Support

Admin Tools

#9895 paypal blocked by htaccess configuration

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Tuesday, 14 June 2011 16:37 CDT

Friday, 10 June 2011 11:39 CDT

mneese
Mandatory information about my setup:

Have I searched the forum before posting? yes
Have I read the Troubleshooting Wizard before posting? some
Have I read the documentation before posting? most
Joomla! version: 1.5.23
PHP version: 5.23
MySQL version: 5.1
Host: rochen
Admin Tools Professional version: 2.05


Description of my issue:
paypal updates for purchases are not completed...please refer to the log sheet attached...i have front end security at this point disabled (other complex issues), and the backend is enabled...
After installing the admin tools w/htaccess configuration, paypal no longer completes order information...
Here is list of exceptions....

DIRECT ACCESS TO FILES:

components/com_k2/k2.php
components/com_k2/js/k2.js
media/k2/galleries
components/com_uddeim/captcha15.php
components/com_virtuemart/fetchscript.php
administrator/components/com_extplorer/fetchscript.php
plugins/system/GoogleGears/gears-manifest.php
plugins/content/jw_allvideos/includes/jw_allvideos_scripts.php
plugins/content/jw_sigpro/sigpro.engine.php
plugins/content/jw_sigpro/sigpro.download.php
administrator/components/com_akeeba/restore.php
administrator/components/com_admintools/restore.php
plugins/editors/tinymce/jscripts/tiny_mce/tiny_mce_gzip.php
administrator/components/com_k2/lib/simpletabs_1.3.js
administrator/components/com_k2/js/k2.mootools.js


DIRECT ACCESS TO DIRECTORIES -php files
components/com_agora/img/members

I tried to shotgun this thing and maybe hit a directory for exception, but can't change things...this list is for the back-end directories allowed exceptions...
components
modules
templates
images
plugins

Any suggestions would be appreciated...

http://www.gertrudezachary.com




Friday, 10 June 2011 13:19 CDT

nicholas
I assume that you are talking about accepting PayPal payments with VirtueMart, right? In this case, just add the following file to the list of allowed files:

administrator/component/com_virtuemart/notify.php

In this directory you will see an assortment of .php files for payment notifications of other payment gateways. If you need to use any of them, please add these to the list of allowed files.

Note: I have talked to the VirtueMart developers about their unsafe practice of having arbitrary entry point (rogue PHP files which must be accessible over the web). They have solved this problem in the upcoming VirtueMart 2.0. All their payment notifications will go through Joomla!'s main index.php files.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Saturday, 11 June 2011 10:59 CDT

mneese
thank you. I have made the change and will monitor the logs to see if that allows paypal to update purchase information...

If and when virutemart releases v2, is this going to be easy upgrade path, do you have any idea.
Thanks for the help...

Saturday, 11 June 2011 11:52 CDT

nicholas
You're welcome! Please let me know how it goes.

Regarding VM2, as far as I know an automatic migration of your data is going to be supplied. However, since the code is completely different, every customization you may have done in VM's pages as well as most mods (which require you to modify core files) won't work and have to be rewritten in a way compatible with the new system. This is just what I understood based on a chat I had with Max. You can ask on their forum for more information :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Monday, 13 June 2011 05:02 CDT

user39777
Hi Niko,

I have a similar problem regarding PayPal payments with Virtuemart.
I use PayPal Legacy to proccess the payment. When the user hits the PayPal button to return to my site he gets a 403 page stating a bad behavior and the security log shows an entry for my IP (I am the testing user). The url is:

https://www.mysite.gr/index.php?option=com_virtuemart&page=checkout.result&order_id=43
and the security log entry is:
-------------------------------------------------------------------------------
Blocking reason: badbehaviour
-------------------------------------------------------------------------------
Date/time : 2011-06-13 08:36:55 GMT
URL : https://www.mysite.gr/index.php?option=com_virtuemart&page=checkout.result&order_id=43
User : Me_the_user
IP : my_ip
Country : GR
Continent :
UA : Mozilla/5.0 (Windows; U; Windows NT 6.0; el; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17 GTB7.1 ( .NET CLR 3.5.30729; .NET4.0E)
Bad Behavior error code : cd361abb
Technical help URL: http://www.ioerror.us/bb2-support-key?key=cd361abb

