Support

Admin Tools

#20718 Security Exceptions Issue

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Friday, 03 October 2014 17:20 CDT

Tuesday, 12 August 2014 18:44 CDT

lightstyle
 Hello team,

Over the last 2 weeks Admin Tools firewall has been locking me out a lot and via different pages. It has even been doing it with IP added to the IP Whitelist!

A few examples from the Security Exceptions Log, all with reason Admin Query String:

/administrator/index.php?option=com_content&view=article&layout=edit&id=86
/administrator/index.php?option=com_content&view=articles
/administrator/index.php?option=com_acymailing&ctrl=list
/administrator/index.php?option=com_acymailing&ctrl=newsletter
/administrator/
/administrator/index.php
/administrator/index.php?option=com_admintools&view=waf
/administrator/index.php?option=com_admintools&view=logs

Any suggestions?

Thanks,
Andre

Wednesday, 13 August 2014 02:00 CDT

tampe125
Hello Andre,

after how many security exceptions are you banning an user?
Please remember that if you are using a secret param to connect to your site, when you logout or your session expires you will trigger a security exception.
This is supposed to happen, since Joomla destroys the session (where we store the info that you entered the correct secret param) and then performs a redirect to the administrative page, without the secret param.

Regarding the WhiteList, are you sure your IP is not changed? Did you enabled the WhiteList feature inside the WAF config page?

Davide Tampellini

Developer and Support Staff

๐Ÿ‡ฎ๐Ÿ‡นItalian: native ๐Ÿ‡ฌ๐Ÿ‡งEnglish: good โ€ข ๐Ÿ• My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 13 August 2014 20:18 CDT

lightstyle
Hi mate,

Banning a user after 3 attacks in 10 minutes. Have increased to 5 in 15 min. Reckon it's good?

I am using a secret param but Admin Tools triggers a security exception while I'm logged and using the backend

I'm sure my IP has not changed. Do you mean setting Configure WAF >> Basic Protection Features >> Allow administrator access only to IPs in Whitelist to YES? If that's what you mean, I have set as NO due to the fact that one of our super admin uses dynamic IP....

What puzzles me is the fact that WAF had been running for weeks without any issues and all of a sudden it started kicking me out...

As an example, right now while configuring WAF, Admin Tools has thrown the following Security Exceptions Log;

/administrator/index.php?option=com_admintools&view=wafconfig
/administrator/index.php?option=com_admintools&view=waf

Quite lost here really.

Thursday, 14 August 2014 01:51 CDT

tampe125
I suspect there is a system plugin that is triggering security exceptions.
Can you please try to disable all non-core system plugins one by one until the security exception disappears?

Davide Tampellini

Developer and Support Staff

๐Ÿ‡ฎ๐Ÿ‡นItalian: native ๐Ÿ‡ฌ๐Ÿ‡งEnglish: good โ€ข ๐Ÿ• My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 14 August 2014 04:27 CDT

lightstyle
mmm, that would be a nearly impossible mission and too much of a vague approach.

1 - the main site in question is huge, full featured and belongs to an event that is at boiling point with ticket sales, blog posts, newsletters and etc

2 - the issue is not happening on a single website/domain. i can name at least 3 recent site, with joomla 2.5.x and 3.3.x, with different components and plugins

3 - if security exceptions are being triggered by all sorts of components, including com_admintools

4 - it would take forever as I'd have to disable a plugin, perform random actions on the site, wait and check for exceptions, enable plugin and back to square one...

Thursday, 14 August 2014 10:33 CDT

tampe125
I have to ping Nicholas about this issue; however at the moment he is out of office for a couple of days, so it could take a little longer to get an answer.

Davide Tampellini

Developer and Support Staff

๐Ÿ‡ฎ๐Ÿ‡นItalian: native ๐Ÿ‡ฌ๐Ÿ‡งEnglish: good โ€ข ๐Ÿ• My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 14 August 2014 11:30 CDT

nicholas
#3 is an obvious falsehood. The security exceptions ARE NOT raised by Admin Tools. Its behaviour can't raise any exception. Therefore, as Davide said, it has to be a third party plugin.

Alternatively, something logs you out of your site's back-end in a very sort amount of time. This triggers security exceptions with the secret URL parameter and / or changed administrator URL features.

It would actually be easier for us to help if we had not to guess what kind of exception is raised. First go to Admin Tools, Web Application Firewall, Configure WAF. Make sure "Log security exceptions" is set to Yes; if it's not, set it to Yes and click on Save. Now try reproducing your issue. Immediately after that, please go to Admin Tools, Web Application Firewall, Security Exceptions Log. The latest log entry at the top should have the date and time of when the issue occurred. Please copy the Reason and Target URL here so that we can further help you.

Nicholas K. Dionysopoulos

Lead Developer and Director

๐Ÿ‡ฌ๐Ÿ‡ทGreek: native ๐Ÿ‡ฌ๐Ÿ‡งEnglish: excellent ๐Ÿ‡ซ๐Ÿ‡ทFrench: basic โ€ข ๐Ÿ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 28 August 2014 22:23 CDT

lightstyle
Hello Nicholas,

I had it set for banning a user after 3 attacks in 10 minutes and have since increased to 5 in 15 min. I have just tried to generate a security exception and it didn't happen. At this stage I'm not sure if it's due to the banning settings or IP change.

Either way the info bellow was extracted from the Security Exceptions Log, all with reason Admin Query String:

/administrator/index.php?option=com_content&view=article&layout=edit&id=86
/administrator/index.php?option=com_content&view=articles
/administrator/index.php?option=com_acymailing&ctrl=list
/administrator/index.php?option=com_acymailing&ctrl=newsletter
/administrator/
/administrator/index.php
/administrator/index.php?option=com_admintools&view=waf
/administrator/index.php?option=com_admintools&view=logs

I believe this ticket can be on hold for now and if I start being kicked out again I'll touch base?

Thanks,
Andre

Friday, 29 August 2014 02:41 CDT

nicholas
Unfortunately, my guess was right. Something logs you out of your site's back-end in a very sort amount of time. This triggers security exceptions with the secret URL parameter (this is what Admin Query String means). Seeing the URLs being all over the place I can tell that it's not the fault of a specific component as it happens to pretty much any component.

The only things left to look at are:

* What is the session expiration time in your Global Configuration? Maybe you need to increase it.
* Does your Internet connection change its IP address too frequently? This could hamper your ability to stay logged in to Joomla!.
* Do you have a plugin which cleans / purges the Joomla! sessions? This could explain why you're being kicked out all the time from your site. If your session is killed you are immediately logged out. In fact that's exactly how logging out works: your session is destroyed.

Nicholas K. Dionysopoulos

Lead Developer and Director

๐Ÿ‡ฌ๐Ÿ‡ทGreek: native ๐Ÿ‡ฌ๐Ÿ‡งEnglish: excellent ๐Ÿ‡ซ๐Ÿ‡ทFrench: basic โ€ข ๐Ÿ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Tuesday, 02 September 2014 18:52 CDT

lightstyle
Hi Nicholas,

I have increased the Session Lifetime to 60 minutes and will monitor how it goes. Funny thing is that I have always had it as 15 minutes and never had problems before.

No, my ISP doesn't change the IP often at all.

I use Quick Cache Cleaning http://extensions.joomla.org/extensions/core-enhancements/performance/cache/23595 but the cleaning is done manually. Again, I have been using this module forever and never had problems.

Quite a mystery really...

Thanks,
Andre

Friday, 03 October 2014 17:20 CDT

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
Edited by on 2014-10-03 17:20 CDT

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!