#40267 YOOtheme front-end editing blocked

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: 5
PHP version: 8.1
Admin Tools version: latest

Latest post by woluweb on Friday, 09 February 2024 02:42 CST

woluweb

Hi,

Admin Tools throws a 403 error when editing a Page from the front-end with YOOtheme (last month it was not doing it, I think, so maybe something has changed on their side).

What exactly should I introduce as an exception in the WAF, knowing that the blocked URL is the following?

Txs very much!

/fr/component/ajax/?p=customizer&templateStyle=12&section=builder&format=html&site=https%3A%2F%2Fbaohqn.n0c.world%2Ffr%2F&return=https%3A%2F%2Fbaohqn.n0c.world%2Ffr%2F%3Fview%3Dform%26layout%3Dedit%26a_id%3D1%26return%3DaHR0cHM6Ly9iYW9ocW4ubjBjLndvcmxkL2ZyLw%3D%3D

nicholas
Akeeba Staff
Manager

The problem is that they are using a full URL as a URL parameter instead of base64-encoding it first (the former is what spammers do, the latter is the One True Joomla! Way Of Doing Things).

If you do not see the blocked request in the Blocked Requests Log then it's blocked by the .htaccess file. The one thing I can think of which would block that is the .htaccess Maker's "Protect against common file injection attacks" feature.

Otherwise, tell me the Reason listed in the Blocked Requests Log page. Probably Direct File Inclusion shield (DFIShield) would block it, depending on the content of the page.

Nicholas K. Dionysopoulos

Lead Developer and Director


woluweb

Txs for showing me the way.

The page was not blocked when I simply disabled all "Admin Tools" in System > Manage > Extensions, so clearly it was not caused by my ".htaccess".

So I went in the logs of Admin Tools and saw that the Reason was "template= in URL".

I switched off the "Block template=foo site template switch" in the WAF Cloaking Options... and now everything works fine :)

Txs again. I close the ticket :)
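
The triage done in this thread can be repeated on any blocked request before deciding which WAF feature to relax. The following is an added example, not part of the original ticket and not Admin Tools code: it walks the blocked URL's parameters and reports raw URLs, base64-encoded URLs and template-like parameter names. The helper names are hypothetical, and the check for names beginning with `template` is an assumption about what the "template= in URL" reason reacts to, since the ticket gives only the reason string and the option name.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qsl

# Blocked request copied from the ticket above.
BLOCKED = ("/fr/component/ajax/?p=customizer&templateStyle=12&section=builder&format=html"
           "&site=https%3A%2F%2Fbaohqn.n0c.world%2Ffr%2F"
           "&return=https%3A%2F%2Fbaohqn.n0c.world%2Ffr%2F%3Fview%3Dform%26layout%3Dedit"
           "%26a_id%3D1%26return%3DaHR0cHM6Ly9iYW9ocW4ubjBjLndvcmxkL2ZyLw%3D%3D")


def is_url(value):
    return value.lower().startswith(("http://", "https://"))


def b64_url(value):
    """Return the decoded text if value is base64 for a URL, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if is_url(text) else None


def triage(url, prefix=""):
    """List (parameter, finding) pairs worth checking against the WAF log."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        path = prefix + name
        # Assumption: names starting with "template" are what the rule matches.
        if name.lower().startswith("template"):
            findings.append((path, "template-like name"))
        decoded = b64_url(value)
        if is_url(value):
            findings.append((path, "raw URL"))
            # A raw URL can carry its own query string; inspect it too.
            findings.extend(triage(value, path + " > "))
        elif decoded:
            findings.append((path, "base64 URL: " + decoded))
    return findings


if __name__ == "__main__":
    for path, finding in triage(BLOCKED):
        print(f"{path:20} {finding}")
```

Comparing these findings with the Reason column in the Blocked Requests Log shows which single feature needs an exception, instead of disabling protections by trial and error.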
