Support

Admin Tools

#30793 CSRFShield advanced setting blocks mod_search and mod_finder

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Saturday, 16 February 2019 17:17 CST

Wednesday, 16 January 2019 08:26 CST

mmaass
Hi,

with the Web Application Firewall CSRFShield setting to 'advanced' the search modules 'mod_search' and 'mod_finder' don't work anymore. The form can not be submitted anymore.

When using the 'basic' setting or disabling the feature the search modules will work again. Can you please explain why this happens?
I can not find any information about this in the documentation.


Regards

Wednesday, 16 January 2019 08:47 CST

mmaass
Joomla 3.9.2
PHP 7.2
Admin Tools Pro 5.2.1

Thursday, 17 January 2019 02:56 CST

tampe125
Hello,

I just made some quick tests with the mod_search module and everything seems to be working fine.
Did you modified the layout for such modules in any way?
When you set it to Advanced, do you find a security exception inside the logs?
The Advanced method injects a field inside the form that's invisible to regular users; spam bots will try to fill it and in that case Admin Tools will block the request.

Davide Tampellini

Developer and Support Staff

๐Ÿ‡ฎ๐Ÿ‡นItalian: native ๐Ÿ‡ฌ๐Ÿ‡งEnglish: good โ€ข ๐Ÿ• My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 17 January 2019 03:14 CST

mmaass
Hi Davide,

no, there are no overrides or modifications for the "mod_search". I particularly tested that because we had problems with an override and thought it was introduced there. But it wasn't.

I forgot to mention that the problem shows when the module is set to Search Buttons > No, where the confirmation of the entry is supposed to trigger the search.

Try the following:

- Select Components > Admin Tools > Security > Web Application Firewall > Configure WAF > Request Filtering > CSRF/Anti-spam form protection (CSRFShield) > Advanced and save the changes.

- Set Extensions > Templates > Protostar > Default.

- Create a new module of the type "Search" and publish it in the position "Right [position-7]".

- Important: Set Search Buttons > No.

Save the changes, reload the page in the frontend, enter a search phrase, and hit Enter or Return.

When I did that nothing happened.

Somehow the injected hidden field seems to break that feature.

Thank you

Thursday, 17 January 2019 04:13 CST

tampe125
Ok, I was able to replicate it.
It seems that Joomla relies on some default browser behavior to submit the form, adding a new field blocks it.

CSRF protection is not always available for every form, I guess the only solution is to enable the button or set the protection level to basic.

Davide Tampellini

Developer and Support Staff

๐Ÿ‡ฎ๐Ÿ‡นItalian: native ๐Ÿ‡ฌ๐Ÿ‡งEnglish: good โ€ข ๐Ÿ• My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Saturday, 16 February 2019 17:17 CST

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!