#26809 MUA Shield blocking Simple Pie requests

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by on Saturday, 28 January 2017 17:17 CST

carcam
I managed a site which is in a sensitive position and we have strengthened the security these days. Now we are actually checking all security exceptions carefully to be sure we do not block good behaviour and we have noticed the MUA Shield is blocking this APACHE request:

USER IP - - [28/Dec/2016:04:26:57 +0100] "GET /es/?format=feed&type=rss HTTP/1.1" 500 353 "http://www.SITEURL.com/es/?format=feed&type=rss" "SimplePie/1.4-beta (Feed Parser; http://simplepie.org; Allow like Gecko) Build/20160411220540"

I think this comes from a non-malicious request from the PHP RSS feed Simple Pie: http://simplepie.org and that the url (or something in the agent string) is making the MUA Shield think this is a malicious attack.

Can you please check if this is the case?

Best!!

tampe125
Akeeba Staff
Hello,

yes, the Malicious User Agent blocks every request that contains SimplePie as User Agent.
This is required since on a previous version of Joomla (3.4.4, if I remember correctly), it was used to trigger a vulnerability on affected sites. You can find more info here.
If you are running the latest version of Joomla, you can disable this feature since your site is not vulnerable.

Davide Tampellini

Developer and Support Staff

🇮🇹Italian: native 🇬🇧English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

carcam
Hi Davide,
thank you very much for your reply!

I use the latest release of Joomla! on that site and I'm not a security guru, but according to the description provided in the docs I do want to have MUAShield enabled:

Malicious User Agent block (MUAShield)



Many hackers will try to access your site using a browser configured to send malicious PHP code in its user agent string (a small piece of text used to describe the browser to your server). The idea is that buggy log processing software will parse it and allow the hacker to gain control of your website. When enabled, this feature allows Admin Tools to detect such attacks and block the request.



I just want it to not block Simple Pie agent if no sign of PHP is in the User Agent, is that possible?

nicholas
Akeeba Staff
Manager
You can safely disable the entire feature. The attack target of malicious user agents containing a PHP tag is not Joomla itself, it's very old versions of web statistics parsers like Awstats. More than half a decade ago they had some issues with parsing user agents which could allow code execution when you viewed the compiled statistics page. These issues have long been fixed.

The other issue the MUAShield is protecting you from is what Davide explained. Unfortunately due to the way this attack works the only reliable bit of information in one of the two attack patterns is the SimplePie signature. If you want your site to be accessible by SimplePie you will have to disable the MUAShield protection altogether. As long as you have a server with stats software updated any time after 2013 (if not, change hosts!) and Joomla! 3.5 or later (if not, upgrade the site!) you're fine without it.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
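
An added example (not from the thread and not Admin Tools' code): a log audit for the decision discussed above, listing which requests in an Apache combined-format log carry either of the two user-agent patterns the replies describe, a PHP tag or the SimplePie signature. The regexes, function names and sample lines are assumptions constructed for illustration; the actual MUAShield rules are not shown on this page.

```python
import re
from collections import Counter

# Apache "combined" format; quoted fields may hold backslash-escaped quotes.
Q = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] ' + Q + r' (\d{3}) \S+ ' + Q + ' ' + Q)

# Assumed patterns, based only on the thread's wording (not Admin Tools' rules).
PHP_TAG = re.compile(r'<\?')
SIMPLEPIE = re.compile(r'SimplePie', re.IGNORECASE)  # case-insensitivity is an assumption


def classify(agent):
    """Return the reason a user agent matches one of the two patterns, or None."""
    if PHP_TAG.search(agent):
        return "php-tag"
    if SIMPLEPIE.search(agent):
        return "simplepie"
    return None


def audit(lines):
    """Return (host, status, reason, request) for every matching request."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        host, _time, request, status, _referer, agent = m.groups()
        reason = classify(agent)
        if reason:
            hits.append((host, int(status), reason, request))
    return hits


def summary(hits):
    """Count hits per (reason, status) so feed readers getting errors stand out."""
    return Counter((reason, status) for _host, status, reason, _req in hits)


# Constructed sample lines (documentation IP ranges, example.com).
SAMPLE = [
    r'192.0.2.10 - - [28/Dec/2016:04:26:57 +0100] "GET /es/?format=feed&type=rss HTTP/1.1" 500 353 "http://www.example.com/es/?format=feed&type=rss" "SimplePie/1.4-beta (Feed Parser; http://simplepie.org; Allow like Gecko) Build/20160411220540"',
    r'198.51.100.7 - - [28/Dec/2016:04:27:01 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/50.0"',
    r'203.0.113.5 - - [28/Dec/2016:04:28:12 +0100] "GET /index.php HTTP/1.1" 500 353 "-" "Mozilla/5.0 <?php /* constructed \"sample\" */ ?>"',
]
```

Running `summary(audit(lines))` over a real access log before changing the setting shows how many feed-reader requests are currently matched and what status they received.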

carcam
Hi Nicholas,
thank you very much for your great explanation!! That makes it perfectly clear. I will disable it then.

Thanks!!!

tampe125
Akeeba Staff
You're welcome!

