Support

Admin Tools

#24325 Minor documentation update for Configure WAF Security Exception Message

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by mikeprince on Monday, 01 February 2016 07:53 CST

mikeprince
Under Configure WAF -> Show errors using a customisable HTML template the tooltip says "The default HTML template file is located in the components/com_admintools/views/blocks/tmpl/default.php file." whereas it is actually in components/com_admintools/views/wafexceptions/tmpl/default.php.

nicholas
Akeeba Staff
Manager
Um, no, not at all. Unfortunately you're wrong and you're about to introduce a security hole to your site by not following our instructions and following an arbitrary course of action.

The file we tell you in our tooltip to look for is <SITE ROOT>/components/com_admintools/views/blocks/tmpl/default.php. This is the file you need to override.

The file you mention in your ticket is actually located in <SITE ROOT>/administrator/components/com_admintools/views/wafexceptions/tmpl/default.php, it is NOT in the front-end of the component, it is NOT even in the path you are claiming it is and it has absolutely nothing to do whatsoever with the message shown in the front-end. DO NOT USE THAT FILE AS THE FRONT-END BLOCK MESSAGE TEMPLATE. Doing so can introduce an information leak (security hole!) to your site.

Furthermore, just opening these two files makes it obvious which one is the file you need to override. Opening <SITE ROOT>/administrator/components/com_admintools/views/wafexceptions/tmpl/default.php gives you a sea of PHP and Javascript code. Exhibit A: https://www.dropbox.com/s/lg36wly34g7q7et/Screenshot%202016-02-01%2012.06.16.png?dl=0 Apparently it doesn't look like a block message, not to mention there's a form in it!

If you do open the file we told you to open, <SITE ROOT>/components/com_admintools/views/blocks/tmpl/default.php, you will see that it's a simple HTML template. Exhibit B: https://www.dropbox.com/s/1vqx5f7iamjkp3a/Screenshot%202016-02-01%2012.06.31.png?dl=0

So I am more 100% sure that our tooltip is correct :) Be very careful which file you override. Also note that components/com_admintools (public front-end of the Admin Tools component) and administrator/components/com_admintools (administrator back-end of the Admin Tools component) are two entirely different folders. We will never type components/com_admintools when we mean administrator/components/com_admintools or vice versa. Mixing front-end and back-end application code can introduce security issues unless extreme care is taken, hence we never ask you to do that yourself.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

mikeprince
Oops, my apologies, although I thought I'd double-checked I was looking in /administrator. Haven't actually overridden it though, so no concerns there :-) Sorry for the confusion.

nicholas
Akeeba Staff
Manager
No problem :) I just wanted to prevent you from doing something unsafe on your site.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

mikeprince
Sorry I made you spend so long writing a detailed explanation. :-)

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!