Support

Admin Tools

#10062 Can't edit article from front end - blocked by XSSShield

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Thursday, 10 November 2011 03:59 CST

Saturday, 15 October 2011 04:52 CDT

elau24
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? No
Have I searched the forum before posting? No
Have I read the documentation before posting (which pages?)? No
Joomla! version: 1.5.23
PHP version: 5.2.16
MySQL version: 5.0.92-community-log
Host:
Admin Tools version: 2.1.10 Pro


Description of my issue:
Frontend article editing is blocked by XSS Shield. I did a little digging and it's in function looksLikeXSS at 2. Partial standard character entities. The 2 vars don't match:

str = http://mydomain.com/index.php?option=com_content&view=article&id=56&Itemid=84

test = http://mydomain.com/index.php?option=com_content&view;=article&id;=56&Itemid;=84

Thanks for your help. This has never been a problem before. My ISP has recently made changes to their firewall and probably other stuff too. Dunno if it has anything to do with this.

On another note, last time I updated AdminTools Pro, I could no longer use the regular install with Akeebabackup. Had to switch back to standard install. Maybe due to changes on the ISP side?

Saturday, 15 October 2011 14:43 CDT

nicholas
For now you'll have to disable the XSSShield feature in Admin Tools until I can take a good look at it.

Regarding the installation problems, it looks like some changes in your hosting side are causing this. Just disable the "System - System Restore Point" plugin so that you can use the regular Joomla! extensions installer.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Sunday, 16 October 2011 15:52 CDT

user44967
I cannot edit article from both front and back ends. I disabled xssshield, but the problem remains

Sunday, 16 October 2011 17:32 CDT

user44967
To update,

My case is related to mod_security module, rather than admin tool

Monday, 17 October 2011 02:55 CDT

nicholas
Out of curiosity, what exactly in mod_security was causing this issue? I've never seen that and I have two hosts who are using mod_security for some of my live sites.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Monday, 17 October 2011 04:48 CDT

user44967
The excerpt from modsec_audit.log is as following:

I didn't figure out how to work out. Any suggestion? Though, I know it's out of your business:-)

--1633c831-H--
Message: Pattern match "^([^;\s]+)" at REQUEST_HEADERS:Content-Type. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_30_http_policy.conf"] [line "63"] [id "960010"] [msg "Request content type is not allowed by policy"] [data "application/x-www-form-urlencoded"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]
Message: Pattern match "(?:\<\w*:?\s(?:[^\>]*)t(?!rong))|(?:\ Message: Rule execution error - PCRE limits exceeded (-8): (null).
Message: Rule execution error - PCRE limits exceeded (-8): (null).
Message: Pattern match "(?:union\s*(?:all|distinct|[(!@]*)?\s*[[]*\s*select)|(?:\w+\s+like\s+")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@"]*\s*\w+\W+\w)|(?:select\s*[\ ..." at ARGS:text.[file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "156"] [id "900045"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "\x22>co-r"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
Message: Pattern match "(?:"+.*[<=]\s*"[^"]+")|(?:"\w+\s*=)|(?:>\w=\/)|(?:#.+\)["\s]*>)|(?:"\s*(?:src|style|on\w+)\s*=\s*")|(?:[^"]?"[,;\s]+\w*[[\(])" at ARGS:text. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "186"] [id "90002"] [msg "finds attribute breaking injections including whitespace attacks"] [data "\x22line-height: 15px; \x22 mce_style=\x22line-height: 15px; \x22>co-recipient of best paper award at ieee ecoc 2011</span></li> <li><span style=\x22line-height: 15px; \x22 mce_style=\x22line-height: 15px; \x22>major contributor and co-author of ieee ofc 2008 post-deadline paper</span></li> <li><span style=\x22line-height: 15px;\x22 mce_style=\x22line-height: 15px;\x22>major contributor and co-author of ieee ecoc 2007 post-deadline paper</span></li> <li><span style=\x22line-height: 15px;\x22 mce_style=\x..."] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"]
Message: Pattern match "(?:"[^"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>")" at ARGS:text. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "196"] [id "90001"] [msg "finds html breaking injections including whitespace attacks"] [data "\x22line-height: 15px; \x22>"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"]
Message: Rule execution error - PCRE limits exceeded (-8): (null).
Message: Pattern match "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h ..." at ARGS:text. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "555"] [id "973300"] [rev "2.0.5"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "<div>"]
Message: Pattern match "\bstyle\b\W*?=" at ARGS:text. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "613"] [id "973306"] [rev "2.0.5"] [msg "XSS Attack Detected"] [data "style="]
Message: Rule execution error - PCRE limits exceeded (-8): (null).
Message: Rule execution error - PCRE limits exceeded (-8): (null).
Message: Rule execution error - PCRE limits exceeded (-8): (null).
Message: Access denied with code 403 (phase 2). [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_49_enforcement.conf"] [line "25"] [msg "Anomaly Score Exceeded (score 59): XSS Attack Detected"]
Action: Intercepted (phase 2)
Stopwatch: 1318801666100331 151941 (59484* 151305 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.5.
Server: Apache

--1633c831-Z--

Monday, 17 October 2011 05:05 CDT

slaes
my 2 cents.

ive tested and played with tons of mod sec rule sets. IMHO, http://www.gotroot.com/Welcome wins hands down. least amount of false positives and most comprehensive.

If you dont have access to command, id would suggest, http://configserver.com/cp/cmc.html

its free and from the same company as csf (which most good hosts use)

adding mod sec exceptions per domain or otherwise, is no more than point and click.

hope that helps

Monday, 17 October 2011 05:19 CDT

user44967
Thank you very much. This is what I was after, a baseline or intuitive mod_security configuration guide. I will try it out, thanks.

Monday, 17 October 2011 05:27 CDT

slaes
no worries. It's great and tails live logs (unlike the default mod_sec plugin), which makes it easy to watch / add exceptions. It does need some config, but its easy. i highly recommend the atomic free rules (or live feed if u can) mod sec without good rules is useless. i wrote some rules for phpbb (i know what your thinking, niko, you dont need to tell me, lol, now your rolling your eyes, lol) which basically reduced forum spam on about a dozen sites from thousands a day to basically zero. good luck

Monday, 17 October 2011 05:31 CDT

user44967
Thank you for sharing your valuable experience.

Monday, 17 October 2011 05:34 CDT

slaes
anytime mate. were all here to help each other

Monday, 17 October 2011 05:46 CDT

nicholas
Hi Slaes, nice tip, mate! I knew where to find some good mod_security rules, but I didn't know you could have a rule updater too :)

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Tuesday, 18 October 2011 02:09 CDT

slaes
thanks mate.


BTW, nice find with 1524, they finally listened? lol. i knew something was going down, but i couldnt put my finger on it. funny how these things are always watered down as not so serious, lol. for good reason i guess

Tuesday, 18 October 2011 04:01 CDT

nicholas
Well, the actual hack to decode the cookie without knowing the site's secret key was discovered by Jeff Channell, it's very obscure and required a vulnerable version of PHP and a vulnerable extension to be installed. But the fact remains that if someone gets hold of your cookie (trivial, in an era of WEP-(un)protected Wi-Fi) and your site's secret key he could have one hell of a party on your site :D And then people call me paranoid when I preach locking down everything. Just because you're paranoid doesn't mean they're not after you, as Curt Cobain would put it ;)

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Tuesday, 18 October 2011 04:13 CDT

slaes
all i can say is remain paranoid, lol. I feel like head butting people when they tell me im paranoid or "all the security is a PITA" blah blah. Man, does it give me the sh$$s.

Tuesday, 18 October 2011 04:18 CDT

nicholas
I know of a few guys and gals who used to say that. When their sites were hacked, content deleted and had to start over they realised the harsh reality. They're like the advocates for the non-use of a seatbelt. You know how their leader died? In a car crash, because he wasn't wearing a seatbelt. The other two people in that SUV got out with minor injuries. They were wearing a seatbelt. I think that should tell people something important: when it comes to safety and security, don't take your chances ;)

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 10 November 2011 03:36 CST

elau24
The problem with XSS Shield blocking frontend editing disappears after I upgrade to AdminTools Pro 2.1.11. Strange. Maybe something was corrupt before.

Thursday, 10 November 2011 03:59 CST

nicholas
If you had a problem using JCE editor in the front-end then, yes, 2.1.11 added a JCE-specific exception ;)

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!