#101881 Jcemediabox 2 and admintools: csrf block

Posted in ‘Mediabox’

Latest post by Ryan on Saturday, 07 December 2019 12:23 GMT

Pklinke
After updating to the latest JCE MediaBox on Monday, Admin Tools throws lots of CSRF errors regarding https://.../plugins/system/jcemediabox/themes/standard/popup.html or tooltip.html and blocks the visitors.

Ryan
Those files are used in the older version of JCE MediaBox to create the popup layout. They are not used in JCE MediaBox 2.

Please download and install JCE MediaBox 2.0.13 - https://www.joomlacontenteditor.net/downloads/mediabox

Ryan Demmer

Lead Developer / CEO / CTO

Just because you're not paranoid doesn't mean everybody isn't out to get you.

Pklinke

Hi Ryan,

2.0.13 has already been installed since Monday. This problem has occurred since Monday.
I checked the folders, but there is no folder /plugins/system/jcemediabox/themes/.

Why are tooltip.html and popup.html still called?

Peter


Ryan
> Why are tooltip.html and popup.html still called?

They are not used in JCE MediaBox 2.

Please uninstall JCE MediaBox 2, then re-install.


Pklinke
I did this, but there is no change. Users are still blocked because of calls to tooltip.html or popup.html.

Peter

Ryan
Please post a link to an example popup.


Pklinke
https://familie-in-bewegung.de/ueber-uns/vorstand

There is a popup on the lower picture.

Ryan
I'm not seeing an issue when clicking on the popup.

What is displayed when a visitor clicks on the popup?


Pklinke
The visitor will not see any issue, but he is blocked.

I will try to get more information on which page it happens.

Peter

Pklinke
Support from Admin Tools has analysed:
---

It seems that all the blocks are from users using their mobile phones; moreover there is nothing in the request, it seems that they are requesting the file directly.

My theory is that in this cache mobile phone browser is pre-fetching the page, even if they are guests, triggering Admin Tools protection.
---
So it seems that both files are called in cache.

Were popup.html and tooltip.html available before 2.0.13?

Ryan
> ---
> It seems that all the blocks are from users using their mobile phones; moreover there is nothing in the request, it seems that they are requesting the file directly.
>
> My theory is that in this cache mobile phone browser is pre-fetching the page, even if they are guests, triggering Admin Tools protection.
> ---
> So it seems that both files are called in cache.

That seems a reasonable assessment to me. The user's browser has cached the old MediaBox JavaScript file, which is attempting to load the popup.html and tooltip.html files when the page loads. This action is then being blocked by Admin Tools.

> Were popup.html and tooltip.html available before 2.0.13?

They were included in MediaBox 1.2.x.

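The pattern described in this thread (plain, parameter-less requests for the two legacy MediaBox 1.2.x files, coming from pages on the same site and mostly from mobile browsers) can be checked against the web server access log before relaxing any firewall rule. The script below is an added example, not code from JCE or Admin Tools; it assumes the Apache/nginx "combined" log format, and the host example.org and the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Legacy MediaBox 1.2.x layout files named in this thread.
LEGACY = re.compile(r"^/plugins/system/jcemediabox/themes/[^/]+/(popup|tooltip)\.html$")
# Apache/nginx "combined" access log format (assumption about the server setup).
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
MOBILE = re.compile(r"Mobile|Android|iPhone|iPad", re.I)

def triage(lines, site_host):
    """Split requests for the legacy files into stale-cache pattern vs. needs review."""
    summary, review = Counter(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        url = urlsplit(m["target"])
        if not LEGACY.match(url.path):
            continue  # unrelated request
        # Stale cached script: plain GET, no parameters, referred by the site itself.
        same_site = urlsplit(m["referer"]).hostname == site_host
        plain = m["method"] == "GET" and not url.query
        if same_site and plain:
            summary["stale_cache_pattern"] += 1
            summary["mobile" if MOBILE.search(m["ua"]) else "desktop"] += 1
        else:
            summary["needs_review"] += 1
            review.append(line)
    return summary, review

# Constructed sample lines (documentation IP ranges, example.org as the site host).
SAMPLE = [
    '203.0.113.7 - - [05/Dec/2019:10:01:02 +0000] "GET /plugins/system/jcemediabox/themes/standard/popup.html HTTP/1.1" 403 512 "https://example.org/ueber-uns/vorstand" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_1 like Mac OS X) Mobile/15E148"',
    '203.0.113.9 - - [05/Dec/2019:10:03:40 +0000] "GET /plugins/system/jcemediabox/themes/standard/tooltip.html HTTP/1.1" 403 512 "https://example.org/" "Mozilla/5.0 (Linux; Android 9) Mobile Safari/537.36"',
    '198.51.100.4 - - [05/Dec/2019:10:05:11 +0000] "GET /plugins/system/jcemediabox/themes/standard/popup.html?id=1 HTTP/1.1" 403 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [05/Dec/2019:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_1 like Mac OS X) Mobile/15E148"',
]

if __name__ == "__main__":
    counts, to_review = triage(SAMPLE, "example.org")
    print(dict(counts), len(to_review))
```

Referer and User-Agent are supplied by the client, so the result is a triage aid for deciding which blocks match the cached-script explanation, not proof of it.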