#21285 Cross Site Scripting Block - Virtuemart

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post on Saturday, 22 November 2014 17:20 CST

itbsltd
Hi,

I have a 2.5.27 site running Virtuemart and since updating Admin Tools along with Joomla recently it has caused issues with adding items to the cart... Obviously over the past month we have had multiple Joomla and Akeeba updates along with the VM patch for the user.php file, but in the latest version of Admin Tools there is a bug...

Everything was fine until today when I updated to 3.3.1 of Admin Tools.

I found the add to cart button stopped working, then I was finally blocked from accessing the site.

I decided to try version 3.3.0; anyway, to cut a long story short, what I figured out was:

If the Cross Site Scripting block (XSSShield) is switched on in the newer versions of Admin Tools then the add to cart button stops working. The only way it will work with it switched on is if you add your IP address to the Never Block these IPs section of the firewall and in the whitelist.

Obviously no good for everyday customers, so the new code for this part of Admin Tools' Cross Site Scripting block (XSSShield) has an error, in that the VM cart stops working. Are you aware of this and is there a fix?

At present, for the site to work, I have left this option switched off.

Matt

tampe125
Akeeba Staff
Hello Matthew,

Can you please post here the log entry showing the blocked URL?
As documented in the manual, you can create a WAF exception for a specific component/view/parameter.

Davide Tampellini

Developer and Support Staff

🇮🇹Italian: native 🇬🇧English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

itbsltd
Hi,

Many thanks for the info, and yes, that fixed the issue. However, I am unable to work out what I need to add into the View and Parameter parts for this to work...

As mentioned, I am using Virtuemart and I have the Cart Popup modal on, which pops up when you click the add to cart button.

If this is switched off then there is no problem; the issue is that this pop-up does not have a View and I think it is blocking a certain JavaScript file.

This cart pop-up uses Fancybox, which is located in /com_virtuemart/assets/js

It is not in /com_virtuemart/view/

Therefore, how do I create an exemption for this type of file without unblocking the whole of Virtuemart?

Thanks

nicholas
Akeeba Staff
Manager
The location of the JavaScript files is completely irrelevant to creating a WAF exception. The WAF exception makes a specific component, view or task (or combination thereof) exempt from the security filters of Admin Tools. This is something done on the PHP side of things. Security is NEVER implemented in JavaScript, which is executed at the browser (and can be modified trivially).

First go to Admin Tools, Web Application Firewall, Configure WAF. Make sure "Log security exceptions" is set to Yes; if it's not, set it to Yes and click on Save. Now try reproducing your issue. Immediately after that, please go to Admin Tools, Web Application Firewall, Security Exceptions Log. The latest log entry at the top should have the date and time of when the issue occurred.

Take a look at the Target URL of the log entry. It has the query parameters option, view, task, e.g. http://www.example.com/index.php?option=com_foo&view=bar&task=baz&something=else&whatever=another. The mapping of the query parameters to WAF Exceptions is:
Component: the value of "option". In our example, com_foo
View: the value of "view". In our example, bar
Task: the value of "task". In our example, baz
Leave the other field blank.

IMPORTANT: In order to create a new WAF Exception you need to click on the New button. The fields appearing on the WAF Exceptions page are filters. Entering something in there will NOT create a filter.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
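The mapping described in the reply above, as an added example that is not part of the original thread or of Admin Tools' own code: it takes a Security Exceptions Log Target URL, derives the Component/View/Task fields, and checks a request against a list of exceptions. It assumes, as the reply implies with "leave the other field blank", that a blank exception field matches any value; the log URLs and exception entries below are constructed for illustration.

```python
from urllib.parse import parse_qs, urlparse

FIELDS = ("component", "view", "task")
# Query parameter behind each WAF Exception field, per the reply above.
PARAM_FOR = {"component": "option", "view": "view", "task": "task"}


def parse_target_url(url: str) -> dict:
    """Map a logged Target URL to the three WAF Exception fields (missing -> "")."""
    qs = parse_qs(urlparse(url).query)
    return {field: qs.get(PARAM_FOR[field], [""])[0] for field in FIELDS}


def exception_matches(exception: dict, request: dict) -> bool:
    """Assumption: a blank exception field is a wildcard; a filled one must match exactly."""
    return all(not exception.get(f) or exception[f] == request[f] for f in FIELDS)


def is_exempt(url: str, exceptions: list) -> bool:
    """True if any configured exception covers the request in this Target URL."""
    request = parse_target_url(url)
    return any(exception_matches(e, request) for e in exceptions)


# Constructed sample entries, using the reply's com_foo/bar/baz example.
BLOCKED_URL = "http://www.example.com/index.php?option=com_foo&view=bar&task=baz&something=else"
OTHER_VIEW_URL = "http://www.example.com/index.php?option=com_foo&view=other&task=baz"

# Narrow exception: only the logged view is exempted, the rest of com_foo stays filtered.
NARROW = [{"component": "com_foo", "view": "bar", "task": ""}]
# Broad exception: component only, which exempts every view and task of com_foo.
BROAD = [{"component": "com_foo", "view": "", "task": ""}]

if __name__ == "__main__":
    print(parse_target_url(BLOCKED_URL))          # {'component': 'com_foo', 'view': 'bar', 'task': 'baz'}
    print(is_exempt(BLOCKED_URL, NARROW))         # True
    print(is_exempt(OTHER_VIEW_URL, NARROW))      # False
    print(is_exempt(OTHER_VIEW_URL, BROAD))       # True
```

Copying the exact view and task from the log entry into the exception keeps the exemption as narrow as possible, which is the answer to the "without unblocking the whole of Virtuemart" question.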

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
