Support

Admin Tools

#9914 APT 2.1 Minor Issues with Anti Leach Rules

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Sunday, 26 June 2011 05:53 CDT

Saturday, 25 June 2011 23:36 CDT

slaes
Hey Nico,

Just letting you know the anti leech rule is still not quiet right. showing 403's for some js as well.

media/system/js/mootools.js
media/system/js/switcher.js
includes/js/joomla.javascript.js
media/com_admintools/images/admintools-16.png
etc

obviously will cause various minor issues, especially the js which obviously shouldn't be included.


Temp Solution to others : Don't turn Anti Leach within htaccess maker on.

Sunday, 26 June 2011 03:52 CDT

nicholas
Does this happen with Firefox? I am aware that FF does some stupid shit with the HTTP Referer header (like, forgetting to set it for all HTTPS pages) causing such issues.

Regarding the need to protect JS files, well, of course there is a need to do that :) This whole feature was devised as a counter-measure to fingerprinting scripts like BlindElephant which determine the Joomla! version by downloading and analysing static resources. If you turn off that feature, you can defend such scripts by doing something silly:
- Add a newline somewhere in the middle of the core Joomla! JS and CSS files (throws off the checksum algorithm in such fingerprinting apps)
- Recompress all core images with PNGcrush or similar (again, it throws off the checksum algorithm in such fingerprinting apps)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Sunday, 26 June 2011 03:59 CDT

slaes
I tested with chrome, but a quick check with ff reveals the same. If you enable and say go to control panel --> global config, you see the resource relating to the js wont load, obviously causing some issues. I image it will do the same thing with front end editing. Let me know what you think.

Sunday, 26 June 2011 05:01 CDT

nicholas
Um... I can't replicate it here :( Can you use Chrome's Developer Tools to do some debugging which will help me? I want you to go to the Network tab, click on the file which doesn't load and click on the Headers tab. Is there a Referer property listed in the Request Headers? If yes, what does it read? Also, tell me the Request Method and Status Code printed on the very top of the Headers tab. Hopefully I will understand WTF is going on :D

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Sunday, 26 June 2011 05:23 CDT

slaes
referrers are administrator/index.php?option=com_config and request methods GET with 403's.

see all file names attached.

So it wont replicate on your cpanle->global config at all?

Sunday, 26 June 2011 05:42 CDT

nicholas
OK, that's the problem. The HTTP Referer doesn't include the domain name. Since we are filtering by domain name, the check fails and the 403 is thrown. According to RFC 2616:

If the field value is a relative URI, it SHOULD be interpreted relative to the Request-URI. The URI MUST NOT include a fragment.


The problem is that a relative URI (like the one reported by Chrome) does not guarantee that the Referer doesn't just include random garbage instead of an existing resource on your site.

So, maybe I should just remove that option altogether. When I created it, almost two years ago, all browsers would send absolute URIs. Nowadays, it seems that they all send relative URIs, making this feature useless :(

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Sunday, 26 June 2011 05:48 CDT

slaes
agreed man, it was handy however personally have not used it in production since 201, when i think it started showing up.

Its worth the post so at least other who experience this behavior will be able to find and action accordingly.

Sunday, 26 June 2011 05:53 CDT

nicholas
Yeap. And I am going to remove that feature from the next version of Admin Tools. It doesn't make much sense anymore.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!