'll set up access to the back end.

nicholas
Akeeba Staff
Manager
I believe that your user is trying to use the send by email feature on your site. No problem, there's an easy workaround. Go to Admin Tools, Web Application Firewall, Configure WAF and check the "Allow site templates" options. Click on Save & Close.

Next up, remove your user's IP from both the "Automatic IP ban administration" and "Security exceptions log" pages.

You can then email your user and tell them to retry. They should have no problem any more.

FYI: The exact inner workings of this seemingly magical fix are described in detail in our documentation. Search for "Allow site templates" in the Configuration section of Web Application Firewall.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user60557
Hey Nich,

Hope the year is going okay for you and yours.

As for my problem, all he is doing is accessing the site, nothing else. As for your suggestion, I already have the "Allow Site Templates" set to Yes. Honest!

I just did some further testing with my friend. After the first trouble when I got some 300+ errors with his IP address we finally got him to the site successfully and he bookmarked the page. So, just now I sent him the e-mail that made its way to hundreds of people. You can view the e-mail here and it is the last link. From his bookmark, no problem. From the e-mail link, problem.

When he, and only he, clicks into the link via the e-mail it causes my Security Exceptions trigger. The item linked to has been viewed now over 100 times with only him clicking into the link causing the trigger.

Really, really odd huh!

nicholas
Akeeba Staff
Manager
It would really help if he could paste the bookmarked URL and the URL he sees on his browser when visiting the one from the email. I am not sure if he has malware on his computer or if the URL in the email is broken (the text only version of the email did send me to an incorrect link as the clickable URL was cut off).

Nicholas K. Dionysopoulos

Lead Developer and Director


user60557
Yeah, I know the Rootsweb posting was truncated, with part of it being on the following line. Unfortunately I have no control over that.

When I sent that posting out I also sent him the same e-mail with a link. In other words just like a normal e-mail between two people. He was using that e-mail, and not the online community posting I showed you. Send me an e-mail and I will send that e-mail to you.

The error he gets is the standard 403 error when he clicks into the link in the e-mail. If he goes directly to it by typing the URL, no problem. And as I said, he is the only person, which made me wonder about a virus on his system. He runs Norton 360 just like I do and it reports nothing.

And Good Morning.

nicholas
Akeeba Staff
Manager
The only way to trigger the template= security exception is when the URL contains a &template=something URL parameter or when doing a POST request with a template parameter. Since he's just trying to click on a URL, he's not doing a POST. So something on his computer is adding that template=something in the URL. If the URL you gave him doesn't include it and there's no redirection involved we have the following possibilities:
  • Malware
  • A plugin (usually SEO / SEF stuff) screwing your URLs


You said you ruled out the first possibility.

The second possibility is immediately ruled out as it would affect everyone.

So lest we believe in supernatural phenomena we have to conclude that Norton 360, being the crap it is, has missed some malware. If you don't believe me: http://chart.av-comparatives.org/awards.php?year=2013 Norton 360 is tested as "Standard" (one star), whereas reputable antivirus software like ESET NOD32 and Kaspersky Antivirus are rated Advanced+ (exceeding the three star rating).

PS: Regarding the email, I'm not posting my email on a public ticket. Just send me a request through the Contact Us page (use the generic contact option) and I'll reply back to you with my email address. It's actually very easy to guess, you'll see :)

Nicholas K. Dionysopoulos

Lead Developer and Director


user60557
I'll do it via the Contact Us link. And yeah, I probably have your e-mail addy around here somewhere from a couple of years ago.

As for my friend I think 'tis something with Juno which is his IP company. I recall years ago, when I was a paid subscriber to AOL, that they used their own version of IE which on occasion caused heartaches. He logs into his e-mail via a browser window, and I suspect his server company is causing the problem.

I know he has problems receiving e-mails from me via a browser session. Yet if he uses the desktop version, accessing the same e-mail, he has no problem. And of course Juno, being the piece of crap it is, thinks they are God, or Allah, Almighty.

I just called my friend and we're doing some more testing. Hold your breath. . . D

nicholas
Akeeba Staff
Manager
Hello Wayne,

Thank you for the email!

The hot link sends me to http://ashland.brethrenarchives.com/ which does throw a 403. However, this URL is not the same as the one in the mailing list. The one in the mailing list is at the domain name http://books.brethrenarchives.com/ Did you notice the different subdomain?

For what it's worth, I get consistently blocked from ashland.brethrenarchives.com. I suspect you have GeoIP blocking enabled. BINGO! I just used a free US-based proxy server (proxybrowsing.net) and I can access the site.

Quite apparently your one user with a problem has an IP address which is mistakenly reported by MaxMind as not in the US of A. Remember all those tickets where I'm saying that GeoIP blocking is a terrible idea? That's why :)

Nicholas K. Dionysopoulos

Lead Developer and Director


user60557
Yeah GeoIP blocking might be a terrible idea, but it sure keeps hackers out of my stuff. There is no reason someone in Russia or China, and a multitude of other places that try to get in, need to be viewing my content.

That being said, and for that one person only, all my sites have Geo blocking in place. He can access all the other sites. And they are all the same countries being blocked. When I click on his IP in the Security Exceptions Log I get <162-231-17-1.lightspeed.clmboh.sbcglobal.net>. I wonder if it might be that his server is in some country I have blocked??? Even though it reports the United States.

The e-mail I forwarded has three "hot links" in the body. When I click on or hover over each one (web site, domain, Research blog) from within the e-mail they go to the correct web site or show the correct address. The same goes for the German Baptist Brethren Books signature link.

This one has me stumped and I'm almost willing to drop it and tell him to go pound sand. Even though he has been a friend and benefactor for years. He's not screaming about it. D

nicholas
Akeeba Staff
Manager
Just try disabling GeoIP and ask him to click the email link again. I told you exactly how I verified that GeoIP was kicking me out.

Nicholas K. Dionysopoulos

Lead Developer and Director


user60557
Hey Nich,

Let me ask this once again just so I can ease my mind. I want to block visits from countries I know for a fact have no interest in my content. So I use GeoIP blocking. This appears to be what you are inferring is causing the problem and on the surface I would agree.

However, I just went in and unchecked all the countries. That same person I have been referring to then clicked into the link. Guess what? AT is showing his IP as a "tmpl= in url" error; one every four seconds or so. But if he clicks his bookmarked page, the site opens just fine.

I would say that it is more important to me to prevent visits by countries I don't want in. Moving on...

I found my answer on your site here, and it resolved the issue. Apparently my friend's service provider, or his e-mail server, adds some mysterious code to the URL. Adding "unsupported" to the "List of allowed tmpl= keywords" resolved the issue. Now to set up GeoIP blocking again.

Thank you kindly for all your support. Now to scare up my next year's subscription fee. D

nicholas
Akeeba Staff
Manager
I was probably thrown off by the GeoIP error as it was the only reason I was getting blocked. But, yes, if there is a tmpl=unsupported then yes, they will get blocked. However, it's not added by their email client but by your template. Namely, this is what happens when they use a 13-year old evil beast that refuses to die the fiery death it deserves, even though its own maker wishes it to. Can you guess the name of the beast? It does contain the evil number 6. However, it's not that beast. It's Internet Explorer 6.

Nicholas K. Dionysopoulos

Lead Developer and Director


user60557
Yeah, I hear you and wish I had a bomb to blow that sucker up. Thing is though that he had the problem no matter the browser, FF or IE, and he is up to date.

The one I just ran into, and it is not Akeeba, is that if I use bit.ly to shorten a long URL, and then use that shortened URL, I get the dreaded "You're using IE7 you moron!" error. And I was using FF 26.

nicholas
Akeeba Staff
Manager
I am wondering why. Maybe the template uses some strange code to do the redirection to the URL with the "unsupported" tmpl parameter. In order to avoid this in the future you can add unsupported in the "List of allowed tmpl keywords" in the Configure WAF page.

Nicholas K. Dionysopoulos

Lead Developer and Director

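
To see which tmpl= value a blocked visitor is actually sending, which is what most of this thread went into establishing, the web server's access log can be checked against the allow-list. This is an added example, not part of the original thread and not Admin Tools code: the log lines, the documentation-range IP addresses and the allow-list contents are constructed, and an Apache combined-style log format is assumed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumed allow-list for illustration only; not Admin Tools' shipped defaults.
ALLOWED_TMPL = {"component", "system", "raw"}

# Constructed access-log lines (combined-style); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jan/2014:09:00:01 -0500] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5120
203.0.113.7 - - [13/Jan/2014:09:00:05 -0500] "GET /index.php?tmpl=unsupported HTTP/1.1" 403 312
203.0.113.7 - - [13/Jan/2014:09:00:09 -0500] "GET /index.php?tmpl=unsupported HTTP/1.1" 403 312
198.51.100.20 - - [13/Jan/2014:09:01:00 -0500] "GET /index.php?option=com_mailto&tmpl=component HTTP/1.1" 200 2048
198.51.100.20 - - [13/Jan/2014:09:01:30 -0500] "GET /index.php?tmpl=offline HTTP/1.1" 403 312
"""

# Client IP is the first field; the request target sits inside the quoted request line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')


def rejected_tmpl(log_text, allowed=ALLOWED_TMPL):
    """Count (client_ip, tmpl value) pairs whose tmpl= value is not on the allow-list."""
    hits = Counter()
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not in the assumed format
        ip, target = match.groups()
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in query.get("tmpl", []):
            if value not in allowed:
                hits[(ip, value)] += 1
    return hits


if __name__ == "__main__":
    print("Current allow-list:")
    for (ip, value), count in rejected_tmpl(SAMPLE_LOG).most_common():
        print(f"  {ip}  tmpl={value}  x{count}")
    print("After adding 'unsupported':")
    widened = ALLOWED_TMPL | {"unsupported"}
    for (ip, value), count in rejected_tmpl(SAMPLE_LOG, widened).most_common():
        print(f"  {ip}  tmpl={value}  x{count}")
```

Running it before and after widening the allow-list shows exactly which requests the change stops flagging and which remain outside it.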
