#25866 Admintools :

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by on Saturday, 10 September 2016 17:20 CDT

Hableur
 Hello,

I have a problem with Web Application Firewall. "Allow administrator access only to IPs in Whitelist" is set to 'no' (non in French) but Admin Tools works like it was set to 'yes'. When I try to connect to the administrator folder with another IP than mine, I am redirected through the frontoffice page.

Have I forgotten something?

Sincerely

dlb
Two other things will do that:
  1. In Configure WAF, on the first tab, if there is a value in the Administrator secret URL parameter field, you need to call your administrator login page with www.mysite.com/administrator/index.php?secret
  2. The second thing that will do it is the Away schedule in the field directly below that one


Dale L. Brackin
Support Specialist


English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5)

Hableur
Thanks a lot. So if I have understood correctly, if I leave the Administrator secret URL parameter field empty this behaviour doesn't happen?

Another question, perhaps another ticket?

I authorized, via the Admin Tools htaccess, access to a PHP file which is at the root of the site, myfile.php.

The problem is that get variables which are in the URL (like http://mysite/myfile.php?myvariable=value) seem not to be passed to the file, but filtered by htaccess.

Sincerely

dlb
That is correct, if the field is blank, you do not have to pass the parameter to log in. The feature would be disabled. It is a pretty good security feature, the bad guys can't brute force your admin user and password if they can't find the login screen. It is fairly transparent to the user, you just put it in your bookmarks with the parameter.

We should let the parameters be passed along. Please save your current .htaccess file and use the htaccess.txt file instead. That is the standard Joomla! .htaccess file. We use that one as a "known good" file for testing things like this. Does your php file work with Joomla!'s .htaccess file?


Dale L. Brackin
Support Specialist



Hableur
Thanks,

About .htaccess, it's just what I did this morning, to let my site work. And it works.

Sincerely

nicholas
Akeeba Staff
Manager
When you allow direct access to a .php file you are only letting the file run i.e. not get blocked by the front-end or back-end protection. The other options of the .htaccess Maker still apply to this file.

For what it's worth, SIMPLE options like myOption=myValue are NOT blocked. However, if you would try something which is a file path it would be blocked by "Protect against common file injection attacks". If you use a complex hash which is similar to PHP's easter eggs then the "Disable PHP Easter Eggs" feature would prevent it from running. Likewise, if you have enabled "Block access from specific user agents" and you're using one of the user agents listed in "User agents to block, one per line" in whatever tries to access that PHP script then you will also get blocked.

Try disabling some of these options to see what is actually blocking you and then think why the user agent string of the client trying to access the file and/or the parameters you are sending in GET or POST are triggering one of the protections you have enabled in .htaccess Maker.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
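
An added example, not part of the original ticket and not Akeeba's code: a small triage helper that checks a request against the three protections named in the reply above, so you know which option to disable first when testing. The regular expressions and the blocked agent list are illustrative assumptions, not the rules that .htaccess Maker actually writes.

```python
import re
from urllib.parse import urlsplit

# ASSUMPTION: approximations of the three protections named in the reply.
# They are NOT copied from Admin Tools; compare with your generated .htaccess.
FILE_PATH_VALUE = re.compile(
    r"[A-Za-z0-9_]=(https?://|(\.\./)+|/[A-Za-z0-9_.]+/)", re.I)
EASTER_EGG_LIKE = re.compile(
    r"=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
# Constructed stand-in for "User agents to block, one per line".
BLOCKED_AGENTS = ["ExampleBot", "ExampleScraper"]


def triage(url, user_agent, blocked_agents=BLOCKED_AGENTS):
    """Return the names of the protections this request would likely trip."""
    # Apache matches %{QUERY_STRING} without URL-decoding it, so the raw
    # query string is inspected here as well.
    query = urlsplit(url).query
    hits = []
    if FILE_PATH_VALUE.search(query):
        hits.append("Protect against common file injection attacks")
    if EASTER_EGG_LIKE.search(query):
        hits.append("Disable PHP Easter Eggs")
    ua = user_agent.lower()
    if any(agent.lower() in ua for agent in blocked_agents):
        hits.append("Block access from specific user agents")
    return hits


# Constructed sample requests against the file from the ticket.
SAMPLES = [
    ("http://mysite/myfile.php?myvariable=value", "Mozilla/5.0"),
    ("http://mysite/myfile.php?file=../../configuration.php", "Mozilla/5.0"),
    ("http://mysite/myfile.php?tpl=/tmp/cache/page.php", "Mozilla/5.0"),
    ("http://mysite/myfile.php?token=PHP0123abcd-0123-4567-89ab-0123456789ab",
     "Mozilla/5.0"),
    ("http://mysite/myfile.php?myvariable=value", "ExampleBot/1.0"),
]

if __name__ == "__main__":
    for url, agent in SAMPLES:
        result = triage(url, agent) or ["no protection matched"]
        print(f"{url} [{agent}] -> {', '.join(result)}")
```

An empty result for a request that is still being blocked points to a different .htaccess Maker option or to the WAF itself.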

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
