Support

Admin Tools

#41699 YOOtheme 403 on frontend

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
5.2.4
PHP version
8.3
Admin Tools version
latest

Latest post by nicholas on Monday, 10 March 2025 04:28 CDT

Monday, 10 March 2025 04:19 CDT

messagedj

I am having issues with frontend editing with Yootheme. When I try to open the builder in the frontend I get a 403 error. When I disable Admin Tools everything is working properly, so it is not a .htaccess thing.

We detected that your latest request may have been part of suspicious activity and has been blocked. If you believe you are getting this message in error please let us know through our site's contact form.

the url : /component/ajax/?p=customizer&templateStyle=9&section=builder&format=html&site=%2F&return=https%3A%2F%2Fxxxxx.nl%2F%3Fview%3Dform%26layout%3Dedit%26a_id%3D1%26return%3DaHR0cHM6Ly9yZWdpb25hYWx0YWxlbnRjZW50cnVtLm5sL2luZGV4LnBocA%3D%3D

Block tmpl=foo system template switch = No
Block template=foo site template switch = No

And a WAF exception 

Select com_ajax Ajax Interface
com_ajax		 (All) template 1
it makes me clueless. 

Monday, 10 March 2025 04:28 CDT

nicholas

You had the right idea about creating a WAF Exception, but you probably missed the actual reason (which I am pretty sure is listed as DFIShield) in the Blocked Requests Log page.

The problem I see here is site=%2F which when URL-decoded becomes site=/. This looks like an absolute filesystem path which is blocked by DFIShield. Therefore, you need to change the Query Parameter of your WAF Exception to site.

There's also a possibility that the return parameter causes the request to be blocked with an RFIShield reason. If that's the case, create another exception just like the one you have, but with the Query Parameter being return. You should also ping YooTheme and let them know that the return parameter should be base64-encoded so as to follow Joomla's conventions on return URL parameters. Not a major issue, but having consistency across all first and third party exceptions helps a lot when someone's troubleshooting a site :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!