Support

Admin Tools

#21724 jsmallfib triggers block

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Sunday, 18 January 2015 17:20 CST

Wednesday, 17 December 2014 18:06 CST

trogladyte
 Hi Nicholas

I have a client needing to be able to upload new versions of his software from time to time (he's a payroll company). I have set up JSmallfb - http://www.smallerik.com/index.php/joomla-extensions/jsmallfibpro - to facilitate this.

The problem: I installed and configured JSmallfb, added a menu item and iploaded a couple of files. Immedaitely Admin Tools locked me out and, looking in the backend, I'd been blacklisted for a DFI Shield attack. Now this is great that AT is doing its job, but how can I work around this, so my client can upload his files?

Thanks.

Thursday, 18 December 2014 01:33 CST

nicholas
I assume this extension installs a component. I also assume that the Target URL you see always has the same option and view. This means you can add a WAF Exception for this component and your problem will be solved.

Please note that it is generally an EXTREMELY BAD IDEA™ allowing file uploads in the front-end by a solution which throws DFIShield exceptions. It means that this solution communicates the internal, absolute server path of the uploaded file to the browser. This is called information leak and it's considered a security issue (albeit on the lowest of the three severity levels). By adding a WAF Exception you will give it free reign to do whatever it wants without being subject to Admin Tools checks. Be warned that if this solution contains other security vulnerabilities your site will be hacked and Admin Tools will not prevent it because you'll have told it not to.

IMHO, you don't need this component at all. You just need to teach your users how to use the media manager in the back-end of their site. You may have to adjust the Options of the media manager to allow EXE and MSI uploads (I suppose that's their software delivery format) and maybe change the maximum post and upload sizes in the server's php.ini.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 18 December 2014 14:18 CST

trogladyte
Yes, that's a good point about the security hole. I think I can teach this client to do that OK - he's a programmer himself (but a lousy web designer!!) so it shouldn't be an issue.

I suspect a component like JEFUM (assuming they update it to J v3) would suffer the same problem as JSmallfib with its triggering of Admin Tools? I like that one the best as it's done from a desktop GUI rather than directly on the site so it's a little more user-friendly.

So is it safe to say that pretty much any file uploader other than Joomla's native one is going to trigger DFI Shield?

Appreciate the reply Nicholas.

Thursday, 18 December 2014 17:20 CST

nicholas
Any uploader in the front-end of the site will trigger the DFIShield protection if it's written in an insecure manner. Considering that all the third party uploaders I've seen use the same libraries for staggered uploads I am pretty sure they will trigger it. If you are using an uploader in the back-end of the site the DFIShield won't be triggered.

All that said, I am against using an uploader altogether. No matter how well you code it you still have user-facing code modifying files on your server. That's a security incident waiting to happen. What's wrong with using SFTP?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 18 December 2014 18:33 CST

trogladyte
I agree with you Nicholas. I've just been too lazy to learn the ACL setup in Joomla (bad boy yes I know!). After this to and fro I delved into it and found it was really quite easy to set up and that's what I've done.

Yes, I could have used SFTP too.

Friday, 19 December 2014 02:01 CST

nicholas
SFTP is the much better way to handle uploads. Especially when you give each user their own certificate or their own username/password pair.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Sunday, 18 January 2015 17:20 CST

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
Edited by on 2015-01-18 17:20 CST

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!