Support

Admin Tools

#23578 false SQLi Shield block?

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Saturday, 28 November 2015 17:20 CST

Tuesday, 27 October 2015 18:35 CDT

bobhembree
 I run a membership site and a member began having problems posting in Kunena. Admin tools showed his Brazilian IP as a SQLi violation. I talked with him and he uses a Mac with Firefox browser. Another member had the same problem today who I suspect also uses a Mac. This is all new, I've never had this problem reported before. It all began within the last couple days, and it's probably happening to others who haven't reported it yet.
Recent changes I've made on the site were the Akeeba updates (admin and backup) and I installed JChatSocial for the first time to replace Comet Chat. I had JChatSocial integrating with Kunena, then turned that plugin off in case it was related to the problem.
Any ideas of what I can do or check for?

All my best,
Bob Hembree
writersvillage.com

Wednesday, 28 October 2015 02:29 CDT

tampe125
Hello Bob,

in the Exception log you should see the blocked URL, could you please paste it here?

Davide Tampellini

Developer and Support Staff

๐Ÿ‡ฎ๐Ÿ‡นItalian: native ๐Ÿ‡ฌ๐Ÿ‡งEnglish: good โ€ข ๐Ÿ• My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 28 October 2015 05:05 CDT

bobhembree
https://writersvillage.com/members/forum

I also received this message from the member since last night:

Hi Bob,



I finally got it to work. I had to retype my post directly into the message window, but it worked. I think there must have been something wrong with the text I was trying to copy from my word processor and paste into the message window. It is a little strange. I usually type in a word processor and paste into the window and it always worked before. I tried again with a different piece of text and that worked fine. So, it was just this specific piece of text that I couldn't paste into the window. Not sure why. I'll try to figure out what I did and let you know.



Thanks!
Edited by bobhembree on 2015-10-28 05:08 CDT

Wednesday, 28 October 2015 05:35 CDT

tampe125
I suppose you have an editor in your forum, right?
Sadly when posting data from a word processor (ie Microsoft Office Word) it carries all the markup, usually in the form of XML entities. I suspect such code style triggered the security exception.
The only solution is to avoid copy/pasting from word processors, since they will include a lot of cruft

Davide Tampellini

Developer and Support Staff

๐Ÿ‡ฎ๐Ÿ‡นItalian: native ๐Ÿ‡ฌ๐Ÿ‡งEnglish: good โ€ข ๐Ÿ• My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 28 October 2015 05:53 CDT

bobhembree
This a writer community, so thousands of posts are copied and pasted from words processors..It seems a handful of Mac users have the most problems with this. I've pasted from Word (PC) almost daily for many years and never had a problem.
What has me scratching my head is these same highly-active members hadn't had this problem until the last few days. Something changed.
I'll see what else I can learn about the differences between Mac and PC copy and paste.
Thanks.

Wednesday, 28 October 2015 06:19 CDT

tampe125
We tightened the SQL injection rules, that's why you are getting some false positives.
Could you please attach the text of a blocked post? I'd need the raw text, containing the markup style.

Davide Tampellini

Developer and Support Staff

๐Ÿ‡ฎ๐Ÿ‡นItalian: native ๐Ÿ‡ฌ๐Ÿ‡งEnglish: good โ€ข ๐Ÿ• My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 28 October 2015 07:16 CDT

bobhembree
I'm not exactly sure how to get the raw text second hand. Should I get the original document as an attachment, have it pasted in an email or put the users IP on a temporary do not block list and ask him to try to post on the forum?. I'm afraid copying and pasting will strip the formating.
Edited by bobhembree on 2015-10-28 07:18 CDT

Wednesday, 28 October 2015 08:22 CDT

tampe125
Try to whitelist the user IP and ask him to post in the forum.
Then you'll have to see the HTML code of that text, paste inside a document, zip it and attach it here (otherwise it will trigger security exceptions)

Davide Tampellini

Developer and Support Staff

๐Ÿ‡ฎ๐Ÿ‡นItalian: native ๐Ÿ‡ฌ๐Ÿ‡งEnglish: good โ€ข ๐Ÿ• My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 28 October 2015 10:54 CDT

bobhembree
After putting user's IP on the whitelist, he was able to post, duplicating what he had done to get the 403 error previously. In edit mode, all that's visible is basic BBcode for italics. There is one potential sequence of characters that might be worth looking at. I've highlighted it in the screenshot..
I remember a few years ago I had trouble posting something. It had something to do with the word/punctuation combination.

Wednesday, 28 October 2015 11:22 CDT

tampe125
Could you please attach the whole text, so I can test it?

Davide Tampellini

Developer and Support Staff

๐Ÿ‡ฎ๐Ÿ‡นItalian: native ๐Ÿ‡ฌ๐Ÿ‡งEnglish: good โ€ข ๐Ÿ• My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 28 October 2015 11:26 CDT

bobhembree
Attached is the text requested..

Thursday, 29 October 2015 04:43 CDT

tampe125
It seems this is a false positive. The words INSERT IN TO (I had to write them separated or I would trigger the same exception here) are raising Admin Tools SQL shield.
I'll try to find a workaround for that.

Davide Tampellini

Developer and Support Staff

๐Ÿ‡ฎ๐Ÿ‡นItalian: native ๐Ÿ‡ฌ๐Ÿ‡งEnglish: good โ€ข ๐Ÿ• My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 29 October 2015 05:06 CDT

tampe125
The only option is to create a WAF exception: in this way you will be turning off Admin Tools WAF only for a specific component/view

Davide Tampellini

Developer and Support Staff

๐Ÿ‡ฎ๐Ÿ‡นItalian: native ๐Ÿ‡ฌ๐Ÿ‡งEnglish: good โ€ข ๐Ÿ• My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 29 October 2015 05:53 CDT

bobhembree
Forum access is only available to logged on members, so this may work for us.
I want to make sure I understand this correctly.
To prevent false positives on Kunena forum posts, I create a New WAF Exception and enter "com_kunena" into the Component text box, then save?

Thursday, 29 October 2015 06:00 CDT

tampe125
Yes, that's right.

Davide Tampellini

Developer and Support Staff

๐Ÿ‡ฎ๐Ÿ‡นItalian: native ๐Ÿ‡ฌ๐Ÿ‡งEnglish: good โ€ข ๐Ÿ• My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Saturday, 28 November 2015 17:20 CST

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
Edited by on 2015-11-28 17:20 CST

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!