#23750 Admin Tools blocks Kunena posting if message contains MySQL code

Posted in ‘Admin Tools for Joomla! 4 & 5’
Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Friday, 25 December 2015 17:20 CST

baijianpeng
I tried to post a message on my Kunena forum; that message text contains a piece of MySQL code. Then, after I clicked the "submit" button of Kunena, I got the following error:

Error: 403 - This request is blocked by Admin Tools. Please change this message in the component's options.
It seems that Admin Tools refuses MySQL code submissions to ensure safety. But I do need to paste MySQL code in forum posts to give answers for those topics.

How and where can I configure Admin Tools to stop blocking this code? At least, allow the Admin user to do this? (I was logged in as Admin when I was posting that message.)

Thank you.

nicholas
Akeeba Staff
Manager
This is exactly what the SQLiShield protection in Admin Tools is supposed to do: block any request with a query value containing what appears to be SQL code. My suggestion is to put your SQL code in a .txt file and attach it to your ticket reply.

The other alternative is to create a WAF Exception for Kunena. If you can find out what the field name being posted by Kunena is, I can tell you exactly how to do it. Please note that if, at some point in the future, Kunena is found to have a SQL injection vulnerability which involves this field, you will not be protected.

Finally, there's the nuclear option: disable SQLiShield altogether. Please note that by doing so you are no longer protected against SQL injection attacks.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

baijianpeng
Hi, I would like to create a WAF Exception for Kunena.

But I don't know how to.

What do you mean by "find out what is the field name being posted by Kunena"? Do you mean the database table prefix? Or the database column name of Kunena?

If not, then what is it and where can I find it?

Thank you.

nicholas
Akeeba Staff
Manager
Go to Admin Tools, Web Application Firewall, WAF Exceptions and click on the green New button in the toolbar. Enter the following:
Component: leave this blank
View: topic
Query Parameter: message
Click on Save & Close


baijianpeng
Hi,

Thank you for your help.

Why leave the "Component" field blank?

Can I just input "com_kunena" for Component field to make it specific to Kunena forum?

Thank you.

tampe125
Akeeba Staff
Hello,

Nicholas is currently out of office, so I'm taking this ticket.
Please try using com_kunena for the component option. If it's not working, please try leaving that field blank; that should do the trick.

Davide Tampellini

Developer and Support Staff

🇮🇹 Italian: native 🇬🇧 English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
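The behaviour the two staff replies describe, as an added, constructed model (not Admin Tools' own code, whose SQLiShield signatures are not shown in this thread): a request filter that flags parameters containing SQL-looking text, and a WAF Exception keyed on component, view and query parameter that exempts one field from that check. The exempted field is skipped entirely, which is the trade-off Nicholas warns about; the sample Kunena request, the patterns and the class names are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed patterns standing in for SQLiShield's real signatures (not on this page).
SQL_PATTERNS = [re.compile(p, re.IGNORECASE | re.DOTALL) for p in (
    r"\bunion\b\s+(?:all\s+)?select\b",
    r"\bselect\b.+?\bfrom\b",
    r"\binsert\s+into\b",
    r"\bupdate\b.+?\bset\b",
    r"\bdrop\s+table\b",
)]


@dataclass(frozen=True)
class WafException:
    component: Optional[str]  # "com_kunena", or None to match any component
    view: Optional[str]       # "topic", or None to match any view
    query_param: str          # request variable that is exempted, e.g. "message"

    def applies_to(self, request: dict, param: str) -> bool:
        return (self.query_param == param
                and (self.component is None or self.component == request.get("option"))
                and (self.view is None or self.view == request.get("view")))


def looks_like_sql(value: str) -> bool:
    return any(p.search(value) for p in SQL_PATTERNS)


def inspect_request(request: dict, exceptions: list) -> Optional[str]:
    """Return the name of the first parameter that trips the filter, or None if the
    request passes. An exempted parameter is not inspected at all."""
    for name, value in request.items():
        if name in ("option", "view"):
            continue  # Joomla routing variables, not user content
        if any(exc.applies_to(request, name) for exc in exceptions):
            continue  # covered by a WAF Exception: no SQL check on this field
        if looks_like_sql(str(value)):
            return name
    return None


# Constructed sample: a Kunena reply whose body is a harmless SQL snippet.
KUNENA_POST = {"option": "com_kunena", "view": "topic", "subject": "Re: query help",
               "message": "Try: SELECT id, username FROM #__users WHERE block = 0;"}
# The exception Nicholas describes: Component blank, View "topic", Query Parameter "message".
KUNENA_EXCEPTION = WafException(component=None, view="topic", query_param="message")
```

Scoping the exception to the view and parameter keeps the same SQL-looking text blocked when it shows up in another field or another Kunena view.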

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
