#26922 Admin Tools blocks MIGS

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by on Wednesday, 22 February 2017 17:17 CST

gggraphics
Hi Nicholas - I administer a site for a not-for-profit. On the site we have a donation component (Joom Donation) which handles credit card payments to our Australian bank by handing off to MIGS (Mastercard Internet Gateway System). This was working up until December 2016 - at that time Mastercard advised they were changing the encryption, which meant getting an updated plugin from the developer.
After some testing, we've discovered that the new plugin only works if Admin Tools is disabled. :( Otherwise, MIGS processes the card information, then returns an "Invalid Digital Order E5009-01191123" error.
After reading the WAF User Guide, and looking through other posts, I have:
- Turned OFF CSRF Shield
- Added JDonation Component to the WAF Exceptions
- Added .mastercard.com.au to the whitelisted domains
- Added 203.42.65.51 (https://migs.mastercard.com.au) to the Never Block IP list
- Re-ordered the plugins so System-SEF comes before Admin Tools

But it still doesn't work.
Can you suggest anything else I could try, or is there something dumb I shouldn't have done?
Cheers

Grant

nicholas
Akeeba Staff
Manager
First of all, do you get any security exceptions logged from when MIGS is trying to post back to your site? If you do, please tell me the Target URL and Reason listed there. Without this information I can't really offer any advice.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

gggraphics
Sorry Nicholas, I should have listed that it does not log a security exception. (I had looked at that previously.)
It IS logging the usual stuff - failed logins etc. I just tried another card payment which failed, and no exception was logged.

The site is http://www.disasteraidaustralia.org.au

nicholas
Akeeba Staff
Manager
If it's not logging a security exception we have to make sure that Admin Tools has something to do with it.

If you only disable the System - Admin Tools plugin does the problem go away? If it doesn't I need you to tell me again what the perceived problem is because what you just observed doesn't match your original description and I don't know if I'm helping you with the problem you have or something entirely different.

If it does, we have to check a few things. For starters, are you using GeoBlocking? If you do then of course MIGS would be blocked if their server is outside the geographic areas you have allowed. It's very likely for a card processing company to use regional data centres e.g. an Amsterdam or London data centre for the entire EMEA (Europe, Middle East, Asia) region. I suppose card processing companies do the same for the Australia and Pacific region.

If that is not the case check all your IP blocking settings: Site IP Blacklist, Auto IP Blocking Administration, Auto IP Blocking History. Depending on your settings and actions you may have ended up auto-blocking the IP of the server(s) used by MIGS or manually added said IP to the Site IP Blacklist. Removing all records with that IP from all three of the aforementioned locations would allow you to actually see the security exception being raised, report it back to me and let me help you from there. If you are not sure what the IP is, just turn off the "Disallow site access to IPs in Blacklist" option in the Configure WAF page to force Admin Tools to ignore the Site IP Blacklist. Moreover, delete all records from the Auto IP Blocking Administration and Auto IP Blocking History pages. This will let you see the security exception being raised.

If despite that there is no security exception please do check your "Do not log these reasons" setting. Only something in that list could raise but not log a security exception.

Nicholas K. Dionysopoulos

gggraphics
Hi Nicholas - I believe it was System-Admin Tools plugin I disabled. When I did that, the payment gateway functioned correctly (and I have a test credit card transaction to prove it....)

However, I've attempted to replicate that behaviour today to try some of your suggestions, and the gateway isn't working even with AdminTools disabled. I've cloned the entire site, moved it to another server and uninstalled AdminTools and removed htaccess files... still doesn't work.

Under the circumstances, there's not much you can do until I can get it working in some sort of controlled fashion.

nicholas
Akeeba Staff
Manager
Are you also using the .htaccess Maker feature? If you do, please do try replacing the contents of your .htaccess file with those from Joomla's stock .htaccess code. If that makes the problem go away I'd recommend checking with the payments gateway what is the user agent string they are using when they are contacting your site (post-back). Then make sure that you remove that user agent from the list of user agent strings to block towards the top of the .htaccess Maker interface before using it again to create a security-enhanced .htaccess file.

Nicholas K. Dionysopoulos
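
The user-agent check suggested in the reply above, as an added example that is not part of the ticket or of Admin Tools: it scans an .htaccess file for User-Agent tests written as `RewriteCond %{HTTP_USER_AGENT}` or `SetEnvIf User-Agent` and reports which ones a given string trips. The sample rules and user-agent strings are constructed, the exact directives the .htaccess Maker writes are an assumption, and Python's `re` stands in for Apache's PCRE.

```python
import re

# Constructed sample rules; the file your .htaccess Maker produced may differ.
SAMPLE_HTACCESS = r'''RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "libwww-perl" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Java/ [NC]
RewriteRule .* - [F]
SetEnvIfNoCase User-Agent "Indy Library" stayout=1
SetEnvIf User-Agent "^$" stayout=1
'''

REWRITE = re.compile(
    r'^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}\s+(!?"[^"]*"|\S+)(?:\s+\[([^\]]*)\])?', re.I)
SETENV = re.compile(r'^\s*(SetEnvIf(?:NoCase)?)\s+User-Agent\s+("[^"]*"|\S+)', re.I)


def ua_rules(text):
    """Yield (line_no, pattern, ignore_case, negated) for each User-Agent test."""
    for no, line in enumerate(text.splitlines(), 1):
        m = REWRITE.match(line)
        if m:
            raw = m.group(1)
            flags = [f.strip().upper() for f in (m.group(2) or "").split(",")]
            nocase = "NC" in flags or "NOCASE" in flags
        else:
            m = SETENV.match(line)
            if not m:
                continue
            raw = m.group(2)
            nocase = m.group(1).lower() == "setenvifnocase"
        negated = raw.startswith("!")  # a leading ! inverts a RewriteCond pattern
        yield no, raw.lstrip("!").strip('"'), nocase, negated


def matching_rules(htaccess_text, user_agent):
    """Return (line_no, pattern, status) for every rule the user agent trips."""
    hits = []
    for no, pat, nocase, negated in ua_rules(htaccess_text):
        try:
            found = re.search(pat, user_agent, re.I if nocase else 0) is not None
        except re.error:
            hits.append((no, pat, "check by hand"))  # PCRE syntax Python rejects
            continue
        if found != negated:
            hits.append((no, pat, "match"))
    return hits


if __name__ == "__main__":
    for ua in ("ExampleGateway-Postback/1.0", "Java/1.8.0_121", ""):  # constructed
        print(repr(ua), matching_rules(SAMPLE_HTACCESS, ua))
```

An empty result means none of the User-Agent rules in the file would reject that string; any hit gives the line to remove or relax before regenerating the file.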

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
