#35916 User blocked in backend using com_invoice

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by BigStef on Sunday, 03 October 2021 13:54 CDT

BigStef

Hi,
I gave backend access to a manager who has to work with Invoice Manager from https://www.joomlathat.com
Regularly, that person is blocked by Admin Tools.
I cannot choose the "Never block these IPs" option as she often has a different IP.
But I have added this user to the "Protected users" in "Configure WAF".
I have also added in the "WAF Exceptions":

  • Component : com_invoices
    View : all
    Query parameter : all

But this user is still regularly blocked.
Here's an example of a blocked query (seen in the "Blocked Request Log"):

  • 2021-09-08 13:47:50 EDT
    208.114.129.112
    Admin Query String
    https://mydomain.com/administrator/index.php?option=com_invoices&controller=invoices&task=load_items&limitstart=0&status_id=&filter_currency_id=0&cal_start=&cal_end=&filter_order=i.id&filter_order_Dir=DESC&type=1&keywords=rque&_=1631120633191

Or another one is:

  • 2021-09-08 12:05:09 EDT
    208.114.129.112
    Admin Query String
    https://mydomain.com/administrator/index.php?option=com_invoices&controller=invoices&task=load_items&limitstart=0&status_id=&filter_currency_id=0&cal_start=&cal_end=&filter_order=i.id&filter_order_Dir=DESC&type=1&keywords=l&_=1631115256794

I need your advice so this user will not be blocked again when using com_invoice on the backend.
Is there any solution for that?

Thanks in advance for any advice.

Stephan Herby PAO Production New Caledonia - Canada - France

nicholas
Akeeba Staff
Manager

The Web Application Firewall does not block backend (administrator) requests, therefore the WAF Exceptions page has no effect. It will only block users based on the IP exclusive allow / deny lists and apply very few backend features such as disabling the creation/editing of backend users, monitoring Super Users and critical files and of course enforcing the secret URL parameter.

As you can see in your blocked requests log the reason the request was blocked is that you were not logged into your backend and did not provide the secret URL parameter either.

If this backend URL is presented to your users in the frontend of the site then STOP USING THAT INVOICING EXTENSION, IT HAS A FATAL SECURITY FLAW. A frontend extension must never, EVER provide a backend URL. The administrator application is off-limits to frontend users. While you could disable the secret URL parameter I would recommend against it, because the problem is not that the protection doesn't work; the problem is that the protection does work and is triggered by something anomalous, therefore the root cause is the extension that is causing the anomalous request.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

BigStef

Hi Nicholas,

thank you very much for your answer.

Actually, what I do not understand is that the user is logged in to the backend. So there's no backend URL in the frontend (phew :). That's where Admin Tools blocked her. And I have to erase her IP each time she's blocked in Admin Tools. But everything happens in the backend (hope you understand what I mean).

Any advice?

Stephan Herby PAO Production New Caledonia - Canada - France

nicholas
Akeeba Staff
Manager

Okay, that's good for the 3PD extension :)

I can also tell you what happened.

Her session expired.

Either set the session expiration time higher (in Global Configuration) or try to explain to the user that they need to load a page in the backend every X minutes to avoid this happening to them.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
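The two replies above explain the mechanism: an "Admin Query String" block means a backend request arrived without a logged-in session and without the secret URL parameter, and a background AJAX call from a stale admin tab is the benign way that happens. The following triage script is an added example, not code from the ticket or from Admin Tools; it parses constructed log lines in the shape of the Blocked Request Log entries quoted above (pipe-separated here for simplicity), and labels each block as expired-session component traffic or an anonymous backend probe. The secret parameter name is a placeholder, not a real value.

```python
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the two entries quoted in the ticket plus one
# constructed anonymous request to /administrator/ for contrast.
SAMPLE_LOG = """\
2021-09-08 13:47:50 EDT|208.114.129.112|Admin Query String|https://mydomain.com/administrator/index.php?option=com_invoices&controller=invoices&task=load_items&limitstart=0&status_id=&filter_currency_id=0&cal_start=&cal_end=&filter_order=i.id&filter_order_Dir=DESC&type=1&keywords=rque&_=1631120633191
2021-09-08 12:05:09 EDT|208.114.129.112|Admin Query String|https://mydomain.com/administrator/index.php?option=com_invoices&controller=invoices&task=load_items&limitstart=0&status_id=&filter_currency_id=0&cal_start=&cal_end=&filter_order=i.id&filter_order_Dir=DESC&type=1&keywords=l&_=1631115256794
2021-09-08 03:12:40 EDT|198.51.100.7|Admin Query String|https://mydomain.com/administrator/index.php
"""

@dataclass
class BlockedRequest:
    when: datetime
    ip: str
    reason: str
    url: str

def parse_log(text: str) -> list[BlockedRequest]:
    """Parse 'timestamp ZONE|ip|reason|url' lines into BlockedRequest records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, reason, url = line.split("|", 3)
        # The zone abbreviation is dropped; the log shows the site's local time.
        when = datetime.strptime(ts.rsplit(" ", 1)[0], "%Y-%m-%d %H:%M:%S")
        entries.append(BlockedRequest(when, ip, reason, url))
    return entries

def classify(entry: BlockedRequest, secret_param: str = "SECRET_PARAM_PLACEHOLDER") -> str:
    """Label an 'Admin Query String' block. secret_param is an assumed placeholder."""
    if entry.reason != "Admin Query String":
        return "other"
    parts = urlsplit(entry.url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if secret_param in qs or not parts.path.endswith("/administrator/index.php"):
        return "other"
    option = qs.get("option", [""])[0]
    # A component task plus jQuery's "_" cache-buster is the signature of a
    # background request from an already-open admin page, which fails
    # once the backend session has expired (the ticket's case).
    if option.startswith("com_") and "task" in qs and "_" in qs:
        return "expired-session-ajax"
    return "anonymous-probe"

def summarize(entries: list[BlockedRequest]) -> dict[str, dict[str, int]]:
    """Count labels per source IP so repeat 'expired-session' IPs stand out."""
    per_ip: dict[str, dict[str, int]] = {}
    for e in entries:
        bucket = per_ip.setdefault(e.ip, {})
        label = classify(e)
        bucket[label] = bucket.get(label, 0) + 1
    return per_ip
```

An IP whose blocks are all "expired-session-ajax" points to the session-lifetime fix Nicholas describes rather than to an IP allow-list entry.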

BigStef

Haha OK, as simple as that!

I will have a discussion with her then...

Thanks for your time.

Stephan Herby PAO Production New Caledonia - Canada - France
