10 years ago
6
Topic
Hi
I couldn't call up the positions template preview when creating forms - just kept getting a 403 error message.
After experiments, I discovered that the .htaccess generated by AdminTools from Akeeba was causing the problems. I raised this in the forums of Akeeba and eventually discovered that the problem was the section in .htaccess which is to protect against file injection :
##### File injection protection -- BEGIN
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]
##### File injection protection -- END
This specifically stops "GET" as a method, and should apparently not be used as it is one of the most popular hacking method.
The comment from Nicholas at Akeeba is that full URL as a query string parameter should not be used anymore.
The ticket can be read here : #18457 – .htaccess and seblod
I am passing this on to you as input.
Regards
David
I couldn't call up the positions template preview when creating forms - just kept getting a 403 error message.
After experiments, I discovered that the .htaccess generated by AdminTools from Akeeba was causing the problems. I raised this in the forums of Akeeba and eventually discovered that the problem was the section in .htaccess which is to protect against file injection :
##### File injection protection -- BEGIN
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]
##### File injection protection -- END
This specifically stops "GET" as a method, and should apparently not be used as it is one of the most popular hacking method.
The comment from Nicholas at Akeeba is that full URL as a query string parameter should not be used anymore.
The ticket can be read here : #18457 – .htaccess and seblod
I am passing this on to you as input.
Regards
David
43 Posts
10 years ago
0
Level 1
Thanks for the tip.
We found admin tools puts a lot of htaccess rules which cause issues with sites. Its best to do this by hand, if you know what you are doing...
We found admin tools puts a lot of htaccess rules which cause issues with sites. Its best to do this by hand, if you know what you are doing...
10 years ago
4
Level 1
Does Admin Tools interfere with other Seblod functions other than the positions preview? I am investigating using Seblod for a large project and planned on using various Akeeba utilities.
Thanks!
Thanks!
10 years ago
3
Level 2
Not that I'm aware of. The issue with the "Get" function, however, is not solved to my knowledeg. It may be worth looking at the admintools forum as well.
4229 Posts
10 years ago
2
Level 3
Hi,
I would suggest you protect your administrator area with htaccess password (http://httpd.apache.org/docs/2.2/howto/auth.html ) and disable admintools for administration completely, such rules are hard to set properly to work with administrative functions.
I would suggest you protect your administrator area with htaccess password (http://httpd.apache.org/docs/2.2/howto/auth.html ) and disable admintools for administration completely, such rules are hard to set properly to work with administrative functions.
10 years ago
0
Level 4
Thanks guys!
8 years ago
0
Level 4
Admin Tools protects against a lot of things in the front end too. The last few Joomla! vulnerabilities were protected by Admin Tools.