#23038 Slurp

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Tuesday, 28 July 2015 01:32 CDT

emeryjay
With Admin Tools, I block template in URL queries. I just got a security exception that Yahoo Slurp was blocked because it executed a template in URL command.

I checked the IP address and it is definitely Slurp: 68.180.229.110

Here is what the bot did: http://bytewriter.com/component/mailto/?tmpl=component&template=ja_fubix&link=1541a02d46b8840dfc3b1a32166f1d2696b71672

Why would Slurp use that query to index the site? Obviously it reveals that I am using a Joomla template.

It prompts some questions:

1. If I whitelist the IP or IP range so Slurp can index, will the template in URL setting still block it?

2. Should I go to the effort to obfuscate the template name, which would require quite a bit of work and recoding, I think?
Emery

nicholas
Akeeba Staff
Manager
You need to enable the "Allow site templates" option in the Configure WAF page. As written in the documentation:

Enabling this option partially overrides the previous option (the blocking of template=foo in the URL). If the template= URL query parameter specifies the name of a template which exists in your template directory, then it will be allowed without raising a security exception. This is required only on sites which are using more than one template at the same time. What we mean by that is that you can go to Joomla!'s back-end, go to Extensions, Templates and assign any of the installed templates to any number of menu items. When you do that, several core components –including com_mailto, powering the "send this page by email" icon in your articles– have to append template=yourDefaultTemplateName to the URL. This would cause your site to throw security exceptions whenever a legitimate visitor would, for example, try to send an article by email to a friend of his. By enabling this option you prevent this security exception from being raised.


The emphasis is mine. It describes exactly what is going on with your site as made clear by the component/mailto leading part of the URL's path.

Nicholas K. Dionysopoulos

Lead Developer and Director
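
The rule quoted from the documentation above, sketched as an added example for triaging logged security exceptions; it is not Admin Tools' own code. The function name, both option flags, the name pattern and the sample directory layout are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit, parse_qs

# Assumption: an installed template is a plain directory name under templates/.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")

def check_template_param(url, templates_dir, block_template=True,
                         allow_site_templates=False):
    """Return 'allow' or 'block' for one request URL (hypothetical helper)."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("template")
    if values is None or not block_template:
        return "allow"      # no template= in the query, or blocking is off
    if not allow_site_templates:
        return "block"      # any template= value raises an exception
    for name in values:
        # Reject anything that is not a bare name before touching the disk,
        # so a value such as "../administrator" can never match a directory.
        if not SAFE_NAME.fullmatch(name):
            return "block"
        if not (Path(templates_dir) / name).is_dir():
            return "block"  # names a template that is not installed
    return "allow"          # names a template that exists on this site

def make_sample_templates():
    """Constructed site layout: templates/ja_fubix plus a sibling directory."""
    root = Path(tempfile.mkdtemp())
    (root / "templates" / "ja_fubix").mkdir(parents=True)
    (root / "administrator").mkdir()
    return root / "templates"

if __name__ == "__main__":
    tdir = make_sample_templates()
    samples = [  # first URL is the one from the ticket, the rest are constructed
        "http://bytewriter.com/component/mailto/?tmpl=component"
        "&template=ja_fubix&link=1541a02d46b8840dfc3b1a32166f1d2696b71672",
        "http://example.test/index.php?template=not_installed",
        "http://example.test/index.php?template=../administrator",
    ]
    for url in samples:
        off = check_template_param(url, tdir)
        on = check_template_param(url, tdir, allow_site_templates=True)
        print(f"option off: {off:5}  option on: {on:5}  {url}")
```

With the option off, the com_mailto URL from the ticket is blocked like any other `template=` request; with it on, only the request naming the installed template passes.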
