#26923 Bug in htaccess maker with env variable

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by on Sunday, 19 February 2017 17:17 CST

activha
 Hello

Reverting to this ticket #20556 – hikashop and deny from env=stayout rule problem, it definitely seems that you have a problem setting the env variable with the mod_authz_core

We had to disable completely user agent checking in order to be able to use ogone server to server confirmation with our website.

Seems like the rules are not correct when using :
<IfModule mod_authz_core.c>
<RequireAll>
Require all granted
Require not env stayout
</RequireAll>
</IfModule>

It basically blocks all correct requests from user agents not listed in the list.

Could you please check this so that we could reuse user agent blocking but make that this only blocks the listed user agents and not other ones?

Looks like the Require env authorizes only listed variable but that Require not env does not work according to this page https://httpd.apache.org/docs/2.4/en/mod/mod_authz_core.html

So can you set it the other way ?

thanks
Jean

nicholas
Akeeba Staff
Manager
The very fact that you have filed this ticket on our site means that the bug you are describing does not exist. We are of course using the .htaccess Maker on our site. I actually wrote that feature for the sites I manage. Moreover there are a few thousands of people already using it.

That said, .htaccess files do not operate in a vacuum. They are merged with all other inherited configuration settings. The part of the .htaccess you mentioned above tells Apache that authorization is granted when all of the following conditions are true:
  • Require all granted which, per the page you linked to "mimics the functionality that was previously provided by the 'Allow from all' ... directives". In other words this is always true. This line exists because as the documentation puts it "If none of the directives contained within the <RequireAll> directive fails, and at least one succeeds, then the <RequireAll> directive succeeds. If none succeed and none fail, then it returns a neutral result. In all other cases, it fails". That is to say, if the not env stayout rule was the only rule then when an allowed user agent was met the result would be neutral. In the absence of a passing (true) rule the effective result would be blocked: when Apache doesn't have an explicit allow it will deny access.
  • Require not env stayout, i.e. the environment variable "stayout" has NOT been set.


So I can think of two issues here.

1. Something else is setting the stayout environment variable. In this case the second rule is always false, i.e. everything is blocked always until you remove that rule.

2. Your Apache configuration has a different, more specific, access rule which overrides the explicit allow of the first rule.

In either case this is not a bug in the .htaccess Maker but a configuration conflict in your server. Since Apache does not provide a PHP interface for reading its documentation (for very obvious security reasons) we can only offer a generic .htaccess Maker with rule sets which work in 99% of servers. Unfortunately the 1% can't be catered for. Actually, these few cases need a human to go through the configuration and check what is going on. It's not the kind of case where automation would work.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
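
The evaluation rules described in the reply above, as an added example that is not part of the original ticket and is neither Apache nor Admin Tools code. It models the three possible results (granted, denied, neutral) for the two Require lines quoted in the ticket; the function and variable names are illustrative.

```python
# Added illustration (not Apache or Admin Tools code): a model of how the
# <RequireAll> block quoted in this ticket combines its two Require lines.
from enum import Enum

class Authz(Enum):
    GRANTED = "granted"
    DENIED = "denied"
    NEUTRAL = "neutral"

def require_all_granted(env):
    return Authz.GRANTED

def require_env(name):
    # "Require env NAME" succeeds only when the variable is set.
    return lambda env: Authz.GRANTED if name in env else Authz.DENIED

def negate(directive):
    # A negated Require can only fail or stay neutral; it never grants.
    def check(env):
        return Authz.DENIED if directive(env) is Authz.GRANTED else Authz.NEUTRAL
    return check

def require_all(*directives):
    # Fails if any child fails; succeeds if none fail and at least one
    # succeeds; neutral if none succeed and none fail.
    def check(env):
        results = [d(env) for d in directives]
        if Authz.DENIED in results:
            return Authz.DENIED
        return Authz.GRANTED if Authz.GRANTED in results else Authz.NEUTRAL
    return check

def is_allowed(result):
    # Without an explicit allow, the effective result is a block.
    return result is Authz.GRANTED

generated = require_all(require_all_granted, negate(require_env("stayout")))
negated_only = require_all(negate(require_env("stayout")))

if __name__ == "__main__":
    for label, rule, env in [("generated, stayout unset", generated, {}),
                             ("generated, stayout set", generated, {"stayout": "1"}),
                             ("negated only, stayout unset", negated_only, {})]:
        print(label, "->", rule(env).value, "allowed:", is_allowed(rule(env)))
```
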

activha
Thanks a lot for your answer.
That was not an attack for your products that I recognize as amongst the best in the Joomla environment ;-)
That was only a report for a specific config with ingenico/ogone that we have been tracing for weeks.

1. Something else is setting the stayout environment variable. In this case the second rule is always false, i.e. everything is blocked always until you remove that rule.


I don't think that this is the case as when removing the user agent control, the variable is not set and everything is working fine

Your Apache configuration has a different, more specific, access rule which overrides the explicit allow of the first rule.


Again we have a very simple access rule for our server and virtual host which is :
<Directory "/var/www/html">
Options All
AllowOverride All
Require all granted
</Directory>

So when using the user agent blocking, it seems like this env rule is changing the rules :-)

Do you use ingenico Ogone or do you have this gateway somewhere ?

nicholas
Akeeba Staff
Manager
To the best of my knowledge this gateway is not used anywhere in our infrastructure.

In any case, I have never seen that issue anywhere else. If you've been following my blog you know that I have set up my own servers on Windows and macOS. My Linux setup is not very different. You can actually use the Vagrant box I've made for our company's needs. I've also tried the .htaccess Maker on alternate setups using MAMP (macOS, Windows) and a fairly out of date XAMPP (Windows).

I even double checked my Apache config, I have the typical deny from all on "/" and the same simple access rule for my default Apache root as you. That's the typical Apache setup.

I can't imagine what else you may have, but I recommend checking all the access rules in your Apache (main and vhost) configuration, as well as .htaccess files in all folders from the filesystem root (/) up to the folder of your site. Remember that .htaccess follows a hierarchical filesystem scan. Even .htaccess files outside the site's root will be parsed (unless you use a chroot jail for PHP, in which case things get so hairy and so fast I won't even touch your server with a ten foot pole).

Nicholas K. Dionysopoulos

Lead Developer and Director


activha
Hello Nicholas

I am glad to tell you that Beat from Joomlapolis helped us find the culprit of this whole story.

While we searched for Apache 2.4 changes he tested the user agents protected and it turns out that, in fact, Ogone/Ingenico sends Post Sale URL with "Indy Library" in the header which is nowhere documented in their technical data or support.

This is an important point that I sent back to them but it can be important to keep this documented if others use Ogone/Ingenico payment gateway on their websites (for instance Community Builder CBsubs, Hikashop or Virtuemart use this gateway)

In any way this has nothing to do with Admin Tools software which does a great job protecting our websites.

BTW do you have a suggested list of user agents to stop for protection?

Thanks for all
Best regards
Jean

nicholas
Akeeba Staff
Manager
Hello Jean,

Well, that's quite the opposite of what you have asked me to help you with :) The feature in .htaccess worked precisely as expected. Bad agents are blocked just fine. Your problem is that you had an agent in the list which was used by your payments processor.

FYI the "Indy Library" user agent is used by the Indy networking library for Delphi. It was extensively used by hackers, mostly in former-USSR countries, to write bots which would scrape and/or attack sites. It was also used by a few legitimate companies. It's been years since I last saw it in a legitimate use. Most, if not all, companies had already migrated their server code to either Java or, more usually, .NET instead.

In any case, the recommended list of user agents to block is the one you get when installing Admin Tools. At the time of this writing it is as follows:
WebBandit
webbandit
Acunetix
binlar
BlackWidow
Bolt 0
Bot mailto:[email protected]
BOT for JCE
casper
checkprivacy
ChinaClaw
clshttp
cmsworldmap
comodo
Custo
Default Browser 0
diavol
DIIbot
DISCo
dotbot
Download Demon
eCatch
EirGrabber
EmailCollector
EmailSiphon
EmailWolf
Express WebPictures
extract
ExtractorPro
EyeNetIE
feedfinder
FHscan
FlashGet
flicky
GetRight
GetWeb!
Go-Ahead-Got-It
Go!Zilla
grab
GrabNet
Grafula
harvest
HMView
ia_archiver
Image Stripper
Image Sucker
InterGET
Internet Ninja
InternetSeer.com
jakarta
Java
JetCar
JOC Web Spider
kmccrew
larbin
LeechFTP
libwww
Mass Downloader
Maxthon$
microsoft.url
MIDown tool
miner
Mister PiX
NEWT
MSFrontPage
Navroad
NearSite
Net Vampire
NetAnts
NetSpider
NetZIP
nutch
Octopus
Offline Explorer
Offline Navigator
PageGrabber
Papa Foto
pavuk
pcBrowser
PeoplePal
planetwork
psbot
purebot
pycurl
RealDownload
ReGet
Rippers 0
SeaMonkey$
sitecheck.internetseer.com
SiteSnagger
skygrid
SmartDownload
sucker
SuperBot
SuperHTTP
Surfbot
tAkeOut
Teleport Pro
Toata dragostea mea pentru diavola
turnit
vikspider
VoidEYE
Web Image Collector
Web Sucker
WebAuto
WebCopier
WebFetch
WebGo IS
WebLeacher
WebReaper
WebSauger
Website eXtractor
Website Quester
WebStripper
WebWhacker
WebZIP
Wget
Widow
WWW-Mechanize
WWWOFFLE
Xaldon WebSpider
Yandex
Zeus
zmeu
CazoodleBot
discobot
ecxi
GT::WWW
heritrix
HTTP::Lite
HTTrack
ia_archiver
id-search
id-search.org
IDBot
Indy Library
IRLbot
ISC Systems iRc Search 2.1
LinksManager.com_bot
linkwalker
lwp-trivial
MFC_Tear_Sample
Microsoft URL Control
Missigua Locator
panscient.com
PECL::HTTP
PHPCrawl
PleaseCrawl
SBIder
Snoopy
Steeler
URI::Fetch
urllib
Web Sucker
webalta
WebCollage
Wells Search II
WEP Search
zermelo
ZyBorg
Indy Library
libwww-perl
Go!Zilla
TurnitinBot


Note that in this list you'll see Indy Library which, as we established, you need to remove. You'll also see Wget. If you are using Wget for legitimate tasks, like scheduling backups, make sure to remove it too. You get the idea.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
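
One way to find which block-list entry is rejecting a legitimate integration, as happened here with the payment gateway's callbacks: tally the 403 responses in the Apache access log by the blocked user-agent string they contain. This is an added example, not Admin Tools code; the log lines, IP addresses and the /payment/callback path are constructed, and case-insensitive substring matching is an assumption about how the list is applied.

```python
import re
from collections import Counter

# A few entries taken from the block list quoted in this thread.
BLOCKED_AGENTS = ["Indy Library", "Wget", "libwww", "HTTrack"]

# Apache "combined" log format: ... "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = """\
203.0.113.10 - - [19/Feb/2017:10:01:02 +0000] "POST /payment/callback HTTP/1.1" 403 199 "-" "Mozilla/3.0 (compatible; Indy Library)"
198.51.100.7 - - [19/Feb/2017:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; rv:51.0) Gecko/20100101 Firefox/51.0"
203.0.113.10 - - [19/Feb/2017:10:03:40 +0000] "POST /payment/callback HTTP/1.1" 403 199 "-" "Mozilla/3.0 (compatible; Indy Library)"
198.51.100.22 - - [19/Feb/2017:10:04:11 +0000] "GET /images/logo.png HTTP/1.1" 403 199 "-" "Wget/1.19 (linux-gnu)"
198.51.100.30 - - [19/Feb/2017:10:05:00 +0000] "GET /administrator/ HTTP/1.1" 403 199 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def blocked_by_agent(log_text, patterns=BLOCKED_AGENTS):
    """Count 403 responses per (matched entry, method, path)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "403":
            continue  # unparsable line, or the request was not denied
        agent = m["agent"].lower()
        for pattern in patterns:
            if pattern.lower() in agent:
                hits[(pattern, m["method"], m["path"])] += 1
                break  # a 403 with no matching entry has another cause
    return hits


if __name__ == "__main__":
    for (pattern, method, path), count in blocked_by_agent(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {pattern!r:16} {method} {path}")
```

Repeated POSTs to a callback URL denied under a single entry are the signal to check whether that user agent belongs to a service the site depends on before keeping it in the list.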

activha
Thanks a lot for all :-)

nicholas
Akeeba Staff
Manager
You're welcome!

Nicholas K. Dionysopoulos

Lead Developer and Director


System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
