#42952 Yootheme builder

Posted in ‘Admin Tools for Joomla!’

Environment Information

Joomla! version: 6.1
PHP version: 8.4
Admin Tools version: 7.8.8

Latest post by moira on Tuesday, 19 May 2026 00:16 CDT

lewax

Hi.

I have used Admin Tools and YOOtheme on Joomla sites for a long time. A few years ago there was a DFIShield problem with the frontend editor, but it was solved by disabling "Block template=foo site template switch". This still works with Joomla 5, but with Joomla 6.1 the problem is back.

Here is a DFIShield log example:

https://mydomain.com/component/ajax/?p=customizer&templateStyle=9&format=html&site=/&return=/?view%3Dform%26layout%3Dedit%26a_id%3D5%26return%3DaHR0cHM6Ly9qY3JvaC5jaC9pbmRleC5waHA%3D&section=builder

If I disable DFIShield, I can use the builder in the frontend.

I already tried solutions found on this support site (WAF exceptions) without success. I don't know how to solve this problem.

Thanks in advance for your help

Best regards

moira

The YooTheme frontend builder sends AJAX requests to Joomla's Ajax Interface component (com_ajax) with a site parameter (containing a path like /) and a return parameter (containing a URL). Admin Tools' DFIShield interprets these as potential directory/file inclusion attempts and blocks them.

The solution is to add two WAF Exceptions in Admin Tools Professional so that DFIShield skips its checks on these specific parameters for com_ajax requests.

Go to Components → Admin Tools → Configure WAF → WAF Exceptions.

Click + New in the toolbar and fill in:

  • Component: Ajax Interface
  • View Name: leave empty
  • Query Parameter: site

Click Save & Close.

Click + New again and fill in:

  • Component: Ajax Interface
  • View Name: leave empty
  • Query Parameter: return

Click Save & Close.

With both exceptions in place, the YooTheme frontend builder should work without triggering DFIShield. If it is still blocked after adding these exceptions, please check the Security Exceptions Log (Components → Admin Tools → Security Exceptions Log) for the most recent blocked request and let us know what protection is listed there.

Moira Fari

Support Specialist

🇬🇧English: native 🕐 My time zone is Asia / Nicosia
Kindly note that my replies are fully vetted by our developers.
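
Added example, not part of the ticket and not Admin Tools code: a Python helper that takes a blocked URL copied from the Security Exceptions Log and lists the Component / View Name / Query Parameter rows to review as WAF Exceptions. The path-or-URL test is an assumed triage heuristic, not DFIShield's actual detection logic, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Blocked request as posted in the ticket (mydomain.com is the poster's placeholder).
BLOCKED_URL = (
    "https://mydomain.com/component/ajax/?p=customizer&templateStyle=9"
    "&format=html&site=/&return=/?view%3Dform%26layout%3Dedit%26a_id%3D5"
    "%26return%3DaHR0cHM6Ly9qY3JvaC5jaC9pbmRleC5waHA%3D&section=builder"
)

# Assumption for triage only: a decoded value that starts with "/", contains
# "../" or contains "://" is the kind of value a file-inclusion filter may flag.
PATH_LIKE = re.compile(r"^/|\.\./|://")


def joomla_component(url):
    """Return com_xxx from option=com_xxx or from the SEF form /component/xxx/."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if params.get("option", "").startswith("com_"):
        return params["option"]
    match = re.search(r"/component/([A-Za-z0-9_]+)", parts.path)
    return "com_" + match.group(1) if match else None


def waf_exception_rows(url):
    """One row per top-level parameter whose decoded value looks like a path or URL.

    Rows are scoped to the request's component only; the view is left empty,
    matching the "View Name: leave empty" step in the reply above.
    """
    component = joomla_component(url)
    rows, seen = [], set()
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name not in seen and PATH_LIKE.search(value):
            seen.add(name)
            rows.append({"component": component, "view": "", "query": name})
    return rows


if __name__ == "__main__":
    for row in waf_exception_rows(BLOCKED_URL):
        print(row)
```

Each row names one parameter on one component, so DFIShield keeps checking every other parameter and every other component.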
