#27533 Admin Tools is blocking updatecart

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Thursday, 01 June 2017 17:17 CDT

lt635
 Hello,

I have just noticed on a couple of sites that Admin Tools is blocking the delete option in Hikashop cart module. If I keep trying to delete I get blocked.

Checking it in Chrome it shows an error 403 - forbidden.

The reason recorded in Admin Tools is 'tmpl= in URL' and this is the URL from the log:
http://www.irlendyslexia.com/store/product/updatecart/cart_id-668/cart_product_id-2407/quantity-0/return_url-aHR0cDovL3d3dy5pcmxlbmR5c2xleGlhLmNvbS9pbmRleC5waHAvc3RvcmUvcHJvZHVjdC83LWNvbG91cmVkLXBhcGVyLWhhbmR3cml0aW5nLWV4ZXJjaXNlLWJvb2tzLTQ0LXBhZ2U=?tmpl=


I hope you can help.

Thank you
Kind regards
Lene

nicholas
Akeeba Staff
Manager
I'm not at all certain that Admin Tools is blocking you. The 403 Forbidden HTTP status comes from Apache, not Admin Tools. It's far more likely that you have either a .htaccess directive or a web server-level firewall setting blocking this request. My educated guess is that since this URL contains base64 encoded data as part of the path there's a rule placed in the web server's mod_security2 firewall (note: this is something installed on the web server, NOT Joomla!) by your host. If I'm not mistaken that's a rule from the OWASP ModSecurity Core Rule Set Project regarding a very old base64 attack vector in WordPress which should be easy for your host to disable on your site.

That said, let's make sure that the problem is indeed not caused by Admin Tools. In order to do so, let's try the following:

1. Try setting the Error Reporting level in your Global Configuration to "None". Many errors are caused by harmless PHP Notices and Warnings being output to the browser, breaking anything which requires HTTP header manipulation such as Joomla!'s session management, AJAX calls and download systems.

2. Try to replicate the issue after disabling the "System - Admin Tools" plugin. If you can still replicate the issue, it is not caused by Admin Tools. Disabling that plugin means that Admin Tools code (including the Web Application Firewall) is not running on your site.

3. If you suspect an issue with the .htaccess file, replace its contents with the contents of the stock htaccess.txt file shipped with every version of Joomla!. If you are on GoDaddy please wait for 1-30 minutes for the changes to be effective. Then, retry loading the problem page. If you can still reproduce the error, then it is not caused by .htaccess Maker.

If doing any of the above resulted in the issue still occurring, it's not related with Admin Tools and we can't help you. If doing any of the above did stop the issue from occurring, we'll have to do some troubleshooting.

First go to Admin Tools, Web Application Firewall, Configure WAF. Make sure "Log security exceptions" is set to Yes; if it's not, set it to Yes and click on Save. Now try reproducing your issue. Immediately after that, please go to Admin Tools, Web Application Firewall, Security Exceptions Log. The latest log entry at the top should have the date and time of when the issue occurred. Please copy the Reason and Target URL here so that we can further help you.

If, however, you do not see a log entry, or the Date and/or IP address do not match your last access, this problem is not caused by Admin Tools' WAF. In this case, you will have to do some .htaccess troubleshooting. You may need to read the general .htaccess troubleshooting page, as well as the page on finding out necessary .htaccess exceptions. If that still doesn't help please read my comment at the top of this reply about my educated guess on where the problem lies and please forward our entire conversation to your host so they can help you.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

lt635

Hello,

Thank you for getting back to me so quickly.

1. I tried setting the errors to none, no change
2. I did try to deactivate the plugin before contacting you. I renamed the main.php file and tried deleting from the cart module and it worked. Put it back in place and it is no longer working.
3. I deactivated the .htaccess file to test, just in case, and the problem was still there.

I just checked another website that I have not updated to the latest version of Hikashop and the delete button in the module is working. From that I would think there is a conflict with their latest release? As the problem is fixed when I deactivate the plugin do I talk to you or Hikashop?

This website is running Hikashop 2.6.4; the other two with the problem are running version 3.0.1.
https://afom.org.au/shop-auctions/shop

Thank you
Kind regards
Lene

nicholas
Akeeba Staff
Manager
I'm sorry, but I have to repeat myself since you only follow half of the instructions.

First go to Admin Tools, Web Application Firewall, Configure WAF. Make sure "Log security exceptions" is set to Yes; if it's not, set it to Yes and click on Save. Now try reproducing your issue. Immediately after that, please go to Admin Tools, Web Application Firewall, Security Exceptions Log. The latest log entry at the top should have the date and time of when the issue occurred. Please copy the Reason and Target URL here so that we can further help you.


lt635
Sorry, I already have the 'log security exceptions' in place; the reason and target URL were in my first post, I did not think you needed it again.

I just triggered another security exception. I keep deleting them or it will block me.

tmpl= in URL

http://www.irlendyslexia.com/store/product/updatecart/cart_id-668/cart_product_id-2409/quantity-0/return_url-aHR0cDovL3d3dy5pcmxlbmR5c2xleGlhLmNvbS9pbmRleC5waHAvc3RvcmUvcHJvZHVjdC8xMy1jYW4taS1oZWxwLW15LWNoaWxkLWxlYXJuLWEtcGFyZW50LWd1aWRlLXdyaXR0ZW4taW4tcG

nicholas
Akeeba Staff
Manager
OK, I see. There's a tmpl= in your URL but it's empty. That's an invalid URL to begin with. The proper way to deal with it is contact HikaShop and ask them to investigate why an empty tmpl is being used and suppress it from the URLs they are generating. In other words, it seems to be a bug in Hikashop which went undetected because Joomla! is currently (and erroneously) ignoring an empty tmpl query string parameter.

Meanwhile, you want your site to work. You can go to Admin Tools, Web Application Firewall, Configure WAF and disable the "Block tmpl=foo system template switch" option under "Visual Fingerprinting Protection".


lt635
Hello,

Ok, thank you. I will contact Hikashop regarding the issue.

Kind regards
Lene

nicholas
Akeeba Staff
Manager
I'll leave the ticket open for another 15 days. When you hear back from Hikashop please let us know. Thank you!


lt635
I have reported the bug, I will let you know how it goes. Thanks.

lt635
Hello,

I am not a programmer so this is totally out of my area of expertise. This is Hikashop's reply:

I would be happy to know where there is an empty "tmpl" parameter; I performed a search in all the HikaShop code and I can't find any.

For the new checkout system, we are using "tmpl=ajax", which is not a "regular" value but which allows us to be sure that the calls are made for the ajax system.

So can you point us to where that link is exactly?



I just want to make sure that my websites are as secure as can be without causing issues for customers. Admin Tools is one of the best subscriptions that I have as it is keeping hackers out of the websites, I have been subscribing for some years now.

Thank you
Kind regards
Lene

dlb
Lene,

Nicholas will be out of town for a few days. I'm with you, this is way over my head. I think what the HikaShop guys need to know is the steps that you went through to produce the error. It may also be helpful for them to have the output from the Admin Tools Security Log. If they can reproduce the problem on their system, they can fix it.

If we need to get a programmer involved from this end, Davide will be here the rest of the week.


Dale L. Brackin
Support Specialist

English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5)

lt635
Hi Dale,

Thank you for your reply. I have suggested that Hikashop have a look at this ticket with Nicholas's comments, I think that is best as there is no point in me trying to explain the problem :).

I will let you know how it goes.

Kind regards
Lene

nicholas
Akeeba Staff
Manager
Is it possible that you are using a SEF component which gets confused and ends up with the empty tmpl? Or is it possible that you simply forgot to copy that bit? :) I suspect it's the latter. In this case go to Admin Tools, Web Application Firewall, Configure WAF and click on the Visual Fingerprinting Protection tab. Find the "List of allowed tmpl= keywords" setting. It currently reads something like
component,system,raw,koowa

Append ,ajax to it so it now reads
component,system,raw,koowa,ajax

If that works please tell Hikashop that the tmpl they should be using is called "raw". Use of non-standard tmpl keywords is discouraged not because of Admin Tools, but because system and content plugins tend to mistakenly look at tmpl instead of format to decide if the output is HTML or not. I'll see Nicolas tomorrow in JoomlaDay Norway so if they have questions you can tell him to ask me in person :)


lt635
Hello Nicholas,

Sorry for taking time to reply, I have had some other issues with my site (different post) that I am still trying to figure out....

I added 'koowa,ajax' to the list of allowed tmpl, 'Block tmpl=foo system template switch' set to yes and it worked.

This is the post in Hikashop with their replies, I have not reported the last comment yet...
https://www.hikashop.com/forum/3-bug-report/889866-delete-on-cart-module-not-working.html#267846

Thank you
Kind regards
Lene

nicholas
Akeeba Staff
Manager
Their suggestion is wrong. Disabling the tmpl= check in Admin Tools opens your site to potential security issues. The simplest workaround is what I mentioned, i.e. add ajax to the list of allowed tmpl keywords. The correct fix is Hikashop using tmpl=raw, not tmpl=ajax. But that requires them actually knowing how Joomla! works which, based on their replies, I am not sure they do to the extent I do. Then again I am one of a handful of people who know Joomla's codebase inside out. If only they'd listen to me. I tried talking to Nicolas but he wouldn't see the problem he's causing by not using Joomla as it's intended to be used. I can't do anything else about it. You are their client, though, you can put pressure on them.

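An added illustration (not Admin Tools' or HikaShop's own code) of the decision Nicholas describes across this thread, written in Python so Target URLs from the Security Exceptions Log can be checked offline: any tmpl= present in the query string is a security exception unless its value is on the allow-list, and an empty value counts as present, so a bare "?tmpl=" stays logged as "tmpl= in URL" however the list is amended. The allow-list values are the ones quoted in the ticket; the exact internal rule of the WAF is an assumption, and the sample URLs, domain, ids and return_url are constructed placeholders.

```python
"""Model of the WAF "Block tmpl=foo system template switch" check.

Added illustration, not Admin Tools' own code. Assumption: any tmpl=
parameter present in the query string is a security exception unless
its value is on the allow-list; an empty value is present but not
allowed, so a bare "?tmpl=" is logged as "tmpl= in URL".
"""
from urllib.parse import parse_qs, urlsplit

# Allow-list quoted in the ticket, and the amended one with ajax appended.
DEFAULT_ALLOWED_TMPL = ("component", "system", "raw", "koowa")
AMENDED_ALLOWED_TMPL = DEFAULT_ALLOWED_TMPL + ("ajax",)


def tmpl_check(url, allowed=DEFAULT_ALLOWED_TMPL, block_enabled=True):
    """Return (blocked, reason) for one Target URL from the exceptions log."""
    if not block_enabled:
        # Turning the option off (HikaShop's suggestion) lets any value through.
        return False, "check disabled: any tmpl value passes"
    # keep_blank_values=True is the crucial detail: without it a bare "?tmpl="
    # is silently dropped, which is exactly how Joomla! itself ignores it.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "tmpl" not in query:
        return False, "no tmpl parameter"
    for value in query["tmpl"]:
        if value not in allowed:
            return True, "tmpl= in URL (value %r not allowed)" % value
    return False, "tmpl value allowed"


# Constructed samples shaped like the ticket's log entry (SEF path with a
# base64 return_url, then the query); domain, ids and return_url are placeholders.
SAMPLE_URLS = {
    "empty": "http://example.com/store/product/updatecart/cart_id-1/quantity-0/"
             "return_url-aHR0cDovL2V4YW1wbGUuY29tLw==?tmpl=",
    "ajax": "http://example.com/store/product/updatecart/cart_id-1/quantity-0?tmpl=ajax",
    "raw": "http://example.com/store/product/updatecart/cart_id-1/quantity-0?tmpl=raw",
    "foo": "http://example.com/index.php?option=com_content&tmpl=foo",
}


def triage(allowed=DEFAULT_ALLOWED_TMPL, urls=SAMPLE_URLS):
    """Which sample targets would be logged under a given allow-list."""
    return {name: tmpl_check(url, allowed)[0] for name, url in urls.items()}


if __name__ == "__main__":
    for name, url in SAMPLE_URLS.items():
        print(name, tmpl_check(url))
    print("with ajax allowed:", triage(AMENDED_ALLOWED_TMPL))
```

Note that the "empty" sample is blocked under both lists, which matches Nicholas's reading that the logged URL in the ticket was probably cut off and really carried tmpl=ajax; only tmpl=raw passes the stock list.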

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
