Released on: Thursday, 26 January 2017 18:00
Remote PHP protocol block (PHPShield).
An attacker could exploit a local file inclusion vulnerability to read the content of any file on the server using
a query string parameter which uses a PHP warpper, i.e. a URL-like format of files. For example
This attack was brought to the limelight by SANS.
The new PHPShield feature protects against this kind of attack.
Prevent the plugin from being disabled through the Manage Plugins page. If this feature is enabled and you try disabling the plugin through the Manage Plugins page of Joomla it will refuse to be disabled (unpublished) and issue a warning. This makes it harder for an attacker who has compromised your site administrator login to disable Admin Tools as long as you are also using the Master Password feature. The same can be said for curious clients who would otherwise inadvertently disable Admin Tools without your knowledge.
Email when Global Configuration and / or component Options changes take place. Whenever Admin Tools detects a change in either your site's Global Configuration or a component's Options settings it can send you an email. This serves as an early warning that a hacker, or a curious client, is modifying settings which could be potentially dangerous.
Prevent backend account creation from the frontend of the site.
On a normally operating site you should never, ever have the option of creating a user account with
administrator back-end access from the public front-end of the site. When you enable this new feature Admin Tools
will make sure that this rule is enforced as long as the component handling account creation does go through the
JUser API. To the best of our knowledge all major components, even that certain very
popular e-commerce component with a series of security issues related to account creation from the front-end of the
site they falsely attribute to non-existent Joomla bugs, use the Joomla API.
Suggest turning on Enable IP Workarounds when we see local network IPs being automatically blocked. This is a convenience feature. You often ask us whether you should enable the IP workarounds feature or not. We can not know unless you end up getting a reserved local network IP blocked repeatedly. Now Admin Tools can detect this issue and suggest you to enable IP workarounds without you having to file a support ticket to ask us.
Include the whole request in the file log while using the WAF Blacklist feature. Another convenience feature. The WAF Blacklist feature is extremely powerful but you can easily block legitimate content. This feature logs the entirety of the blocked request, allowing you to figure out what is being blocked and why.
Warning (with documentation link) when you have too many blacklisted IPs. As we have iterated many times: you are NOT supposed to permanently blacklist every single IP you see attacking. Most of these are throw-away IPs which will be assigned to a different ISP client later. IP blocking is best applied automatically and temporarily. When you have loads of blacklisted IPs you make your site slower, eat up memory for no reason and end up blocking legitimate requests. Therefore when we detect that we will issue a warning to let you know.
Bugfixes. A couple of minor things like failing to create file differences ("diffs") from the CLI version of the PHP File Change Scanner, the ordering in the Scan Results page being off and link migration being enabled despite not entering any old domains (leading to an epic failure) were addressed.
This version of Admin Tools will only work on Joomla 3.4 and later versions, maybe including the upcoming Joomla 3.7 release. At the time of this writing Joomla! 3.7 is still in the alpha stage. As such it's too early to tell if the current version of our software will be compatible with the final version of Joomla! 3.7. In case adjustments need to be made we shall release a new version of our software in due time.
We VERY STRONGLY advise you to update to the latest released version of Joomla! at all times. Admin Tools' support for older versions of Joomla! is only meant to be a temporary workaround while you're working on the update of your site.
Please note that we will only provide full support for the latest Joomla! version. Some features may not work at all in older Joomla! versions. We've thoroughly tested the security critical Web Application Firewall features against the supported versions of Joomla! as stated above and found them to be working properly.
Support for PHP 5.3 is discontinued. It's end of life since August 2014 and widely considered a security risk, unfit for production sites. Our software requires PHP 5.4 or later and is compatible with PHP 5.4, 5.5, 5.6, 7.0 and 7.1. Please note that as of January 2017 PHP 5.6 has entered the long term support phase: bugs are NOT fixed, only major security issues will be fixed. Therefore we strongly recommend using PHP 7.1.
We'd like to remind you that Joomla! 3.4 does NOT support PHP 7. PHP 7 is only supported by Joomla! 3.5.0 and later versions. Admin Tools will work perfectly fine (and very fast!) on a Joomla! 3.6 or later site running on PHP 7.1.