Support

Admin Tools

#33140 Admin Tools throwing a 403 on an HTTP POST to the site

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Friday, 05 June 2020 00:30 CDT

djc
We use Admin Tools on all of the sites we do for our clients. Thank you for a great product!

We have developed an integration component that can be triggered by an HTTP Post from Infusionsoft (the CRM the integration works with). Occasionally, but not usually, we will get a 403 error returned from the HTTP post. The returned error text says it came from Admin Tools.

I am curious as to why most go through but some do not. How to I let Admin Tools know that it is OK to let these pass? Is it in the Htaccess Maker or in the Web Access Firewall configuration?

Thank you in advance.
Dom

nicholas
Akeeba Staff
Manager
Let's make sure that the problem is indeed caused by Admin Tools. In order to do so, try the following:

1. Try setting the Error Reporting level in your Global Configuration to "None". Many errors are caused by harmless PHP Notices and Warnings being output to the browser, breaking anything which requires HTTP header manipulation such as Joomla!'s session management, AJAX calls and download systems.

2. Try to replicate the issue after disabling the "System - Admin Tools" plugin. If you can still replicate the issue, it is not caused by Admin Tools. Disabling that plugin means that Admin Tools code (including the Web Application Firewall) is not running on your site.

3. If you suspect an issue with the .htaccess file, replace its contents with the contents of the stock htaccess.txt file shipped with every version of Joomla!. If you are on GoDaddy please wait for 1-30 minutes for the changes to be effective. Then, retry loading the problem page. If you can still reproduce the error, then it is not caused by .htaccess Maker.

If doing any of the above resulted in the issue still occurring, it's not related with Admin Tools and we can't help you. If doing any of the above did stop the issue from occurring, we'll have to do some troubleshooting.

First go to Admin Tools, Web Application Firewall, Configure WAF. Make sure "Log security exceptions" is set to Yes; if it's not, set it to Yes and click on Save. Now try reproducing your issue. Immediately after that, please go to Admin Tools, Web Application Firewall, Security Exceptions Log. The latest log entry at the top should have the date and time of when the issue occurred. Please copy the Reason and Target URL here so that we can further help you.

If, however, you do not see a log entry, or the Date and/or IP address do not match your last access, this problem is not caused by Admin Tools' WAF. In this case, you will have to do some .htaccess troubleshooting. You may need to read the general .htaccess troubleshooting page, as well as the page on finding out necessary .htaccess exceptions.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

djc
Thank you Nicholas for the quick reply.

I know that this is from Admin Tools because I got this in the 403 error return:
403 - This request is blocked by Admin Tools. Please change this message in the component's options. If you are the administrator of this site and have blocked your own IP address on accident please visit https://aimastermind.com/administrator/[email protected] where [email protected] is the email address of your (Super User) account. This URL will only send you an email if the IP address from which you are accessing it is being blocked by Admin Tools. If you are not blocked no email will be sent; you don't need an email with instructions to unblock your IP if your IP is not blocked.

I do not suspect an issue with .htaccess necessarily but was wondering if in all the .htaccess settings Admin Tools provides there is someplace there to modify.

This site gets these HTTP Posts regularly from the CRM, and only infrequently do we see these errors come back from the Post, so it is hard to replicate.

The Log security exceptions was set to Yes....I looked through the log and found a Frontend Edit Admin User with the correct URL at 21 May 2020-05-21 16:41:29 EDT. The CRM reported the 403 at 2020 5:59 PM EDT, that is over an hour difference...not sure it is the same event. I cannot seem to look up 35.230.18.33.

Thanks,
Dom



nicholas
Akeeba Staff
Manager
I think that your integration is trying to save the Joomla user object for a user account that has administrative privileges (Manager, Administrator or Super User). This is potentially dangerous that's why we give you the option to catch it as a security exception.

If you ware absolutely certain that you are handling this the right way you can use the WAF Exceptions feature to add an exception for your integration component.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

djc
Thank you again Nocholas for your reply.

Yes, our integration creates and modifies users in Joomla. I know that Admin Tools catches the saving of users that have administrative privileges and we want to be warned of that. In fact, our integration will not save any Super User account information regardless of whether Admin Tools is installed or not.

However, in this instance, this was creating a new user that was not going to have administrative privileges. In fact, when I reposted that step in the CRM it went through without a problem. That is my dilemma, lots of calls to our integration are made from lots of websites without a problem, but every once in awhile, we get this from Admin Tools. I am trying to track it down.

