The Joomla! Forum ™



Posted: Fri Nov 30, 2007 11:06 pm
Joomla! Apprentice

Joined: Fri Jun 29, 2007 12:28 am
Posts: 46
Location: Queensland, Australia
Have added an SSL cert. to a client's site: Joomla 1.1.13, and virtuemart.

Have fixed most issues thanks to the forum, I've secured the whole site under the SSL by using a redirect in the .htaccess file.

But now this issue remains:

In Firefox, no problems, but in IE, still getting the 'This page contains both secure and nonsecure items' warning pop-up.

My question is how can I tell which items are nonsecure ? Even if I say 'no' to displaying nonsecure items, all the images appear ok, in fact I can't see anything missing, no 'red cross' image holders etc.

www.nmbs.com.au

Thanks so much.


Posted: Fri Nov 30, 2007 11:39 pm
Joomla! Enthusiast

Joined: Sat Nov 11, 2006 5:01 am
Posts: 190
Location: Latham, NY
Your SSL cert is protecting anything in your domain, nmbs.com.au and its subdirectories.

The four links at the bottom of the page are causing the message.  All four are pointing to non-ssl http pages, not in the domain protected by your SSL cert, thus the warning.

A quick google of the problem comes up with a lot of suggestions.. the most common one being to point your links to secure pages, but you can't necessarily pick and choose the type of pages you're linking to, so that might not help you.

The other thing, for images, was to just use a virtual link  like /images/image.gif  instead of http://www.mysite.com/images/image.gif

You might try stripping the http:// from the link and just trying it with the URI...


Posted: Sat Dec 01, 2007 12:04 am
Joomla! Apprentice

Joined: Fri Jun 29, 2007 12:28 am
Posts: 46
Location: Queensland, Australia
Thanks for the reply, I really appreciate it.

I just removed those 4 links from the front page and the same problem exists.

Is it just a question of going through page by page until I find an explicit link to http://something  ?

Thanks !


Posted: Sat Dec 01, 2007 3:10 am
Joomla! Enthusiast

Joined: Sat Nov 11, 2006 5:01 am
Posts: 190
Location: Latham, NY
ausnets wrote:
Is it just a question of going through page by page until I find an explicit link to http://something  ?



That was actually a recommendation I saw on one of the pages I looked at.  Based on the information I read, your problem lies in the page trying to access something or link to something that is http:// rather than https://

I wish I could be of more assistance to you, unfortunately SSL is not my strong suit.


Posted: Fri Dec 07, 2007 1:00 am
Joomla! Fledgling

Joined: Tue Nov 07, 2006 9:27 am
Posts: 3
Location: Los Angeles, CA, USA
I'm having the same problem.  I switched over to SSL last night and after tons of work I'm still having problems.  I started by using relative links and "image.gif", I even removed 3rd party scripts from my site and I still got the mixed content error.  I then changed all links to https://... and the same with images, but still nothing.  It's best for me to use the full URL because parts of my site need to be secure and other parts don't, so when someone clicks on a specific link, I need it to send them to the secure site.  I may end up just putting a small note on the site telling users how to turn off that error.  I can stand it but I'm sure users will run screaming  :'(

_________________
***** Manual signatures are NOT allowed *****
dianascherff.com
sutherland-scherff.net


Posted: Fri Dec 14, 2007 1:30 am
Joomla! Apprentice

Joined: Fri Sep 22, 2006 3:13 am
Posts: 15
If you use Google analytics code on your index.php of your template file this is the problem. I had the same problem, spent days looking for the issue only to remove the Google script and the problem went away. There is a new mambot that allows you to add the Google code so that it switches to secure when needed.


Posted: Tue Dec 18, 2007 7:57 pm
Joomla! Intern

Joined: Wed Aug 24, 2005 7:31 pm
Posts: 63
having same issue.  Not using Google Analytics at all.


Posted: Thu Dec 20, 2007 3:52 am
Joomla! Apprentice

Joined: Thu Jul 20, 2006 1:58 pm
Posts: 49
Location: Texas
Interesting. I have built more than a dozen Joomla/VirtueMart sites and not had any serious problem with the secure/nonsecure warning.

However, I just launched my first site using 1.0.13 and I get the warning on every secure page. I have checked all the regular culprits and cannot find a problem. Also, on secure page I get a syntax error on line 2.

All of this happens only in IE, of course.

_________________
Best Regards,
Howard Theriot
http://www.catchlight.com


Posted: Wed Mar 19, 2008 6:20 pm
Joomla! Apprentice

Joined: Sun Jun 17, 2007 4:28 am
Posts: 19
Have you found any resolution to this ?

IE7 is saying page not found when clicking on the OK to display secure and nonsecure items. IE6 throws the warning as well, but FF and Safari work fine. . . .

http://www.fairtradeteas.com


Posted: Wed Mar 19, 2008 10:09 pm
Joomla! Apprentice

Joined: Fri Jun 29, 2007 12:28 am
Posts: 46
Location: Queensland, Australia
I wish there was a resolution to this.

We have simply started to tell all potential customers we will not build Secure Joomla/Virtuemart sites.
They have to accept PayPal.

Not ideal, but what can we do ?


Posted: Thu Mar 20, 2008 3:08 am
Joomla! Apprentice

Joined: Sun Jun 17, 2007 4:28 am
Posts: 19
On the site, we only use PayPal and Google Checkout . . .

So I'm already half way there.

I've turned off every module and have stripped the site down in testing to see if there was something third-party, in terms of CSS or JS that might have been causing it, but still no luck.

I ran through the order process and I do see some VM code where there are HTTP vs HTTPS links on this page:

https://www.fairtradeteas.com/index.php ... &Itemid=29

A section of code that looks like it'd be updating the quantity / remove items from cart has what I think may be the offending code:

Code:
    <td>
      <form action="https://www.fairtradeteas.com/index.php" method="post">
      <input type="hidden" name="option" value="com_virtuemart" />
      <input type="text" title="Update Quantity In Cart" class="inputbox" size="4" maxlength="4" name="quantity" value="1" />   </td>
    <td>$27.82</td>
    <td><input type="hidden" name="page" value="checkout.index" />
        <input type="hidden" name="func" value="cartUpdate" />
        <input type="hidden" name="product_id" value="21" />
        <input type="hidden" name="Itemid" value="29" />
        <input type="hidden" name="description" value="" />
        <input type="image" name="update" title="Update Quantity In Cart" src="http://www.fairtradeteas.com/components/com_virtuemart/shop_image/ps_image/edit_f2.gif" border="0"  alt="Update" />
      </form></td>
    <td><form action="https://www.fairtradeteas.com/index.php" method="post" name="delete" >
        <input type="hidden" name="option" value="com_virtuemart" />
        <input type="hidden" name="page" value="checkout.index" />
        <input type="hidden" name="Itemid" value="29" />
        <input type="hidden" name="func" value="cartDelete" />
        <input type="hidden" name="product_id" value="21" />
        <input type="hidden" name="description" value="" />
      <input type="image" name="delete" title="Delete Product From Cart" src="http://www.fairtradeteas.com/components/com_virtuemart/shop_image/ps_image/delete_f2.gif" border="0" alt="Delete Product From Cart" />
      </form></td>


Could this be the code causing it to throw warnings in IE?


Posted: Thu Mar 20, 2008 6:46 am
Joomla! Guru

Joined: Wed Aug 17, 2005 11:46 pm
Posts: 968
Links have nothing to do with giving this error. It's only things that try to load on the page itself, i.e. when you see src="...

On https://www.fairtradeteas.com/index.php ... &Itemid=29 ALL of the Virtuemart images load as non-secure.

From the code you posted

Quote:
src="http://


is exactly what will give this error. I haven't tested the newest VM versions, and you may want to check at their forums, but it only used to load images as secure through the checkout process, and only if the ssl redirect was enabled in the VM config.

_________________
Doyle Lewis
BuyHTTP Internet Services
http://www.buyhttp.com/joomla_hosting.html - No Overselling Guarantee. Your Joomla site, faster.
http://www.joomlademo.com - Joomla flash tutorials.


Posted: Fri Mar 21, 2008 7:37 pm
Joomla! Apprentice

Joined: Sun Jun 17, 2007 4:28 am
Posts: 19
This may not be the most elegant solution in getting VM to play nice with IE, but it got me over the hump.

The Update Cart / Empty Cart images were being called over HTTP vs. HTTPS, but I was having trouble figuring out how to best remedy it. So I searched the VM files to see where those images were being called and I found:

html/basket.php
html/ro_basket.php

Which I found by doing a search for the image names: edit_f2.gif and delete_f2.gif

Around line 138 in basket.php replace IMAGEURL
Code:
        <input type=\"image\" name=\"update\" title=\"". $VM_LANG->_PHPSHOP_CART_UPDATE ."\" src=\"". IMAGEURL ."ps_image/edit_f2.gif\" border=\"0\"  alt=\"". $VM_LANG->_PHPSHOP_UPDATE ."\" />


with the full path to the files:

Code:
 <input type=\"image\" name=\"update\" title=\"". $VM_LANG->_PHPSHOP_CART_UPDATE ."\" src=\"". "https://www.fairtradeteas.com/components/com_virtuemart/shop_image/ps_image/edit_f2.gif\" border=\"0\"  alt=\"". $VM_LANG->_PHPSHOP_UPDATE ."\" />


And again at line 147:

Code:
  <input type=\"image\" name=\"delete\" title=\"". $VM_LANG->_PHPSHOP_CART_DELETE ."\" src=\"". IMAGEURL ."ps_image/delete_f2.gif\" border=\"0\" alt=\"". $VM_LANG->_PHPSHOP_CART_DELETE ."\" />


with the full path:

Code:
<input type=\"image\" name=\"delete\" title=\"". $VM_LANG->_PHPSHOP_CART_DELETE ."\" src=\""."https://www.fairtradeteas.com/components/com_virtuemart/shop_image/ps_image/delete_f2.gif\" border=\"0\" alt=\"". $VM_LANG->_PHPSHOP_CART_DELETE ."\" />


It may not be the most elegant solution, but it got me over the IE unsecured items issue.

I realize I may be posting this in the incorrect area, but wanted to get my solution out there as I know from reading other posts it was giving folks a real hard time.


Posted: Wed May 21, 2008 5:29 pm
Joomla! Enthusiast

Joined: Sun Aug 28, 2005 3:09 am
Posts: 115
Not to derail the thread, but my situation is similar to yours. The current installation of J 1.0.15 and VM 1.10 created a new set of non-secure ie6/ie7 items.

Here's the post:
http://forum.virtuemart.net/index.php?topic=40552.0

I identified the culprit as this part in virtuemart.cfg.php:

Quote:
define( 'URL', $mosConfig_live_site.$app );
define( 'SECUREURL', 'https://www.domain.com/' );

if ( @$_SERVER['HTTPS'] == 'on' ) {
define( 'IMAGEURL', SECUREURL .'components/com_virtuemart/shop_image/' );
} else {
define( 'IMAGEURL', URL .'components/com_virtuemart/shop_image/' );
}
define( 'VM_THEMEPATH', $mosConfig_absolute_path.'/components/com_virtuemart/themes/default/' );
define( 'VM_THEMEURL', $mosConfig_live_site.'/components/com_virtuemart/themes/default/' );

/components/com_virtuemart/themes/default/ DOES NOT turn to HTTPS !!!

/components/com_virtuemart/themes/default/ was NOT in VM 1.0.5 so that's why I didn't have the problem as I do now.

How can I make this folder https or make the unsecure warning go away?

Thank you.


Posted: Sat May 31, 2008 5:26 am
Joomla! Guru

Joined: Sat Jul 08, 2006 7:36 am
Posts: 929
Location: India
Had a similar issue, don't know whether it's the same but you could check out this thread..

http://forum.virtuemart.net/index.php?topic=36696.15

regards

_________________
Quality WebDevelopment at http://www.webworkwiz.com
Affordable hosting http://www.vsmhosting.com


Posted: Sat May 31, 2008 5:06 pm
Joomla! Enthusiast

Joined: Sun Aug 28, 2005 3:09 am
Posts: 115
Yeah, I completely forgot to update this thread.

Thanks for pointing this out.


Posted: Sun Dec 28, 2008 11:31 pm
Joomla! Apprentice

Joined: Thu Jul 24, 2008 3:21 am
Posts: 32
http links in java scripts will do this too.


microsoft sucks


Posted: Sat Mar 21, 2009 6:46 am
Joomla! Intern

Joined: Sun Jan 08, 2006 12:18 am
Posts: 51
ok.. What i've done after DAYS of work.. and what worked for me was to
1. make all my images in the css absolute paths...
2. fix any src=' as mentioned above in the source and the biggie...
3. in the joomla config file don't use anything for live site... so it would be livesite=''

i'm not sure if 1 and 2 above really did anything.. but i know that 3 did

hope this helps

_________________
"How can you find joy in a joyless place except by realizing you are not there?"

http://www.thecourseinmiracles.com
http://www.uncursodemilagros.com


Posted: Thu Feb 18, 2010 5:41 pm
Joomla! Enthusiast

Joined: Mon Mar 19, 2007 8:29 am
Posts: 171
3. in the joomla config file don't use anything for live site... so it would be livesite=''

That fixed it for me!!!!!

G


Posted: Sat Sep 18, 2010 7:37 am
Joomla! Apprentice

Joined: Tue Oct 06, 2009 7:48 am
Posts: 9
This might help.
In module manager go to main module
under advanced select "No caching"


Posted: Tue Dec 07, 2010 3:58 pm
Joomla! Apprentice

Joined: Sat Oct 31, 2009 9:51 pm
Posts: 14
For me the issue appears to be the FLASH "codebase" parameter, which links to http://download.macromedia.com/pub/shoc ... wflash.cab. I am using the Flash Joomla module flash_mod. I am going to try to edit the module file to make the connection a secure connection. I confirmed this as the issue after having looked at the "Page Source" in IE, and doing a Ctrl+F to do a search for the term "http". I made all paths relative, or https. When still having the IE popup issue, I temporarily disabled the Flash module in the admin backend, and voilà, the warning went away on the checkout (https connection) pages.


Posted: Tue Dec 07, 2010 5:26 pm
Joomla! Fledgling

Joined: Thu Oct 21, 2010 2:49 pm
Posts: 4
johnwasneverhere wrote:
ok.. What i've done after DAYS of work.. and what worked for me was to
1. make all my images in the css absolute paths...
2. fix any src=' as mentioned above in the source and the biggie...
3. in the joomla config file don't use anything for live site... so it would be livesite=''

i'm not sure if 1 and 2 above really did anything.. but i know that 3 did

hope this helps


i migrated to a new server... #3 fixed ALLLLL of my problems.
Thankx!!


Posted: Thu Sep 08, 2011 12:59 pm
Joomla! Fledgling

Joined: Thu Sep 08, 2011 12:52 pm
Posts: 1
I had the same issue in IE I was getting warning messages saying "Only secure content is displayed"

I tried everything. I edited var $live_site = ''; in configuration to var $live_site = 'https://www.domain.com';

I made sure all pages were set to SSL enabled using the parameters for each article in the back-end. I also set the Force SSL to the entire site in the globals, Nothing worked.

The fix for me was, I viewed source, copied the entire code into a html file, uploaded the file, problem still there. I gradually took piece by piece out until I found where the problem was. The problem was inside a css file that was loading fonts from http instead of https. Once I removed that code, my site was secure.


Posted: Sat Sep 17, 2011 5:31 pm
Joomla! Apprentice

Joined: Mon Jul 17, 2006 11:43 am
Posts: 18
You can have as many links as you want pointing to non-secure pages; they will never affect your SSL certificate. The only time you will have a problem is if you are linking with an absolute path to an image using http:

So look for any references to <img src="http://domain.com/images/image.jpg" />; it would be far better to change this to <img src="images/image.jpg" />

Or any references in your css files which call in an image using an absolute path; again, change as above (updating with the correct paths, obviously).

Any files you have added in the header such as script tags calling in javascript or jquery files from non-https locations.

Google analytics already has code in it to automatically switch to https if required.

Any links which are <a href="http:// do not need attention as they are not loading the page on your site so do not need to be secure.
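
The distinction drawn in the post above (resources the page loads versus plain links), together with the page-source searches earlier posters describe, can be automated. The following is an added example, not part of any post in this thread: a Python scanner that lists what an https page would fetch over http. The function names and the example.com/.net/.org hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attr) pairs fetched while rendering; <a href>/<form action> only navigate.
FETCHED = {("img", "src"), ("script", "src"), ("iframe", "src"), ("embed", "src"),
           ("input", "src"), ("object", "data"), ("object", "codebase"), ("link", "href")}
CSS_URL = re.compile(r"""(?:@import\s+(?:url\(\s*)?|url\(\s*)['"]?([^'")\s;]+)""", re.I)

def css_refs(css_text, base_url):
    """Absolute URLs named by url(...) or @import in a piece of CSS."""
    return [urljoin(base_url, ref) for ref in CSS_URL.findall(css_text)]

def is_loaded(tag, attrs):
    # <input> loads src only for type=image; <link> only for stylesheets and icons.
    if tag == "input":
        return (attrs.get("type") or "").lower() == "image"
    if tag == "link":
        return any(r in (attrs.get("rel") or "").lower() for r in ("stylesheet", "icon"))
    return True

class SubresourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.refs, self.in_style = page_url, [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.in_style = tag == "style"
        for name, value in attrs.items():
            if value and name == "style":  # inline CSS, e.g. a background image
                self.refs += [(f"{tag}[style]", u) for u in css_refs(value, self.page_url)]
            elif value and (tag, name) in FETCHED and is_loaded(tag, attrs):
                self.refs.append((f"{tag}[{name}]", urljoin(self.page_url, value)))

    def handle_endtag(self, tag):
        self.in_style = False
    def handle_data(self, data):
        if self.in_style:  # text of a <style> element
            self.refs += [("style", u) for u in css_refs(data, self.page_url)]

def find_mixed_content(html, page_url):
    """Sorted (source, url) pairs an https page would load over plain http."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    return sorted({ref for ref in collector.refs if urlsplit(ref[1]).scheme == "http"})

# Constructed sample page; the hosts are placeholders, not sites from the thread.
SAMPLE = """<html><head>
<style>@font-face { font-family: X; src: url('http://fonts.example.net/x.woff'); }</style>
<script src="//stats.example.net/tracker.js"></script>
</head><body><a href="http://partner.example.org/">partner</a>
<input type="image" name="update" src="http://shop.example.com/shop_image/edit_f2.gif">
<img src="images/logo.gif" style="background: url(http://shop.example.com/bg.gif)">
<object codebase="http://download.example.net/flash.cab"></object>
</body></html>"""

if __name__ == "__main__":
    print(*find_mixed_content(SAMPLE, "https://shop.example.com/index.php"), sep="\n")
```

A linked stylesheet is a separate fetch, so run `css_refs` over its text with the stylesheet's own URL as `base_url` to catch cases like the http font reference reported earlier in the thread.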


Posted: Sat Sep 17, 2011 6:09 pm
Joomla! Hero

Joined: Sat Feb 09, 2008 8:27 am
Posts: 2152
Location: California, USA
For others that run into this problem there is an awesome addon for IE and Firefox which gives you the ability to see all "http" references on a "https" page. Makes it very easy to track them down.

http://www.httpwatch.com/

Mark


Posted: Wed Sep 21, 2011 1:45 pm
Joomla! Apprentice

Joined: Wed Sep 21, 2011 1:07 pm
Posts: 8
i'm also facing same problem. my site is https://ebaseworks.com.

I'm able to troubleshoot by using firefox, in media tab https://picasaweb.google.com/1164965086 ... 7806743906, i delete script which is not providing SSL for my site.

I am also checking every image using relative url in my .php files and also in my css.

$live_site already as ''

Almost fed up.


Posted: Wed Sep 21, 2011 2:11 pm
Joomla! Apprentice

Joined: Wed Sep 21, 2011 1:07 pm
Posts: 8
Wrong info... post deleted


Posted: Wed Aug 01, 2012 10:39 am
Joomla! Fledgling

Joined: Mon Jul 23, 2012 2:51 pm
Posts: 4
Is that an SSL installation problem or Joomla? I am suffering, as a lot of my site pages are down with the addition of SSL.


Posted: Wed Nov 07, 2012 9:57 am
Joomla! Apprentice

Joined: Wed Feb 16, 2011 3:58 pm
Posts: 6
Hi, try this website: http://www.whynopadlock.com/

I've used it a few times on SSL sites. You can fill in the URL of your page and it generates a very useful overview of all secure and non-secure links on your page.

Regards, Gerard

