#9737 Possible conflict between WAF and Joomla core JS

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by Randy Prue on Wednesday, 06 April 2011 19:42 CDT

user21438
Hi,

I just want to report a possible conflict between the Admin Tools Pro WAF and /includes/js/joomla.javascript.js. If you have "Remove all instances of Joomla from the output" set to Yes, /includes/js/joomla.javascript.js becomes /includes/js/.javascript.js and doesn't load the JS file.

This broke certain functionality of a component I was working with and this ended up being the culprit. Maybe WAF can have an exception list?

Best,

Matt

nicholas
Akeeba Staff
Manager
This is a known bug. That feature is too powerful and meant to only be used on tiny blog or company presentation sites. The other WAF features actually do a much better job at eliminating the instances of "Joomla!" which sniffers usually try to detect.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user21438
Thanks Nicholas! When you say "bug" you mean "feature", right? It is certainly a powerful feature, thanks for including it.

Best,

Matt

nicholas
Akeeba Staff
Manager
Well, it is a feature and works as advertised. But it causes most sites to malfunction (even though that's by design), and that makes me call this a bug :)

Nicholas K. Dionysopoulos


user21438
LOL! I hear ya. It does work VERY well. Is it something that could have an exclusion filter, even hard coded? Just curious.

Best,

Matt

nicholas
Akeeba Staff
Manager
Hardly. It is just a regex replacement filter.

Nicholas K. Dionysopoulos


user21438
No worries. I am now aware of how powerful it is. It's great to have.

Thanks!

Best,

Matt

slaes
Or, since it only strips the HTML output, creating another file in the same directory called .javascript.js will fix this issue altogether and you can still use it :)

https://www.akeebabackup.com/support/forum/topic/26972-tip-when-stripping-joomla-output.html

nicholas
Akeeba Staff
Manager
That's an interesting thought! And, yes, it works (just tested). Well done!

Nicholas K. Dionysopoulos


Randy Prue
This makes me nervous:
"But it causes most sites to malfunction"

This piques my curiosity:
"The other WAF features actually do a much better job at eliminating the instances of "Joomla!" which sniffers usually try to detect."

What is WAF? Is that the firewall? When you say that other features do a better job of eliminating instances of "Joomla!"... how is that? What else is there that eliminates the "joomla"?

Maybe I should not run the "joomla" remover option.

slaes
Randy, man, you need to have a flick through the manual. It's awesome and by far the best I have ever seen; it explains everything perfectly. Nicholas is a MACHINE!

Yes, WAF is the firewall. By saying it causes most sites to malfunction I guess he's just warning people, rightly so. Other features are like remove Joomla generator and replace with something else, etc. The manual explains exactly what they do; they are great! Obviously, re the Joomla stripper, Nicholas doesn't recommend it on every type of site; however, personally I like to use it on everything. You just need to know how to solve the problems if it causes you any.

Best way to diagnose the problems is when they arise.
- turn stripper on
- find problem page
- turn stripper off
- look through source code, easily finding the problem; obviously you're looking for joomla or joomla!
- rectify issue with new files (take into account what that file does re Joomla updates and should it need changed regularly, make a mental note)
- turn stripper back on and make sure it's working.
- ALL GOOD!
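
The "look through source code" step of the procedure above can be automated. The following is an added example, not part of the original thread and not Admin Tools code: it scans a page captured with the stripper off and lists every URL the filter would alter. The filter is modelled here as a case-insensitive removal of "Joomla!"/"Joomla" (an assumption; the real regex is not shown in the thread), and `find_broken_refs`, `RefCollector` and the sample page are hypothetical.

```python
import re
from html.parser import HTMLParser

# Assumption: the strip filter is modelled as a case-insensitive removal of
# "Joomla!" / "Joomla"; the real Admin Tools regex is not shown in the thread.
STRIP_RE = re.compile(r"joomla!?", re.IGNORECASE)
# Attributes whose value is a URL the browser will request or follow.
URL_ATTRS = {"src", "href", "action", "poster", "data"}


class RefCollector(HTMLParser):
    """Collect (tag, attribute, url) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.refs.append((tag, name, value))


def find_broken_refs(html):
    """Return (tag, attr, original_url, stripped_url) for each URL the filter alters."""
    collector = RefCollector()
    collector.feed(html)
    broken = []
    for tag, attr, url in collector.refs:
        stripped = STRIP_RE.sub("", url)  # the name the browser would request
        if stripped != url:
            broken.append((tag, attr, url, stripped))
    return broken


# Constructed sample page (stripper turned off), using the two file names
# mentioned in the thread; everything else in it is made up.
SAMPLE = """<html><head>
<meta name="generator" content="Joomla!" />
<script src="/includes/js/joomla.javascript.js"></script>
<script src="/media/system/js/other.js"></script>
</head><body>
<img src="/images/design_joomla.png" alt="Joomla design" />
<a href="/index.php?option=com_content">Home</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, before, after in find_broken_refs(SAMPLE):
        print(f"<{tag} {attr}>: {before} -> {after}")
```

Each stripped URL in the result is a file name that has to exist on disk next to the original. References inside inline scripts or CSS `url()` values are not covered by this attribute scan.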

Randy Prue
Thanks again, Slaes. I am in fact reading the manual as I do this, working through the meat of it, and checking the site (then backing up, etc.). This will take a few days, a bit each day.

I also was not aware until now that the "other" Joomla stripper (replacer on the generator tag) was in there. I knew it was somewhere.

I have a few lists of what to run and what to accomplish, am working through that list.

slaes
The manual is awesome, man, best I have ever seen with any CMS 3rd party product; you can just tell lots of effort went into it.

When you get used to Admin Tools, it can easily be set up in 5 minutes from scratch. For the generator tag, put in Drupal 7 and for the other 2, put in ASP.Net, lol, pretty cheeky shit!

you'll be fine man, kick some ass!!

nicholas
Akeeba Staff
Manager
As slaes pointed out, the procedure for making sure that the Joomla! strip will not cause problems is, simply, trial and error. That's why I don't generally recommend it; most users don't have the patience to go through this process. Besides, most fingerprinting attacks look at the generator tag, HTTP headers, and try to download extension XML and translation INI files.

For the first two, you can customize the output using Admin Tools. Use something funky, which will throw off fingerprinting scripts. If you take a look at the generator of this site you'll see that it's set to "IceTeaLemon" and the HTTP header is a geeky reference to caffeine ;) Direct access to extension XML and language INI files is automatically dealt with when you enable the front-end protection in .htaccess maker. That's adequate to block most fingerprinting attacks which are used by automated hacking scripts to "harvest" a list of potential Joomla! site targets before launching unattended hacking attempts.

Nicholas K. Dionysopoulos


Randy Prue
For the manual, and since I have been writing them for decades, Nicholas' manuals are absolutely the best I have seen for any CMS product. The Joomla Pack manuals really impressed me, and the new manuals follow suit.

Thanks to both of you for the tips. I will be starting my day now, caffeine in hand, manual beside me. I also have content work to do, so I do not always have the entire day to devote to learning and applying the tools. Since the sites are live, I am doing this very cautiously.

Randy Prue
Just for an update on this point:

On 6 sites, we created a copy of joomla.javascript.js and renamed the copy to .javascript.js

If anything needs the file with either name (a JS file is read and used, not written to), well it is there with either name that may be called. As Nicholas tested it, we also tested it. It works.

Thanks to slaes for that idea. It is quite possible (I think) that the naming of this file will never actually be a problem, but what the Hay!

Side note: artist gave me design_joomla.png and in my errors on the site was file missing: design_.png ... I used slaes' tip. I copied the file. Named it design_.png and now I don't care what version is requested. It is there.

slaes
Hey Randy,

Instead of renaming joomla.javascript.js, it's best that you just copy it and then rename the copied file to .javascript.js and you're all set, covered no matter what is looked for. The file is needed for functions relating to front end JS, logging in and out properly, saving frontend articles, etc.

It's best you have both and you're covered.

Randy Prue
Hello, Slaes. Yes, I understood your instructions, and that is exactly how and why I did it... two copies. Works like a charm. I was wondering what it was for! Thank you for that information.