I appreciate your help!
Dom

nicholas
Akeeba Staff
Manager
I can tell you how exactly this is triggered to help you narrow down your search. We install a handler that Joomla calls right before creating a user. Joomla passes us an array of the data to be used for creating the user. Part of that is the groups key, itself a simple array of the Joomla user group IDs which will be assigned to the user. If one or more of these groups have the backend access privilege we consider it creation of a privileged user or user privilege escalation and block the request.

So, somewhere, sometimes, somehow your integration is sending a user group that's not safe as it has backend privileges. Most likely it sends the correct user group ID but there's an oversight in this group's privileges in Joomla, accidentally giving it more access than you should have.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

djc
Unfortunately, this user group is what most people are put in and most go through without a hitch.

I am NOT saying that there is something wrong with Admin Tools, just trying to get to the bottom of it.

Just had a thought....is it a possible race condition as we have a handler that is called right before a new user is created? I am not the developer of this integration, only the functional designer, so I do not know how the internals of Joomla work.

Thanks,
Dom

nicholas
Akeeba Staff
Manager
That'd depend on what that code does. You can't really have a race condition if both pieces of code run inside the same page load since PHP code runs linearly.

Instead of wondering you can turn on the logging in Admin Tools and examine the log after the fact. The entire request will be stored there, including the user group assignment that triggered the security exception.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

djc
Logging is and has been on. I found the log entry, but could not get any details....I must be missing something. I looked in the documentation but could not find how to get the details of a log entry....again, I must have missed it. Do I need to turn on debug logging?

Anyway, I have wasted enough of your time, and appreciate your help. I am at a loss as to why most of the time everything goes well with the HTTP Posts, but every once in a while they are rejected. We are creating a user in a user group that is a child of Registered. And when the HTTP Post is rerun, all works fine....see the attached screenshot.

Again thank you for your help! I'll get it figured out sooner or later.

All the best,
Dom

nicholas
Akeeba Staff
Manager
Your screenshot is most definitely not something that Admin Tools created or showed to you. Again, you need to turn on logging in Admin Tools and examine the log it generates after the fact. The entire request will be stored there, including the user group assignment that triggered the security exception. Here's how.

Components, Admin Tools, Web Application Firewall, Configure WAF. Click on the Logging & Reporting tab. Set "Keep a debug log file" to Yes.

Wait for the issue to happen again.

Correlate the log entry in the Security Exceptions Log with the contents of the file YOUR_LOG_DIRECTORY/ admintools_breaches.php where YOUR_LOG_DIRECTORY is your Joomla log directory, typically set to administrator/logs under your site's root. This file contains the entire request which was blocked by Admin Tools. Show that to your developer.

For info on that option please read the documentation at https://www.akeebabackup.com/documentation/admin-tools/web-application-firewall.html#waf-configure-logging-reportingwafconfopt-debug-log

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

djc
I know that the screenshot was not from Admin Tools, it was not meant to be. It was from the CRM we use (Infusionsoft) and meant to illustrate that reposting the HTTP Post goes fine with all the exact same parameters. So, why was it forbidden the first time?

Once again, I have logging on, to prove it, since you keep coming back to that here is a screenshot of that. I did not have debug log file set to yes, so thank you for that, suggestion.

I am sorry that I seem to be having a hard time explaining the problem.

Dom

nicholas
Akeeba Staff
Manager
We established that your request is blocked because of a Frontend Edit Admin User exception. I explained, in detail, how this feature works. If you don't believe me the code is right there for you and your developer to see.

I told you that the best way forward is to see what exactly is the data that your site is receiving so you can understand both why the request is being blocked and help you troubleshoot your CRM integration which I did not write and I have nothing to do with. In fact, I told you twice how to do it.

At this point I'd like to explicitly state what is painfully obvious to anyone looking at your screenshot. It only tells you which URL the POST was sent to and the HTTP response received. It DOES NOT tell you which data it sent. Please re-read everything I told you from here and up to this reply here very carefully. The key to understanding the problem is in the data that you see neither in your CRM's callback history nor in Admin Tools' Security Exceptions Log. You need the raw POST data that was sent to your site and I've already explained, twice, how to get it.

Show this thread to your developer. They will know how to proceed from here.

Ultimately, this is not an issue in Admin Tools. I have re-run the automated tests we have for that feature and did several manual tests myself. It is not triggered unless a user is being saved and either the user belongs to a group with backend login privileges or saving the user would assign them to any group that has login privileges.

I think at this point I will have to close the ticket because we are having a circular conversation about something that's well outside the purview of our support.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!