IIS server+PHP - Joomla 1.011 - Error: Illegal variable _files or _env...

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

masterdb
Joomla! Fledgling
Posts: 3
Joined: Tue Sep 12, 2006 9:41 pm

IIS server+PHP - Joomla 1.011 - Error: Illegal variable _files or _env...

Post by masterdb » Tue Sep 12, 2006 10:05 pm

Hi there,

After the 1.011 Joomla upgrade, the website of my team started randomly presenting the following error:

Illegal variable _files or _env or _get or _post or _cookie or _server or _session or globals passed to script.

In the admin area of Joomla, the information "PHP register_globals setting is `ON` instead of `OFF`" appears. The problem is that we can't change the php.ini, and the .htaccess file does not apply to IIS.

Any solutions?

What could be happening to cause the random failures?

Any help would be appreciated.

RobS
Joomla! Ace
Posts: 1366
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA

Re: IIS server+PHP - Joomla 1.011 - Error: Illegal variable _files or _env...

Post by RobS » Tue Sep 12, 2006 11:22 pm

Chances are it is being caught in a new check that was implemented for 1.0.11. It is caused by a numeric variable key (most likely) due to an old session cookie or something of that nature. What extensions are you using on your site? Make sure you have all of the latest versions and just tell your team to clear their cookies and things should be okay (assuming the extensions have been fixed to work with the new checks). For example, a Joomla login cookie could contain an all-numeric hash, but it is unlikely that it is this if you are experiencing it for a lot of users. We made sure to fix the hash creation process to prefix all hashes with a j to make sure they were not purely numeric under any circumstances. Hopefully that helps.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Re: IIS server+PHP - Joomla 1.011 - Error: Illegal variable _files or _env...

Post by masterdb » Wed Sep 13, 2006 1:41 pm

robs,

Thanks for the support  :)

We already took some actions and the site is np now.

First, we disabled all the recently added extensions.
Second, we are going to send an e-mail to all users to clean their cookies.

If the situation starts to be stable (after the cookie cleanup) then we will check the extension versions and start activating them one by one.

I will keep giving feedback. Thanks once more.

Migg
Joomla! Fledgling
Posts: 2
Joined: Wed Sep 13, 2006 10:30 am

Re: IIS server+PHP - Joomla 1.011 - Error: Illegal variable _files or _env...

Post by Migg » Thu Sep 14, 2006 2:30 pm

The problem persists.

We use the SMF bridge; we have changed the cookie name but the problem persists.

We have the following extensions in our installation :

AkoBook  -  version 3.42  - Disabled
Events - version 1.2 - Enabled
eWeather - 1.1.0 - Enabled
JCE Admin  -  1.0.4 Enabled
Marketplace - 1.2.1 Enabled
ReMOSitory  - 3.25 Enabled
SMF Bridge - 1.1.6 Enabled
VirtueMart - 1.0.6 Enabled

We have disabled all the extensions (just leave the SMF Bridge).

We are thinking of downgrading the version to 1.0.8 (the latest version we have installed). What do we need to do? Only copy the files?

Thanks.


Re: IIS server+PHP - Joomla 1.011 - Error: Illegal variable _files or _env...

Post by masterdb » Thu Sep 14, 2006 9:58 pm

We couldn't wait longer...the error was appearing constantly.

We decided to downgrade again to 1.0.8

We copied all the directory content to the joomla root except for the installation dir.

It seems to be working fine now!

Pascal Louwes
Joomla! Fledgling
Posts: 1
Joined: Fri Apr 28, 2006 9:58 am

Re: IIS server+PHP - Joomla 1.011 - Error: Illegal variable _files or _env...

Post by Pascal Louwes » Mon Sep 18, 2006 7:56 am

Check if you have forms somewhere that post fields with numeric names. That's illegal from version .11 and can give you this error.

cheers,
Pascal.

sergiorocha
Joomla! Fledgling
Posts: 1
Joined: Thu Sep 15, 2005 1:44 am

Re: IIS server+PHP - Joomla 1.011 - Error: Illegal variable _files or _env...

Post by sergiorocha » Fri Sep 22, 2006 12:20 am

I found the same problem in my Joomla. But because I have two web servers for the same site, if I visit www1.mydomain.com and www2.mydomain.com, it works.

I only have this problem with Firefox; I cleaned up the cookies, and it started to work again.

I hope it was helpful.


Re: IIS server+PHP - Joomla 1.011 - Error: Illegal variable _files or _env...

Post by Migg » Fri Sep 22, 2006 9:53 am

Thanks Sergio,

We have asked all the members to clear their cookies but we have a lot of non members visiting the webpage everyday. We have made the downgrade and everything works fine now.

We will wait for a next release ...


Re: IIS server+PHP - Joomla 1.011 - Error: Illegal variable _files or _env...

Post by RobS » Fri Sep 22, 2006 11:31 am

This behavior is not a bug but is intended as it prevents the exploitation of a bug in some versions of PHP.  I don't think it will be removed.

If and only if you are running the latest version of PHP (4.4.4 or 5.1.6) you could consider commenting out the line below from globals.php.

line 40 in globals.php:

$failed |= is_numeric( $key );

change to:

//$failed |= is_numeric( $key );

That should "fix" the problem by removing the check that is causing the warning and abort to occur. I repeat, do not remove that line unless you are running the latest version of PHP as it could open your system up to more serious security threats.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

EveryWish
Joomla! Fledgling
Posts: 1
Joined: Tue May 03, 2011 9:53 pm

Re: IIS server+PHP - Joomla 1.011 - Error: Illegal variable

Post by EveryWish » Tue May 03, 2011 10:03 pm

Where do you find globals.php in Joomla version 1.5.23?

I'll leave it at that lol
Way too complicated and time consuming to explain... 8 hours invested in this problem :-\ :pop

DrTech76
Joomla! Fledgling
Posts: 1
Joined: Sat Jan 21, 2012 6:57 pm

Re: IIS server+PHP - Joomla 1.011 - Error: Illegal variable

Post by DrTech76 » Sat Jan 21, 2012 7:08 pm

The issue is rooted in the AJAX requests, and specifically in the timestamp appended to the requested URL to prevent loading the content from the browser's cache. And because this is being added not as a key=value pair but just as a single value, Joomla treats it as a URL parameter, which indeed is numeric.

Hacking the Joomla core is not necessary to fix this. The fix is to alter the JavaScript that does this cache prevention by making it append a key=value pair, so the value can still be the timestamp and the key can be anything your mind desires.

I just made it like this (the example is from the com_listbingo "components/com_listbingo/templates/default/js/m11/validation.js" that deals with the add/edit an add form validation, which was failing on verifying the captcha because of this issue)

CODE (line ) BEFORE:
var url='index.php?option=com_listbingo&task=addons.captcha.front.verifyCaptcha&cval='+capvalue+'&format=raw&' +new Date();

CODE (line ) AFTER:
var url='index.php?option=com_listbingo&task=addons.captcha.front.verifyCaptcha&cval='+capvalue+'&format=raw&random=' +new Date();
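
An added example, not part of any post in this thread: a small JavaScript audit that lists the top-level query keys in a URL that the check discussed above would reject (numeric keys, or one of the names from the error message), plus a helper that appends a cache-buster as a named pair. `looksNumeric` only approximates PHP's `is_numeric()`, the case-insensitive name match is an assumption, and all function names and sample URLs are constructed for illustration.

```javascript
// Names taken from the error message quoted in the first post.
const BANNED_KEYS = ['_files', '_env', '_get', '_post', '_cookie',
                     '_server', '_session', 'globals'];

// Approximation of PHP is_numeric() for a key: optional sign, decimal with
// optional fraction/exponent, or a hex literal (accepted by older PHP).
function looksNumeric(key) {
  return /^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$/.test(key) ||
         /^0[xX][0-9a-fA-F]+$/.test(key);
}

// Return the query keys in `url` that would trip the check, with a reason.
function auditQueryKeys(url) {
  const noFragment = url.split('#')[0];
  const q = noFragment.indexOf('?');
  const query = q === -1 ? '' : noFragment.slice(q + 1);
  const findings = [];
  for (const [key] of new URLSearchParams(query)) {
    // PHP folds "name[idx]" into an array stored under "name",
    // so only the part before the first "[" is the top-level key.
    const top = key.split('[')[0];
    if (BANNED_KEYS.includes(top.toLowerCase())) {
      findings.push({ key: top, reason: 'reserved name' });
    } else if (looksNumeric(top)) {
      // A bare "&12345" is parsed as key "12345" with an empty value.
      findings.push({ key: top, reason: 'numeric key' });
    }
  }
  return findings;
}

// Append the cache-buster as a named key=value pair instead of a bare value.
function withCacheBuster(url, name = 'random', now = Date.now()) {
  const sep = url.includes('?') ? '&' : '?';
  return url + sep + encodeURIComponent(name) + '=' + now;
}

// Constructed sample URLs (com_example is a placeholder component name).
const base = 'index.php?option=com_example&format=raw';
const bare = base + '&1326992880000';                         // bare timestamp
const named = withCacheBuster(base, 'random', 1326992880000); // named pair
```

Running `auditQueryKeys` over the URLs a template's scripts generate shows which requests need the named-parameter fix without touching globals.php.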

