
Read this first!

We do not monitor these forums. The forum is provided to exchange information and experience with other users ONLY. Forum responses are not guaranteed.

However, please submit a ticket if you have an active subscription and wish to receive support. Our ticketing system is the only way of getting in touch with RSJoomla! and receiving the official RSJoomla! Customer Support.

For more information, the Support Policy is located here.

Thank you!

TOPIC: Logs that RSFirewall Checks?

This message has been removed by user's request. 8 years 3 months ago #33834


Logs that RSFirewall Checks? 8 years 3 months ago #33836

  • octavian
  • RSJoomla! Official Staff
This is a bug caused by Admin Tools. Please contact the extension's developers for a fix; it incorrectly replaces the PHP $_SERVER["REMOTE_ADDR"] with that string.
Please note: my help is not official customer support. To receive your support, submit a ticket by clicking here
Regards,
RSJoomla! Development Team
Last Edit: 8 years 3 months ago by octavian.

This message has been removed by user's request. 8 years 3 months ago #33838


Logs that RSFirewall Checks? 8 years 3 months ago #33847

  • alexp
  • RSJoomla! Official Staff
Perhaps you haven't checked the support service terms (I know that these are rather strict over there). We can't actually provide a fix for this given that the issue is generated by a different extension. RSFirewall! simply displays server-related variables. The fact that a third party extension is altering these variables is beyond RSFirewall!'s control.
Please note: my help is not official customer support. To receive your support, submit a ticket by clicking here
Regards,
RSJoomla! Development Team

This message has been removed by user's request. 8 years 3 months ago #33856


This message has been removed by user's request. 8 years 3 months ago #33897


Logs that RSFirewall Checks? 8 years 3 months ago #33899

  • octavian
  • RSJoomla! Official Staff
Ok, let's clear up a few things. On top of this forum there's a big banner saying:
We do not monitor these forums. The forum is provided to exchange information and experience with other users ONLY. Forum responses are not guaranteed.

However, please submit a ticket if you have an active subscription and wish to receive support. Our ticketing system is the only way of getting in touch with RSJoomla! and receiving the official RSJoomla! Customer Support.

For more information, the Support Policy is located here.

Thank you!

If you had submitted a ticket with your issue, you'd have received guaranteed replies since that's the place where we provide support. These forums are monitored as time allows. If the issue is pressing, please consider submitting a support ticket instead of writing on the forum.

Now, back to the original issue:
I'm not sure what you are asking exactly, but if you are asking where the information from the System Logs is stored, that would be the #__rsfirewall_logs table. But it doesn't really matter because what you are seeing in your email / System Logs area is the information present in the #__rsfirewall_logs table. So, no way to get the real IP as the IP wasn't properly recorded.

Why wasn't the IP properly recorded, you ask? Since I've seen this happen way too often, I'm going to explain it here for everyone. All of the instructions below are verified with the latest Admin Tools version as of this date, and since we're not subscribers of Admin Tools and do not plan on being for quite some time, I'm basing my findings on the free Admin Tools Core 3.6.8 version. The functions are pretty extensive and would make this post unreadable, so I'm going to show you just the parts that count.

1) This is the code from /plugins/system/admintools/admintools/main.php:
// Work around IP issues with transparent proxies etc
public function __construct(&$subject, $config = array())
...
$this->workaroundIP();
The above means that it runs a function when the plugin is loaded (constructed).

2) Let's look at what this function, workaroundIP() does:
...
F0FUtilsIp::workaroundIPIssues();
...

3) This is the code from /libraries/f0f/utils/ip/ip.php which contains the workaroundIPIssues() function:
$ip = self::getIp();
...
$_SERVER['REMOTE_ADDR'] = $ip;
Ok, so we know that it requests an IP provided by the getIp() function and overwrites $_SERVER["REMOTE_ADDR"] with that IP.

4) Now let's see what getIp() does:
...
$ip = self::detectAndCleanIP();
...

5) Let's take a look at detectAndCleanIP():
...
$ip = self::detectIP();
...

6) Let's see what that does:
// Do we have an x-forwarded-for HTTP header (e.g. NginX)?
if (self::$allowIpOverrides && array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER))
{
	return $_SERVER['HTTP_X_FORWARDED_FOR'];
}
The code will attempt to grab the IP that's found in a PHP Superglobal. Superglobals are predefined variables that PHP uses to store environment info into, such as the remote address of the visitors.

If you're behind a proxy, because the proxy is the one actually connecting to your web server (client -> proxy -> web server), the $_SERVER["REMOTE_ADDR"] variable that holds the IP will actually hold the IP of the proxy, since the proxy passes the request from the client. That's why there's a good practice for the proxy to return the IP into another variable - usually the $_SERVER["HTTP_X_FORWARDED_FOR"] variable.

Now, the issue is that hackers will inject code into that variable, hoping to exploit the Joomla! RCE vulnerability found in mid December 2015.

What you end up with is $_SERVER["REMOTE_ADDR"] being overridden by $_SERVER["HTTP_X_FORWARDED_FOR"], by the Admin Tools code, without any proper validation. This will affect all PHP scripts running on your website and expecting $_SERVER["REMOTE_ADDR"] to return a correct IP address, not just RSFirewall!.

How to fix this? Since I dug so much through the code, I noticed there's a "$allowIpOverrides" variable which seems to be toggled by the configuration - that configuration item does not exist in the Admin Tools Core edition, it's probably only for paying users. So the only way to turn this off would be to either purchase Admin Tools Professional or go back to /plugins/system/admintools/admintools/main.php and comment the function that causes all this:
//F0FUtilsIp::workaroundIPIssues();
Please note: my help is not official customer support. To receive your support, submit a ticket by clicking here
Regards,
RSJoomla! Development Team
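
The post above describes REMOTE_ADDR being overwritten with an unvalidated X-Forwarded-For header. The following is an added example, not part of the original post and not code from Admin Tools, F0F or RSFirewall!, showing one way to resolve the client IP so that the header is honoured only when the request really arrives from a known proxy and only values that parse as IP addresses are ever returned. The function name resolveClientIp() and the trusted-proxy list are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not Admin Tools / F0F / RSFirewall! code.

/**
 * Resolve the client IP. X-Forwarded-For is honoured only when the direct
 * peer (REMOTE_ADDR) is one of our own proxies, and nothing that fails
 * IP validation is ever returned.
 */
function resolveClientIp(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0'; // placeholder meaning "unknown"
    }

    // Direct connection: the header is fully client-controlled, so ignore it.
    if (!in_array($peer, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }

    // Walk the chain right to left. The first hop that is not one of our
    // proxies is the address our own proxy actually saw on the wire.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed entry: fall back to the socket address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed sample requests (documentation address ranges only).
$proxies = ['192.0.2.10'];
$samples = [
    'direct, header set by client' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => 'not-an-ip'],
    'via proxy, clean header'      => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.23'],
    'via proxy, client-added hop'  => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '10.1.1.1, 198.51.100.23'],
    'via proxy, non-IP value'      => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => 'not-an-ip'],
];
foreach ($samples as $label => $server) {
    printf("%-30s => %s\n", $label, resolveClientIp($server, $proxies));
}
```

Because the result is always either the socket address or a validated IP, anything logged or compared against it downstream stays a well-formed address even when the header carries arbitrary text.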

Logs that RSFirewall Checks? 8 years 3 months ago #33921

Just to clear this up. I do not have Admin Tools installed and I was/am getting these errors.

I got this response from support which clears things up and points towards a Joomla fault.
The Admin Tools owner has actually developed a framework that is included within the standard Joomla! installation. This particular framework generates this behavior. My colleague, Octavian, detailed this in a forum post: