Support

Admin Tools

#40025 Reason: susparam

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
4.4.1
PHP version
8.1.26
Admin Tools version
7.4.6

Latest post by nicholas on Sunday, 07 January 2024 03:51 CST

pscarnegie

Nothing urgent. I received a new blocked request message for a reason I've yet to ever see and I was wondering what "susparam" relates to. I couldn't find anything in the documentation or through a google search related to "Reason: susparam"

nicholas
Akeeba Staff
Manager

As per https://www.akeeba.com/documentation/admin-tools-joomla/waf-log.html#waf-log-reasons (scroll all the way to the bottom) this corresponds to the Block Suspicious Core Parameters feature which was added in version 7.4.5. You can read the documentation of this feature here: https://www.akeeba.com/documentation/admin-tools-joomla/web-application-firewall.html#wafconfopt-susparams (this page is linked to from the previous one).

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

pscarnegie

In your dropdown list of "do not send email notifications for these reasons", which option would I choose to no longer receive those "susparam". I don't see that as an option.

nicholas
Akeeba Staff
Manager

There is currently no such option. It will be added in the next release.

In the meantime, you should take the opportunity to fix the underlying problems on your sites, or disable this feature if you're going to ignore it anyway.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

pscarnegie

You make mention of fixing the underlying problem within the site, but the documentation that you referenced ( https://www.akeeba.com/documentation/admin-tools-joomla/web-application-firewall.html#wafconfopt-susparams ) references cross-site scripting issues which I thought were addressed by the 4.2.5 release ( https://www.tenable.com/plugins/was/113429 ) and I'm already using the most recent version of J4 at 4.4.1. Is there a global setting of htaccess adjustment that would need to be made in order to mitigate this particular cross-site scripting vector? The other reference you mentioned related to coding mistakes within a component, which I assume would either be core Joomla components or third party components, neither of which I wouldn't be able to address other than making sure that I keep those up to date, which I am.

nicholas
Akeeba Staff
Manager

Joomla! addresses vulnerabilities in the core code, not in third party code. It also addresses issues which are known, not issues which are not yet known. The idea of this feature, as well as all Web Application Firewall features, is to mitigate as much of the impact of the as-yet-unknown vulnerabilities as possible.

For example, when there was a major zero-day issue in Joomla! back in December 2015 that involved a SQL injection attack vector, sites running Admin Tools with its SQLiShield feature were not vulnerable. Admin Tools would catch the SQL injection and block it before it reached any part of the core code where it could do any damage.

The core parameters in question are reserved by Joomla, meaning they shouldn't be used for anything else by third party code. They always have a specific context they operate in, and filtering that needs to be applied to them. Even though they are processed by core code, they can be modified by third party code which may or may not be applying adequate filtering.

So, yes, this feature is useful in catching invalid uses of these core parameters be it an attack attempt, or a coding mistake in a third party extension. What I told you is that if you are sure it's not a legitimate attack, ask the developer of the third party extension to fix their problematic code.

In the meantime, if this feature working as it should but other third party code doing silly things it shouldn't be doing is causing an operational problem on your site you can of course disable this feature either globally through the Configure WAF page, or using a WAF Exception.

If, however, you do not have an operational issue on your site, you understand and agree that this feature like all features in a security extension has a purpose to serve, and your only problem is the emails you keep getting you have two options. One option is to just wait until the next version, when you will be able to exclude this reason from emails. The other option, and the one I recommend, is disabling all emails for blocked requests by removing your email address from the relevant Configure WAF field. These emails are meant to be a crutch during development and troubleshooting, not something you will keep enabled forever. A request is blocked, let Admin Tools handle that. You don't need to know about it. What's the point of automating security if you want to spend all your time micromanaging it?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!