#9921 com_search tmpl= in URL problem with ajax search module

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by olaeblue on Saturday, 26 November 2011 15:56 CST

user11681
Mandatory information about my setup:

Have I searched the forum before posting? Yes
Have I read the Troubleshooting Wizard before posting? Yes
Have I read the documentation before posting? Yes
Joomla! version: 1.5.23
PHP version: 5.1.6
MySQL version: 5.0.77
Host: private hosting
Admin Tools Professional version: 2.0.5


Description of my issue:

Hi,
I have activated Admin Tools Pro and I continuously get alert mails when users use the search component on the website. An AJAX module for the search is inserted in the website; I could not find out whether this is the problem, because according to your manuals, if it were a JS problem the search should not work at all ... but for me the search works, yet I always get a tmpl= in URL exception in the log.
My search string is like index.php?option=com_search&tmpl=raw&type=json&ordering=&searchphrase=all&Itemid=24&searchword=test
How can I get rid of this? I tried with a WAF exception but could not find how to disable this error (I would not want to disable the checks over the whole search component, as I like it protected from injections or other hacking attempts).

Thanks (and sorry for my English :) )
Michele

nicholas
Akeeba Staff
Manager
This is very easy to accomplish, following our documentation instructions. Go to Components, Admin Tools, Web Application Firewall, Configure WAF. Find the "List of allowed tmpl= keywords". It now reads "component". Make it read "component,system,raw" (without the quotes) and Save. That should do the trick.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user11681
:)

Hi Nicholas,
Before writing here I had read the docs, and in my List of allowed tmpl= I had component,system,raw, but still if a user searches it's reported as a security exception :(

user11681
I tried even in WAF Exceptions to put com_search without any view and query (so ALL ALL) but it is still reported as a security exception.

nicholas
Akeeba Staff
Manager
Can you post a copy of the security exception email you got (remove the site name and URL) so that I can understand which protection kicks in?

user11681
I don't get alert mails anymore (sorry, I did not write that before) but it is still registered in the Log exceptions. Is that normal?
And, if yes, will this block my users if they do more than x searches in x minutes (I set Auto-ban Repeat Offenders to ban those that do more than 5 attacks in 30 minutes)?

I attach a screenshot

thanks

nicholas
Akeeba Staff
Manager
Can you please upgrade to Admin Tools 2.1.1? I can't replicate your issue using the latest published version. It could be related to an old bug I fixed quite a while ago.

user11681
Hi Nicholas,
I updated to the latest version.

Doing a search with the standard Joomla search component does not give any error.

Searching using the AJAX module (mod_yoo_search) still gives me the tmpl= URL exception.

Any idea on what I can do to get rid of this?

Thanks, Michele

nicholas
Akeeba Staff
Manager
There was a bug in that feature. Can you please try the latest dev release? Just download the ZIP file and install it on your site, without uninstalling 2.1.1. Does it work now?

user11681
:)

Simply PERFECT!!! :)

Now everything works like it should.

Thank you very much for your support.

Michele

nicholas
Akeeba Staff
Manager
Awesome! You're the first one to report this bug which was in there for more than two months. I guess everyone who had asked me for this feature never used it after all :D

jgurrier
Hi,

SVN 388 did the trick for my yoo_search problem. I think that I, like others, simply disabled tmpl checking. Didn't want to anger the Greek gods with constant pestering about the issue... ;-)

nicholas
Akeeba Staff
Manager
Bug reports are welcome and perceived as everything but pestering! I usually despair at the mundane questions which come in the form of "how do I extract a backup" or any other common question already answered in the Troubleshooting Wizard. And the reason I despair is that they distract me from effectively dealing with bug reports and legitimate questions, essentially distracting me from being able to give you guys that extra love and support that you deserve ;)

cas
Hi Nicholas,

I am getting a lot of exceptions from the "Block template=" switch in the WAF. They all seem to be template=(my template), so it doesn't look like a problem, but I don't see how to enter my template in the WAF to stop this exception. I don't want to turn off the Block Template switch, unless I have to. Is there any way to see what program is creating this exception?

Thanks,
Chuck

nicholas
Akeeba Staff
Manager
Hi Chuck,

Right now, the only option is to enable or disable the template= protection as a whole. There is no option to allow only specific words. BUT! You can use the Web Application Firewall exceptions page to set up com_search as an exception to all filtering rules.

That said, I have never seen com_search appending the template query parameter to its URL. Is it possible that you use a third-party searchbox module which does that? It's non-standard behaviour.

cas
Hi Nicholas,

I should have been more specific, it's not coming from the com_search. It's coming from the com_mailto. The exception is:
www.mysite.com/component/mailto/?tmpl=component&template=mytemplate&link=...

Any idea why the com_mailto is creating so many exceptions? And how to stop it from happening?

Btw, I could not see how to create a new topic on your forum specific to my problem. Where is the link to create a new topic?

Thanks,
Chuck

nicholas
Akeeba Staff
Manager
Hi Chuck,

Your post threw me on a wild goose chase, but I figured out what is going on. First, com_mailto DOES NOT use template=anything, it only uses tmpl=component. tmpl is a different thing to template. In order to fix that, go to your site's back-end, Components, Admin Tools, Web Application Firewall, Configure WAF and find the "List of allowed tmpl= keywords" settings. Change it so that it reads
component,system,raw
and Save the settings.

Now, if you do see template= in the com_mailto URL additionally to tmpl=component, then please let your template provider know that what they are doing is not the standard behaviour and this should never, EVER, be part of the com_mailto URL.

cas
Thanks Nicholas,

Sorry for the wild goose chase. I'm not sure I completely understand your reply, so let me explain further. I had already set in the WAF "List of allowed tmpl=" component,system. What does adding "raw" to this list do?

The exceptions, as I noted above, do have "template=..." in them. Here is the actual exception: www.mysite.com/component/mailto/?tmpl=component&template=mytemplate&link=... with a bunch of numbers & letters here. Of course www.mysite.com and mytemplate are not the actual info.

As far as the template, I modified a Joomla template to fit my needs. I got it from some free download. Since I'm not a Joomla expert yet, where do I look in the template to find what is wrong with the template? Is there something specific I can search for?

Thanks for all your help. You're a real life saver!

Regards,
Chuck

nicholas
Akeeba Staff
Manager
Most likely your template has a template override in templates/mytemplate/html/com_content or templates/mytemplate/html/com_mailto which is causing this extra template= in the URL.

Regarding your tmpl=raw question, this is required by some extensions which are poorly coded. If your site works without the raw in that list, you can safely remove it. The other two, however, you should leave them in the list.

cas
Hi Nicholas,

I finally had some time to research this problem. What I found when I did a search is that there doesn't seem to be anything in the template html overrides that would cause this problem. It just includes the 2 standard html overrides found in the Beez5 template for com_contact & com_content, so hopefully the Beez5 overrides are okay. My template has 2 other overrides, one dealing with lengthening the search characters from 20 to 50, and the other override makes an enhancement to the module menu to make it more graphical, but I don't see anything in there that deals with the template=.

What I did find was 3 items that had: "com_mailto&tmpl=component&template="
1) ../components/com_content/helpers/icon.php
2) ../components/com_jetestimonial/helpers/icon.php
3) ../components/com_moofaq/helpers/icon.php

The first item is from the Joomla core. Here is the line of code:
$url = 'index.php?option=com_mailto&tmpl=component&template='.$template.'&link='.MailToHelper::addLink($link);

The second item is from the JE Testimonials extension. Here is the line of code:
$url ='index.php?option=com_mailto&tmpl=component&template='.$template.'&link='.base64_encode($link);

The third item is from the MooFoo FAQ extension. The line of code is the same as JE Testimonials above.

Do you see anything in this code that would cause the WAF to flag this as a security problem?

Thanks,
Chuck

nicholas
Akeeba Staff
Manager
Hi Chuck,

I observed that when Joomla! has multiple template assignments, it appends the current template to com_mailto's URL. I will be releasing Admin Tools 2.1.7 today which addresses this issue by allowing the use of any installed template in the URL using something like template=nameOfAnInstalledTemplate.

cas
Great! Thanks Nicholas. I'll give it a try and see if it works.

Cheers,
Chuck

cas
Hi Nicholas,

I installed 2.1.7. I see there is a new selection for the template security "Allow site templates". Do I say YES to both "Block template=foo site template switch" and "Allow site templates"?

Thanks,
Chuck

nicholas
Akeeba Staff
Manager
Hello Chuck,

That is correct. You have to set both of these options to Yes.

cas
Thanks Nicholas. I'll keep you posted if I get anymore template security warnings.

Best regards,
Chuck

cas
Hi Nicholas,

The template check seems to be working properly now. Thanks!

I am still getting an occasional error for something different.

The WAF email notice says:
Reason: Bad Behaviour (Header 'Referer' present but blank)

In WAF the Target URL is:
http://www.mysite.com/index.php?format=feed&type=atom

I did a search for "format=feed&type=atom" and found this in
../libraries/joomla/document/feed/renderer/atom

Do you know what is causing this?

Regards,
Chuck

cas
Hi Nicholas,

I forgot to ask another question. I noticed I'm getting a few hits on the WAF "template=" check because I renamed the template to a different name a few weeks ago, but the WAF exception still has the old template name in the Target URL. I cleared the Joomla cache and made sure the old template name does not appear anywhere in the source code. Do you know if there is somewhere else I need to change the template name? Is it possible that a Bot has this old URL saved?

Thanks,
Chuck

cas
Hi Nicholas,

I might have figured out the first question about the "Header 'Referer' present but blank". The extension Phoca Gallery has the RSS feed turned 'ON' by default. Since I never setup any feed, that might explain the blank feed problem. I turned off the feed, so let's see if the problem stops.

I'm still open to any suggestions you might have on my second post about the old template name still being in the Target URL.

Thanks,
Chuck

nicholas
Akeeba Staff
Manager
Hi Chuck,

In order for feeds to work it's advisable to turn off the Bad Behaviour feature, as it blocks requests with an empty Referer header (which is exactly what RSS clients will do).

Regarding the template= requests, it's probably a stale search engine cache, most likely from the mail to icons' URLs. Give it some time (about a month) until the search engine rebuilds its index for your site and they will be gone.

cas
Hi Nicholas,

I now have the RSS feed turned off, but I'm still getting the Referrer is blank message. Like you said, maybe some Bot is using an old cached link. I'll give it some time and see if it stops.

Thanks for the help.

Thanks,
Chuck

olaeblue
Hi I'm getting repeated exceptions for
http://www.mysite.org.uk/index.php?tmpl=component&template=beez_20&option=com_search&view=search&ordering=newest

I'm assuming that this is because of the &template=beez_20 part but I don't use any templates (including beez_20) except my own & can find no way of 'turning off' the offending text from search (I use PixSearchNG if it helps).

So any ideas how to either
a: get the offending text out of the search string (I have posted with pixlabs as well asking this)
b: allow this exception without reporting (less good but can't handle number of emails or find real threats in the 'noise')
Thanks

nicholas
Akeeba Staff
Manager
Hi!

First let me remind you that posting to a completely unrelated thread of somebody else doesn't help us help you, as we're missing a lot of vital information about your site.

First make sure that you have Admin Tools Professional 2.1.13 installed on your site. Then go to Admin Tools, Web Application Firewall, Configure WAF, find the "Block template=foo site template switch" and under it there should be an option titled "Allow site templates". Make sure both options are set to Yes, then click on the Save button (located at the top of the page, on the right hand side). That's it!

olaeblue
1. Thought this thread was related, sorry.
2. Joomla 1.7.3, Admin tools 2.1.13
3. I can allow site templates, but I don't use any standard templates, so won't this then 'miss' genuine security exceptions? Or am I misunderstanding the purpose? I only use 1 template, which is a customised version of a purchased template that has its own name.

nicholas
Akeeba Staff
Manager
It looks like you are using a third party search component, most likely an AJAX-ified search module. It adds the (largely unnecessary) template=beez_20 query in the URL, most likely because its author tried to work around restrictions imposed by JoomlArt's templates (long story, don't ask, JoomlArt's T3 does some funky things when people use the tmpl=component option...). The only way to have the search work is to use the "allow site templates".

As far as security is concerned, let me make this abundantly clear: you can not be hacked by enabling this option. The worst case scenario is that people will have one more way to ensure that your site is running on Joomla!. By itself it's not a security issue. All of the "Visual Fingerprinting" section's features are "paranoia protection" settings ;)


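As an added illustration (this is not code from Admin Tools or Akeeba; the function name, the option keys and the list of installed templates are hypothetical), the following PHP models the three WAF rules discussed in this thread and runs them over the URLs quoted above, so the effect of the "List of allowed tmpl= keywords", the "Block template=foo site template switch" with "Allow site templates", and the Bad Behaviour Referer rule can be seen side by side:

```php
<?php
// Added illustration, not Admin Tools code: a minimal model of the three WAF
// rules discussed in this thread. Function and option names are hypothetical.

/**
 * Evaluate one request against the modelled rules.
 *
 * @param string      $url      Request URL as it appears in the WAF log's Target URL
 * @param string|null $referer  null = header not sent, '' = header present but blank
 * @param array       $options  Modelled WAF settings (hypothetical keys)
 * @return string[]             Reasons the request would be logged (empty = allowed)
 */
function evaluateRequest(string $url, ?string $referer, array $options): array
{
    $reasons = [];
    $query   = [];
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);

    // Rule 1: "List of allowed tmpl= keywords". Any other tmpl= value is logged.
    if (isset($query['tmpl']) && !in_array($query['tmpl'], $options['allowedTmpl'], true)) {
        $reasons[] = "tmpl= in URL: '{$query['tmpl']}' is not in the allowed list";
    }

    // Rule 2: "Block template=foo site template switch". With "Allow site
    // templates" on, a template= value naming an installed template passes;
    // a name that is no longer installed (e.g. a renamed template) is still logged.
    if ($options['blockTemplate'] && isset($query['template'])) {
        $isInstalled = $options['allowSiteTemplates']
            && in_array($query['template'], $options['installedTemplates'], true);
        if (!$isInstalled) {
            $reasons[] = "template= site template switch: '{$query['template']}'";
        }
    }

    // Rule 3: Bad Behaviour, modelled on the reason text quoted in the thread.
    // In this model a request with no Referer header at all (null) is not flagged;
    // only a header that is present but empty is. That distinction is an assumption.
    if ($options['badBehaviour'] && $referer === '') {
        $reasons[] = "Bad Behaviour (Header 'Referer' present but blank)";
    }

    return $reasons;
}

// Constructed settings: the values recommended in the thread, plus a
// hypothetical inventory of installed site templates.
$settings = [
    'allowedTmpl'        => ['component', 'system', 'raw'],
    'blockTemplate'      => true,
    'allowSiteTemplates' => true,
    'installedTemplates' => ['beez_20', 'mytemplate'],
    'badBehaviour'       => true,
];

// Constructed sample requests, built from the URLs quoted in this thread.
$samples = [
    ['http://www.mysite.com/index.php?option=com_search&tmpl=raw&type=json&searchword=test', 'http://www.mysite.com/'],
    ['http://www.mysite.com/component/mailto/?tmpl=component&template=mytemplate&link=abc', 'http://www.mysite.com/'],
    ['http://www.mysite.org.uk/index.php?tmpl=component&template=beez_20&option=com_search', 'http://www.mysite.org.uk/'],
    ['http://www.mysite.com/index.php?tmpl=component&template=oldname&option=com_search', 'http://www.mysite.com/'],
    ['http://www.mysite.com/index.php?format=feed&type=atom', ''],
];

foreach ($samples as [$url, $referer]) {
    $reasons = evaluateRequest($url, $referer, $settings);
    printf("%-90s -> %s\n", $url, $reasons ? implode('; ', $reasons) : 'allowed');
}

// Same com_mailto URL with "Allow site templates" switched off: this is the
// situation Chuck described before Admin Tools 2.1.7 added that option.
$strict  = ['allowSiteTemplates' => false] + $settings;
$reasons = evaluateRequest($samples[1][0], $samples[1][1], $strict);
printf("%-90s -> %s\n", $samples[1][0] . ' (allowSiteTemplates=false)', implode('; ', $reasons));
```

Run it from the command line with php. The fourth sample reproduces the renamed-template case from this thread: a template= value that no longer names an installed template is logged even with "Allow site templates" on, which is consistent with those hits coming from stale links rather than from the current site. The last sample is the feed request with a blank Referer that the Bad Behaviour rule logs, and the final line shows the com_mailto URL being logged once "Allow site templates" is off.
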
olaeblue
OK thanks for advice and reassurance. Love your work, excellent. :-)
