#29209 Admintools and Yootheme Pro

Posted in ‘Admin Tools for Joomla! 4 & 5’
Latest post by nicholas on Thursday, 15 February 2018 10:55 CST

TorstenL
Hello,

I've built a site with Yootheme Pro, when I start the "Yootheme Page Builder" I get the message:


So I tried to create a WAF exception, but that does not seem to be working:


Also read the following thread:
Your text to link here...

The only way I've found is to disable the DFI shield, but I guess this is not recommended.

Many thanks in advance
Torsten

nicholas
Akeeba Staff
Manager
You were almost there. You should create a WAF exception BUT the Component field should only include the value of the URL's option parameter. For example, if the URL for the builder is index.php?option=com_whatever&view=foobar&something=another&whatever=wedontcare you need to set
Component: com_whatever
View: foobar
Unfortunately your screenshot is useless for us to help you since you have pixelated the parts which probably contain the useful information and only show us clearly the wrong stuff you put in there.

I hope that helps!

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

TorstenL
Hi Nicholas,

many thanks for your reply.
Here's the complete code, only pixelated out the URL of the site as this is not a live site:


So I tried it with this config (and some others) but can't get it to work:


Best regards
Torsten

nicholas
Akeeba Staff
Manager
I see that the problem is actually in the Page Builder itself. It's as if it's written by people who have never developed software for Joomla. The return URL is URL-encoded instead of base64-encoded, that's why it's triggering DFIShield. It's also why it's confusing you.

There is no view parameter in the action URL itself. That %3Fview%3Dform is part of the encoded return URL. As such it's not part of the information Joomla sees and that's why your rule does not work.

Correct rule:
Component: com_ajax
View:
Query Parameter: return

Yes, you need to leave View empty as there's no view parameter in com_ajax (ever).

I would also contact Yoo and let them know that they should base64-encode the return URL to prevent similar issues. While Admin Tools can be told to ignore this issue, most web server security modules cannot and may block requests to the page builder. That's why Joomla always base64-encodes return URLs and has done so for over a decade.

Nicholas K. Dionysopoulos


TorstenL
Thanks for the update and the explanations, Nicholas.

I tried as you suggested but I still get the same error. Here's a screen of the current configuration:


I will also pass this to Yootheme but I don't know if (and when) they will change the architecture of the Builder. I've noticed that there are a few users having this issue.

Many thanks
Torsten

nicholas
Akeeba Staff
Manager
"Same issue" according to my experience is very misleading. Go to the security exceptions log and post here the Target URL and Reason for being blocked.

Kindly note that I'm trying to help you based on missing information. I don't know what is in the blurred parts of the URL. Based on your misunderstanding of even what the view in that URL is I am afraid that you are hiding from me something REALLY IMPORTANT that makes all the difference. If you cannot share the full Target URL that's being blocked I cannot help you.

Nicholas K. Dionysopoulos


TorstenL
Hello Nicholas,

here is the full URL:

http://bauwagen-ag.daniela-springer.de/index.php?p=customizer&option=com_ajax§ion=builder&site=%2F&return=http%3A%2F%2Fbauwagen-ag.daniela-springer.de%2F%3Fview%3Dform%26layout%3Dedit%26a_id%3D1%26return%3DaHR0cDovL2JhdXdhZ2VuLWFnLmRhbmllbGEtc3ByaW5nZXIuZGUv

Reason: DFI Shield

Best regards
Torsten

nicholas
Akeeba Staff
Manager
OK, now that makes more sense. First of all, since other people may read this, the § character is meant to read & section. I don't know how it got encoded.

You need to make two rules. One is the rule you already have. The other is:

Component: com_ajax
View:
Query Parameter: site

Nicholas K. Dionysopoulos


TorstenL
Hello Nicholas,

many thanks for helping me out, it works like a charm now :)

Best regards
Torsten
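
The reasoning behind the two working rules, as an added example (not part of the ticket and not Admin Tools code): decode a blocked Target URL one level only, as the application sees it, and list a Component / View / Query Parameter triple for each parameter whose value looks like a path or URL. The sample URL is constructed with example.com in the same shape as the one posted above, and `looks_like_path_or_url` is an assumed stand-in heuristic, not the actual DFIShield check.

```python
import base64
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample: same parameter layout as the blocked URL in the thread.
INNER = ("http://example.com/?view=form&layout=edit&a_id=1&return="
         + base64.b64encode(b"http://example.com/").decode())
TARGET_URL = "http://example.com/index.php?" + urlencode({
    "p": "customizer", "option": "com_ajax", "section": "builder",
    "site": "/", "return": INNER,   # return is URL-encoded, not base64
})

def top_level_params(url):
    """Decode the query string once: these are the request variables Joomla sees.
    Anything nested inside an encoded value (e.g. view=form) is NOT among them."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))

def looks_like_path_or_url(value):
    # Assumption: simplified heuristic for illustration only.
    return "://" in value or value.startswith(("/", "./", "../"))

def suggest_exceptions(url):
    """One candidate WAF exception per parameter that carries a path/URL value."""
    params = top_level_params(url)
    component = params.get("option", "")
    view = params.get("view", "")          # empty when the URL has no view
    return [
        {"Component": component, "View": view, "Query Parameter": name}
        for name, value in params.items()
        if name not in ("option", "view") and looks_like_path_or_url(value)
    ]

def rebuild_with_base64_return(url):
    """Same request, but with the return URL base64-encoded as Joomla core does."""
    params = top_level_params(url)
    params["return"] = base64.b64encode(params["return"].encode()).decode()
    return urlsplit(url)._replace(query=urlencode(params)).geturl()

if __name__ == "__main__":
    for rule in suggest_exceptions(TARGET_URL):
        print(rule)
    print(suggest_exceptions(rebuild_with_base64_return(TARGET_URL)))
```

With the return URL base64-encoded, only `site` still carries a path-like value, so one of the two exceptions would no longer be needed.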

nicholas
Akeeba Staff
Manager
You're welcome!

Nicholas K. Dionysopoulos

