Support

Admin Tools

#24012 New features / feature removal in 3.6.8

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by appnweb on Wednesday, 23 December 2015 14:03 CST

Tuesday, 22 December 2015 15:30 CST

appnweb
Hello,

Just updated our websites to J3.4.7 and admintools 3.6.8 and while reviewing admintools waf configuration I have seen that the new functions due to joomla recent vulnerability were implemented but that the cross scripting block had desapeared.

Does that mean it is now included in another function or it is no longer provided ?

Thanks in advance for your answer.

Helene Kobel - App 'n' Web

Wednesday, 23 December 2015 01:22 CST

nicholas
It is no longer provided. We have said long ago (2 years) that it was VERY problematic, throwing a very high rate of false positives on most sites. Since the amount of hacked sites due to XSS is very low, the false positives were effectively preventing you to use this feature and that since Joomla! 1.7 XSS is dealt with FAR more efficiently at the Joomla! application level (the JInput class) we decided to remove a useless feature that we recommended our clients not to use anyway.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 23 December 2015 11:51 CST

appnweb
Thanks for the information Nicholas.

I may be unlucky but I enabled it a few weeks ago on most of our websites because we had a case that seemed to be sort of cross scripting on one of our customer website.

If interesting for you I did not encounter any problem on J3.4.5 / j3.4.6 while enabled even on websites with lots of third-party extensions.

The problems I had with the cross scripting block one or two year ago was essentially fonts missing because of the duality between the www url and the non www one. I resolved them by redirecting non www to www and adding the www in the htaccess domain.

Never had any problem with this feature since then even on website on which I kept it enabled all the way until your last update :-)

Merry Christmas

Helene Kobel - App 'n' Web

Wednesday, 23 December 2015 13:39 CST

nicholas
To be honest, I'm surprised it didn't cause any trouble. Anything that contains special characters other than a comma or a dash has a tendency to trigger XSSShield. Lucky you :)

If you do have a successful XSS attack against a site you should identify the software allowing the XSS attack to go through and update it or, if no update is available, contact its developer. XSS attacks are best handled by filtering input data.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 23 December 2015 14:03 CST

appnweb
Thanks for the advice. In the case we had, it seems it came from an old site stored by the customer in a subfolder so we just removed it.

As for your cross scripting block, I swear it's the truth, not a single issue using it on about twenty very different websites !

Anyway I am still a big fan of admintools and if you decided to remove this you're probably right. By the way thanks a lot for the new protections you implemented :-)

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!