
#24139 ATOOLS_LBL_REASON_XSSSHIELD

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information
Joomla! version: n/a
PHP version: n/a
Admin Tools version: n/a

Latest post by on Thursday, 11 February 2016 17:20 CST

austinseven
All other hack attempts made to the site have been resisted/repulsed by the Admin Tools firewall, but 2 days ago I found this as an exception description: ATOOLS_LBL_REASON_XSSSHIELD. I cannot find out what it means, or, if there is a security hole, where that hole is, to enable me to fix it. So in the first instance I just need to understand the message better, and secondly, whether there's a hole that needs fixing.

dlb
It looks like an untranslated string for a Cross Site Scripting exception. That code was removed from Admin Tools in version 3.6.7. Is this an old record? The XSS code was removed because it gave far too many false positives, and the Joomla! code has improved to the point where it wasn't necessary any more; there were other, better defenses.

Anything you see in the Security Exceptions Log has been stopped by Admin Tools. No further action is required for those attacks.


Dale L. Brackin
Support Specialist


English: native


Please keep in mind my timezone and cultural differences when reading my replies. Thank you!


My time zone is EST (UTC -5), Philadelphia, PA.

austinseven
No, not an old record; it popped up last week for the first time, hence the question. Thanks for the answer, very good support.

I have a second, related question. An Acunetix scan of the SQL Db suggests there are 2 HTML forms without CSRF protection, although the free Acunetix scan does not say which forms. How does this happen if I have Admin Tools Pro running with that protection enabled? And, more to the point, how do I fix this?

Bill

dlb
About your original question regarding the language string, it seems the XSS Shield code was not completely removed in version 3.5.7. Please manually remove the file "plugins/system/admintools/feature/xssshield.php" and that will get rid of it.

Regarding your second question, you can enable the CSRF feature and set it to "Advanced"; however, you should double check that everything is working, since we're going to inject a new hidden field in every form and this technique does not work with all extensions.

The Advanced setting of CSRFShield is not foolproof. Core Joomla! forms and most third party extensions won't mind, but if an extension does a POST and doesn't filter the input correctly it will break. Virtuemart, for example, is an extension that is known to break with CSRFShield set to Advanced.


Dale L. Brackin
Support Specialist

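The two points in Bill's question and Dale's answer above (a scanner reporting POST forms that carry no anti-CSRF token, and an "inject a hidden field into every form" shield that can break an extension which rejects fields it did not define) can be illustrated together in a few lines of PHP. This is an added example written for this page, not Admin Tools' or Joomla!'s own code; the field name `__csrf_demo`, the `$session` array standing in for the real session, and the sample page are all assumptions made for the demonstration.

```php
<?php
// Added illustration only. Not Admin Tools' or Joomla!'s code; the field name,
// the $session array and the sample HTML are assumptions for the demo.
declare(strict_types=1);

const CSRF_FIELD = '__csrf_demo'; // assumed name of the injected hidden field

/** Create (once per session) a random token and keep it server-side. */
function csrf_token(array &$session): string
{
    if (!isset($session[CSRF_FIELD])) {
        $session[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_FIELD];
}

/** True if the form's opening tag declares method="post". */
function is_post_form(string $form): bool
{
    return preg_match('#<form\b[^>]*>#i', $form, $open) === 1
        && preg_match('/\bmethod\s*=\s*["\']?post\b/i', $open[0]) === 1;
}

/** True if the form already contains a field named $field. */
function has_field(string $form, string $field): bool
{
    return preg_match('/name\s*=\s*["\']' . preg_quote($field, '/') . '["\']/i', $form) === 1;
}

/**
 * Scanner-style check: opening tags of POST forms that carry no token field.
 * This is the kind of finding reported as "form without CSRF protection".
 */
function forms_without_token(string $html, string $field): array
{
    $missing = [];
    preg_match_all('#<form\b[^>]*>.*?</form>#is', $html, $m);
    foreach ($m[0] as $form) {
        if (is_post_form($form) && !has_field($form, $field)) {
            $missing[] = substr($form, 0, strpos($form, '>') + 1);
        }
    }
    return $missing;
}

/** "Advanced"-style shield: add a hidden token field to every unprotected POST form. */
function inject_token(string $html, string $token, string $field): string
{
    $hidden = sprintf('<input type="hidden" name="%s" value="%s">',
        htmlspecialchars($field, ENT_QUOTES), htmlspecialchars($token, ENT_QUOTES));
    return preg_replace_callback('#<form\b[^>]*>.*?</form>#is', function ($m) use ($hidden, $field) {
        $form = $m[0];
        if (!is_post_form($form) || has_field($form, $field)) {
            return $form; // GET forms and already-protected forms are left alone
        }
        return preg_replace('#<form\b[^>]*>#i', '$0' . $hidden, $form, 1);
    }, $html);
}

/** Validate a POST: constant-time comparison against the session copy. */
function csrf_valid(array $post, array $session, string $field): bool
{
    return isset($post[$field], $session[$field])
        && is_string($post[$field])
        && hash_equals($session[$field], $post[$field]);
}

// Constructed sample page: one protected POST form, one unprotected POST form,
// one GET search form that does not change state.
$page = <<<HTML
<form method="post" action="/login"><input type="hidden" name="__csrf_demo" value="x"><input name="user"></form>
<form method="post" action="/contact"><input name="msg"></form>
<form method="get" action="/search"><input name="q"></form>
HTML;

$session = [];
$token   = csrf_token($session);

$found = forms_without_token($page, CSRF_FIELD);
printf("Before: %d POST form(s) lack the token: %s\n", count($found), implode(' | ', $found));

$shielded = inject_token($page, $token, CSRF_FIELD);
printf("After injection: %d POST form(s) lack the token\n", count(forms_without_token($shielded, CSRF_FIELD)));

// A genuine submission carries the token; a cross-site forgery cannot read it.
var_dump(csrf_valid([CSRF_FIELD => $token, 'msg' => 'hi'], $session, CSRF_FIELD));
var_dump(csrf_valid(['msg' => 'hi'], $session, CSRF_FIELD));

// Why "Advanced" can break an extension: a handler that rejects any POST key it
// did not define itself now sees the injected field and refuses the request.
$strictAllowlist = ['msg'];
$unexpected = array_diff(array_keys([CSRF_FIELD => $token, 'msg' => 'hi']), $strictAllowlist);
printf("Keys a strict extension would reject: %s\n", implode(',', $unexpected));
```

Run it with `php` on the command line; the three forms are constructed inline, so nothing is fetched. The last block is the failure mode Dale describes: the shield is correct, but an extension that treats any unknown POST key as an error (or strips it and then cannot find its own data) will break when the extra hidden field arrives, which is why the setting has to be verified per extension rather than assumed safe.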

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
