#26809 – MUA Shield blocking Simple Pie requests

Posted in ‘Akeeba Admin Tools for Joomla!’
Wednesday, 28 December 2016 03:59 CST
I manage a site which is in a sensitive position and we have strengthened the security these days. Now we are actually checking all security exceptions carefully to be sure we do not block good behaviour, and we have noticed the MUA Shield is blocking this Apache request:

USER IP - - [28/Dec/2016:04:26:57 +0100] "GET /es/?format=feed&type=rss HTTP/1.1" 500 353 "http://www.SITEURL.com/es/?format=feed&type=rss" "SimplePie/1.4-beta (Feed Parser; http://simplepie.org; Allow like Gecko) Build/20160411220540"

I think this comes from a non-malicious request from the PHP RSS feed parser Simple Pie (http://simplepie.org) and that the URL (or something in the agent string) is making the MUA Shield think this is a malicious attack.

Can you please check if this is the case?


Custom Fields

Joomla! version (in x.y.z format) 3.6.5
PHP version (in x.y.z format) 5.6.29
Admin Tools version (x.y.z format) 4.0.2
Wednesday, 28 December 2016 07:33 CST

Yes, the Malicious User Agent block stops every request that contains SimplePie as its User Agent.
This is required since on a previous version of Joomla (3.4.4, if I remember correctly), it was used to trigger a vulnerability on affected sites. You can find more info here.
If you are running the latest version of Joomla, you can disable such feature since your site is not vulnerable.

Davide Tampellini

Developer and Support Staff

Italian: native

English: good

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 28 December 2016 10:50 CST
Hi Davide,
thank you very much for your reply!

I use the latest release of Joomla! on that site and I'm not a security guru, but according to the description provided in the docs I do want to have MUAShield enabled:

Malicious User Agent block (MUAShield)

Many hackers will try to access your site using a browser configured to send malicious PHP code in its user agent string (a small piece of text used to describe the browser to your server). The idea is that buggy log processing software will parse it and allow the hacker to gain control of your website. When enabled, this feature allows Admin Tools to detect such attacks and block the request.

I just want it to not block Simple Pie agent if no sign of PHP is in the User Agent, is that possible?
Thursday, 29 December 2016 01:16 CST
You can safely disable the entire feature. The attack target of malicious user agents containing a PHP tag is not Joomla itself, it's very old versions of web statistics parsers like Awstats. More than half a decade ago they had some issues with parsing user agents which could allow code execution when you viewed the compiled statistics page. These issues have long been fixed.

The other issue the MUAShield is protecting you from is what Davide explained. Unfortunately, due to the way this attack works, the only reliable bit of information in one of the two attack patterns is the SimplePie signature. If you want your site to be accessible by SimplePie you will have to disable the MUAShield protection altogether. As long as you have a server with stats software updated any time after 2013 (if not, change hosts!) and Joomla! 3.5 or later (if not, upgrade the site!) you're fine without it.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native

🇬🇧English: excellent

🇫🇷French: basic

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
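
To audit which blocked requests carried only the SimplePie signature and which carried a PHP tag in the User-Agent, the following added example (not part of the original ticket and not Admin Tools' own code) triages Apache combined-format log lines. The two patterns, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Combined format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)

# Assumed patterns, modelled on the two cases discussed in the ticket.
PHP_TAG = re.compile(r"<\?(?:php|=|\s)", re.IGNORECASE)
SIMPLEPIE = re.compile(r"simplepie", re.IGNORECASE)

def classify(agent):
    """Return why a User-Agent would be flagged, or None if it is clean."""
    if PHP_TAG.search(agent):
        return "php-tag"
    if SIMPLEPIE.search(agent):
        return "simplepie-signature"
    return None

def triage(lines):
    """Parse combined-format lines; return (flagged entries, reason counts)."""
    flagged, counts = [], Counter()
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            counts["unparsed"] += 1  # keep malformed lines visible in the totals
            continue
        reason = classify(m["agent"])
        if reason:
            counts[reason] += 1
            flagged.append((m["host"], m["status"], m["request"], reason))
    return flagged, counts

# Constructed sample lines (documentation IP ranges, example.com).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Dec/2016:04:26:57 +0100] "GET /es/?format=feed&type=rss HTTP/1.1" 500 353 '
    '"http://www.example.com/es/" "SimplePie/1.4-beta (Feed Parser; http://simplepie.org)"',
    '198.51.100.7 - - [28/Dec/2016:04:30:01 +0100] "GET / HTTP/1.1" 500 353 "-" '
    '"Mozilla/5.0 <?php /* constructed marker */ ?>"',
    '203.0.113.5 - - [28/Dec/2016:04:31:12 +0100] "GET /en/ HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/50.0"',
    'truncated line without quotes',
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Entries tagged `simplepie-signature` are the ones to review by hand before deciding whether the feature can be switched off.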

Thursday, 29 December 2016 04:56 CST
Hi Nicholas,
thank you very much for your great explanation!! That makes it perfectly clear. I will disable it then.

Thursday, 29 December 2016 04:59 CST
You're welcome!

Davide Tampellini

Saturday, 28 January 2017 17:17 CST
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
This ticket is closed, therefore read-only. You can no longer reply to it. If you need to provide more information, please open a new ticket and mention this ticket's number.