Now, at first I thought that the problem was the CSRF/Anti-spam form protection (according to the error code) and set it to NO but at the next transaction I had the same problem.
I fill bad allready that i had to disable that security setting and now I Have to test all of them to see which is the cause of my problem.
I would like your help on this Niko, please. Which setting do you think is responsible. Is there a workaround so I can keep my site safe and complete payments too?
Please note that I have a similar problem with a Eurobank ProxyPay module, but this time with htaccess frontend protection (I suspect direct access to a php script).

Thanks.

Monday, 13 June 2011 05:09 CDT

nicholas
Go to Components, Admin Tools, Web Application Firewall, WAF Configuration. Find the "Bad Behaviour Integration" checkbox and clear it. Save and the issue should go away.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Monday, 13 June 2011 05:42 CDT

user39777
Nichola, thank you for your prompt answer.
I have made the change that you advised me to and now is working smoothly.
I see now (after some testing) that both settings must be off - CSRF AND bad behavior - along with virtuemart's notify script exception at htaccess. Am I in the right track?
Also I would like your opinion on how downgraded is the security of my site now, with these options disabled.

Thank you again for your help.

Monday, 13 June 2011 06:04 CDT

nicholas
Yes, you are on the right track :)

The CSRF and Bad Behaviour options are "paranoid mode" security measures. There's no real degradation of your site's security when not using them.

Regarding VirtueMart's exception, I consider it a necessary evil. You are basically opening a backdoor to your site, as you have a script directly accessible over the web which does not go through Joomla! for sanitation and security monitoring. If there's a vulnerability in this part of VirtueMart, you are a sitting duck. This has happened in the past. Unfortunately, there are no realistic workarounds except for waiting for VirtueMart 2.0 which is supposed to solve this issue once and for all.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Monday, 13 June 2011 06:29 CDT

user39777
Nichola,

Thank you for your help so far.
As for the necessary evil... multiply that with 1-2 scripts per payment method and you have plenty of ducks:)

Thank you again.

Monday, 13 June 2011 06:31 CDT

nicholas
I know :) That's why I am not using VirtueMart on my own sites. Granted, it's the only free e-shop system. If you value your security, you may want to take a look at redSHOP (it's similar in concept to VirtueMart) or Tienda (it's much more powerful but can also get a lot anal while setting it up).

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Monday, 13 June 2011 11:51 CDT

mneese
One more question...when you mention the "virtuemart exception" in the htaccess file exceptions..is this specifically the files
"components/com_virtuemart/fetchscript.php....
administrator/components/com_extplorer/fetchscript.php"

And is that the only virtuemart file exceptions needed...is that a backend or frontend directive or both?

What am I losing if I leave the front-end off but have the backend on?

Monday, 13 June 2011 11:58 CDT

nicholas
That's the one exception. The other exception is administrator/components/com_virtuemart/notify.php for PayPal's IPN to work with VirtueMart. Since they are located in the back-end (the administrator directory) leaving the back-end protection on will still block them.

If you turn either the back-end or front-end protection off, it means that an ambitious hacker will most likely be able to access files he should not, like your extensions' XML manifests file, your translation INI files etc. This would allow a hacker to identify the versions of the software running on your site or even exploit some vulnerability in one of your extensions' PHP files. It's generally prudent to have these protections turned on and add exceptions on an as-needed basis.

Think of it like that: is it better to leave all doors open and close those that have already been used by wrongdoers to come in the building or keep them all locked except a few tightly controlled ones?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Tuesday, 14 June 2011 11:48 CDT

mneese
I hav listed this file exception, but can't find this directory...is this a default and if so is this a typo...

administrator/components/com_extplorer/fetchscript.php

I am questioning the spelling of "com_extplorer"

Tuesday, 14 June 2011 16:37 CDT

nicholas
That's a default rule and refers to the popular eXtplorer file manager component for Joomla!. It's there because many people use it and were complaining that using .htaccess Maker would break eXtplorer.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!