#6987 – Scripts by frontend editors result into Forbidden Access

Posted in ‘sh404SEF’
Friday, 06 March 2020 19:32 UTC
TheSDHotel
Hey there,

Frontend editors trying to embed a JavaScript file with script tags get a Forbidden Access error.

Turns out this is due to sh404sef security features being enabled.

This only happens for lower-ACL users. I, as an administrator, can add scripts from the frontend just fine, but authors or editors can't.

Is there any way around this?

Thanks!
Friday, 06 March 2020 19:40 UTC
wb_weeblr
Hi

Turns out this is due to sh404sef security features being enabled.
That seems a bit odd, sh404SEF security features don't check the page content.

This only happens for lower-ACL users. I, as an administrator, can add scripts from the frontend just fine, but authors or editors can't.
This makes it even weirder, we absolutely do not take ACL into account.

What are your settings here?



Best regards

Yannick Gaultier
weeblr.com
@weeblr

Friday, 06 March 2020 19:45 UTC
TheSDHotel
Thanks for the speedy reply!

Weird. Turning off "Activate security functions" in sh404sef Security makes the problem go away. Re-activating that option makes the problem return.

Also, when this "Forbidden Access" is triggered, this is logged in the sh404sef security logs:

2020-03-06 19:28:43 <script> tag in POST 2.35.148.121 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36 POST /index.php?option=com_content&Itemid=171&a_id=2660&lang=en

These are my settings:

Friday, 06 March 2020 19:59 UTC
wb_weeblr
Hi

Please try emptying the field "Check Hyperlinks in parameters". I think those security checks are not done when user is superadmin, which would explain the ACL thing.

Best regards

Yannick Gaultier
weeblr.com
@weeblr
Friday, 06 March 2020 20:04 UTC
TheSDHotel
Nope, that doesn't fix it.

However, if I turn off the setting "Check also forms data (POST)", the issue goes away. So setting that to "No" addresses the issue.

However, I don't know if disabling that exposes the site to some other possible attack?
Monday, 09 March 2020 11:58 UTC
wb_weeblr
Hi

OK, so there's something in your data that triggers the security. Can you open the sh404SEF security log files or search for something related to this? (in /administrator/logs/sh404sef/sec)

Best regards

Yannick Gaultier
weeblr.com
@weeblr
Monday, 09 March 2020 12:23 UTC
TheSDHotel
I already pasted that line above, maybe you missed it:

This is what's logged in the sh404sef security logs when that happens:

2020-03-06 19:28:43 <script> tag in POST 2.35.148.121 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36 POST /index.php?option=com_content&Itemid=171&a_id=2660&lang=en
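The log line quoted above has a fixed shape: timestamp, block reason, client IP, ` - `, user agent, request method, request URI. As an added example (not sh404SEF's own code), here is a small parser and summary a site admin could run over the entries in /administrator/logs/sh404sef/sec to tell one editor being blocked repeatedly on a single article apart from broad probing of the site; the field layout is inferred from the single line in this ticket, and the two extra log lines are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Field layout inferred from the one line shown in the ticket (an assumption):
#   <date> <time> <reason> <client ip> - <user agent> <method> <uri>
_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<reason>.+?) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - "
    r"(?P<ua>.*?) "
    r"(?P<method>GET|POST|PUT|PATCH|DELETE|HEAD) "
    r"(?P<uri>/\S*)$"
)

# First line is the one quoted in the ticket; the other two are constructed
# (RFC 5737 test address) to show a second editor save and a scripted probe.
SAMPLE_LOG = """\
2020-03-06 19:28:43 <script> tag in POST 2.35.148.121 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36 POST /index.php?option=com_content&Itemid=171&a_id=2660&lang=en
2020-03-06 19:31:02 <script> tag in POST 2.35.148.121 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36 POST /index.php?option=com_content&Itemid=171&a_id=2660&lang=en
2020-03-06 21:14:55 <script> tag in POST 198.51.100.7 - curl/7.64.0 POST /index.php?option=com_users&task=registration.register
not a security log line
"""


@dataclass(frozen=True)
class SecEvent:
    ts: str
    reason: str
    ip: str
    ua: str
    method: str
    uri: str


def parse_line(line):
    """Return a SecEvent for one log line, or None if it does not fit the layout."""
    m = _LINE.match(line.strip())
    return SecEvent(**m.groupdict()) if m else None


def parse_log(text):
    """Parse a whole log file, silently skipping lines that do not match."""
    return [e for e in map(parse_line, text.splitlines()) if e]


def summarize(events):
    """Count blocks by (reason, method) and by (client ip, uri).  The same IP
    hitting the same article-edit URI again and again is an editor's workflow
    tripping the check; many URIs from one IP looks like probing instead."""
    by_reason = Counter((e.reason, e.method) for e in events)
    by_source = Counter((e.ip, e.uri) for e in events)
    return by_reason, by_source
```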
Monday, 09 March 2020 12:49 UTC
wb_weeblr
Hi

Crap, I overlooked it, I thought it was just an Apache log. Ok, so indeed, it's doing exactly what it's supposed to do. There's no white list for this so your best bet is to disable checking POST data I think.

Best regards

Yannick Gaultier
weeblr.com
@weeblr
Monday, 09 March 2020 12:50 UTC
TheSDHotel
Alright cool, thanks :)

Does disabling that pose any other possible security risk?
Wednesday, 11 March 2020 16:11 UTC
wb_weeblr
Hi

Sorry, I did not see the notification for that reply.

That's one layer less of protection. In itself, you should not need any security system on top of Joomla. That's if all extensions were secure at any point in time. sh404SEF just adds one more layer of protection.

It's a choice you make, based on how convenient this workflow is to you. I don't think it's a big risk.

Best regards

Yannick Gaultier
weeblr.com
@weeblr
Wednesday, 11 March 2020 16:19 UTC
TheSDHotel
Ok, thanks :)

Maybe good to add in the documentation that if this option is enabled, it won't be possible to submit javascript tags in the article.
Thursday, 12 March 2020 09:00 UTC
wb_weeblr
Hi

I doubt anyone will ever read anything like that besides you, but I will!

Closing this ticket now, feel free to open a new one as needed. If you do so, please mention this ticket number in the new one.

If you created any superadmin account for us, be sure to delete or block it now to avoid unnecessary risk in the future.

Best regards

Yannick Gaultier
weeblr.com
@weeblr