#36340 Admin Tools blocking EasyBlog articles with PDF

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by hbproph on Wednesday, 22 December 2021 03:04 CST

hbproph

Good afternoon.

I have a little problem: I found that Admin Tools is blocking the PDF articles in my EasyBlog.

URL:

https://csakamainap.club/index.php/cikkek/az-anonim-alkoholistak-kozossege-magyarorszagon

Picture: Block-1

I attached the pictures showing why I think this is Admin Tools.

Can you please tell me how I can solve this?

Thank you for your help!

nicholas
Akeeba Staff
Manager

Per your screenshot, the error you get in the browser's dev tools is

Refused to load the script 'https://.../media/com_easyblog/pdfjs/build/pdf_js' because it violates the following Content Security Policy directive: "script-src 'none'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

This happens because you have enabled the "Disable client-side risky behavior in frontend static content" feature in the .htaccess Maker. You can disable that feature.

The real root cause of this problem is that the PDF viewer in EasyBlog is a JavaScript solution which not only adds HTML to your page but also executable script tags. This is a very dangerous practice, most commonly used by attackers to hijack content on a page. There is no reason for any script hosted on and served from the same site as the displayed HTML content to use this outdated and dangerous technique. This has been a solved problem for well over 15 years now.

This is not the first time we get a ticket about EasyBlog's PDF viewer with the exact same issue. Please contact its authors and tell them to update their JavaScript so it does not generate <script> tags. It's 2021. There's no reason to write JavaScript like it's still 1999.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
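To make the fallback rule quoted in that dev-tools error concrete, here is an added example (not Admin Tools' or EasyBlog's code) that models how a browser decides whether a `<script src=...>` load is permitted under a given Content-Security-Policy header. It assumes constructed page and script URLs and models only the 'none', 'self', host and *.host source forms.

```python
from urllib.parse import urlparse

# Directive lookup order for <script src=...> loads, as stated in the dev-tools
# error above: script-src-elem, then script-src, then default-src as fallback.
FALLBACK = ("script-src-elem", "script-src", "default-src")


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def host_matches(pattern, host):
    """'*.example' matches any subdomain; other patterns must match exactly."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def script_element_allowed(header, page_url, script_url):
    """Return (allowed, governing directive) for a <script src=script_url> on page_url.

    Only 'none', 'self', host and *.host sources are modelled; nonce, hash and
    other keyword sources never match here, so on their own they block the load.
    """
    policy = parse_csp(header)
    directive = next((d for d in FALLBACK if d in policy), None)
    if directive is None:
        return True, None  # nothing governs scripts: CSP does not restrict this load
    sources = policy[directive]
    if not sources or sources == ["'none'"]:
        return False, directive  # an empty source list and 'none' both block every script
    page, script = urlparse(page_url), urlparse(script_url)
    for src in sources:
        if src == "'self'":
            if (page.scheme, page.netloc) == (script.scheme, script.netloc):
                return True, directive
        elif not src.startswith("'"):  # host source such as cdn.example or https://cdn.example
            host_src = urlparse(src if "://" in src else "//" + src)
            scheme_ok = not host_src.scheme or host_src.scheme == script.scheme
            if scheme_ok and host_matches(host_src.hostname or "", script.hostname or ""):
                return True, directive
    return False, directive
```

With the constructed pair `https://blog.example/index.php/articles/some-article` and `https://blog.example/media/pdfjs/build/pdf.js`, a header of `script-src 'none'` returns `(False, "script-src")`, while `script-src-elem 'self'; script-src 'none'` returns `(True, "script-src-elem")` because the more specific directive is consulted first.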

hbproph

Thank you very much, Nicholas!

You explained everything, and I know enough.

I have one question, please.

Now I have completely disabled a security component in my Admin Tools, which really does not make me happy.

Can I just remove the "js" from here?

The screenshot is in the next reply, sorry.

Thank you for your response.

hbproph

nicholas
Akeeba Staff
Manager

No, you MUST NOT remove js from the “Frontend file types allowed in selected directories”! This would BREAK your site as it is a completely unrelated option.

In fact, if you were to do that you'd prevent any and all JavaScript files — even Joomla's and Admin Tools' — from executing at all. This would make it impossible to even use your site's administrator.

The security option I had you disable is not a vital one. To the contrary, it's what I call “paranoid level of security”. The attack it's meant to prevent is if somehow someone uploaded a malicious static file which can have executable JavaScript code i.e. an HTML, SVG or JS file. If you viewed (HTML, SVG) or executed (JS) this file it would run its malicious JavaScript code in the context of your web browsing session. This would allow the attacker to subvert your site, for example by stealing your login cookie or adding invisible fields on top of login forms to steal the username and password of unsuspecting users. What our "Disable client-side risky behavior in frontend static content" feature does is send an HTTP header alongside these files which tells the browser “if this file tries to execute any JavaScript (HTML and SVG only) or create executable <script> tags in the document KILL IT AND DON'T RUN THAT CODE”. It's a very efficient workaround to an extremely unlikely issue.

Why do I say extremely unlikely issue? Well, Joomla will by default not allow untrusted users to upload HTML, SVG or JavaScript files at all! You'd need either an insecure extension which does not respect Joomla's upload restrictions OR a malicious Administrator or Super User to upload those files. Therefore, the protection offered by this feature is truly for the paranoid among us.

Your site is not, practically and realistically speaking, more vulnerable disabling that option. If that was the case I would have warned you and told you to use a different extension. I am not known for mincing my words or irresponsibly telling people to disable security features they definitely need. Quite the contrary.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

hbproph

Hi Nicholas,

Thank you very much for your deep explanation!

What a pity that you don't have a channel for training on these topics, as you are extremely experienced.

You would make big money sharing your knowledge. :-)

I'm not touching anything after your advice.

Also, I contacted the EasyBlog dev team; they are investigating their code based on your advice.

Thank you very much again!
