Components not working with Register Globals Emulation off

pe7er
Joomla! Master
Posts: 22520
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Post by pe7er » Mon Aug 21, 2006 6:07 pm

arnold wrote:[..] my com_puarcade (flash games component) doesn't work anymore.
In the past I tested com_puarcade on a server with Register Globals = OFF, and got a lot of errors.
This component needs Register Globals = On, or maybe you can hack the code. (Or inform the author, maybe he/she will improve the code).
Kind Regards,
Peter Martin, Global Moderator
https://db8.nl - Joomla specialist, Nijmegen, Nederland
Co-developer of d2 Content https://data2site.com/joomla-extensions/d2-content

 
sanni
Joomla! Apprentice
Posts: 45
Joined: Fri Aug 26, 2005 9:56 pm

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!

Post by sanni » Mon Aug 21, 2006 7:07 pm

I am having the same problem with akoform and akocomment. 

I am also having a problem with joomlaboard even with this fix.  I can't go past the first page. 

Beat
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!

Post by Beat » Mon Aug 21, 2006 7:27 pm

sanni wrote: I am having the same problem with akoform and akocomment. 

I am also having a problem with joomlaboard even with this fix.  I can't go past the first page. 
- Confirming akocomment problem. Might take a look in a few...

- Joomlaboard: past which first page of what? Pages of a thread work fine.
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

Tonie
Joomla! Master
Posts: 16584
Joined: Thu Aug 18, 2005 7:13 am

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Post by Tonie » Mon Aug 21, 2006 7:29 pm

Might be handy to have a list of components that work/don't work with this setting.

sanni
Joomla! Apprentice
Posts: 45
Joined: Fri Aug 26, 2005 9:56 pm

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!

Post by sanni » Mon Aug 21, 2006 7:35 pm

Beat wrote:
- Joomlaboard: past which first page of what? Pages of a thread work fine.
I can't get past the first page of the forum.  At the top where it says 1 2 3 4 5 .  It simply stays on 1.  Everything else works fine though that i've checked. 

This was also a problem without the fix with register global off. 

tyler
Joomla! Intern
Posts: 71
Joined: Thu Jan 26, 2006 11:36 pm
Location: Los Angeles, California, United States

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Post by tyler » Mon Aug 21, 2006 8:43 pm

Tonie wrote: Might be handy to have a list of components that work/don't work with this setting.
And we'll just have Beat be the "go to" fixer upper guy, LOL

Seriously though, we love your work Beat :)

You're the best man, and one of the very few knowledgeable enough to crank out these great hot fixes so quickly!
Last edited by tyler on Mon Aug 21, 2006 8:51 pm, edited 1 time in total.
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com

arnold
Joomla! Apprentice
Posts: 5
Joined: Mon Aug 21, 2006 4:56 pm

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Post by arnold » Mon Aug 21, 2006 9:56 pm

pe7er wrote:
arnold wrote:[..] my com_puarcade (flash games component) doesn't work anymore.
In the past I tested com_puarcade on a server with Register Globals = OFF, and got a lot of errors.
This component needs Register Globals = On, or maybe you can hack the code. (Or inform the author, maybe he/she will improve the code).
I can't hack the code :( My PHP is not that good ... I have mailed the author and I hope he contacts me.

Regards Arnold

howdwegethere
Joomla! Intern
Posts: 66
Joined: Tue Aug 23, 2005 7:34 am
Location: Brisbane, Australia

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Post by howdwegethere » Tue Aug 22, 2006 7:37 am

Beat's fix worked for my Joomlaboard but the discussbot is dead. It doesn't pick up the subject field and doesn't present an input field either. No subject = no post.

tyler
Joomla! Intern
Posts: 71
Joined: Thu Jan 26, 2006 11:36 pm
Location: Los Angeles, California, United States

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!

Post by tyler » Tue Aug 22, 2006 7:58 am

discussbot works fine for me w/RG emulation off (using Beat's fix).
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com

MarHaj
Joomla! Ace
Posts: 1168
Joined: Fri Jun 30, 2006 5:24 pm
Location: CZ

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Post by MarHaj » Tue Aug 22, 2006 3:16 pm

Component MyLinks http://extensions.joomla.org/component/ ... Itemid,35/ works with register globals off and doesn't work with RG_Emulation set to 0.

I'm posting a message to the developer too.
MarHaj

infograf768
Joomla! Master
Posts: 18969
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Post by infograf768 » Tue Aug 22, 2006 3:58 pm

MarHaj wrote: Component MyLinks http://extensions.joomla.org/component/ ... Itemid,35/ works with register globals off and doesn't work with RG_Emulation set to 0.

I'm posting a message to the developer too.
That means it needs globals ON, right?
Jean-Marie Simonet / infograf · http://www.info-graf.fr
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

MarHaj
Joomla! Ace
Posts: 1168
Joined: Fri Jun 30, 2006 5:24 pm
Location: CZ

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Post by MarHaj » Tue Aug 22, 2006 6:13 pm

Not exactly.
MyLinks component:
register globals off AND RG_Emulation 1 = O.K.
register globals off AND RG_Emulation 0 = Not O.K.
MarHaj

Hackwar
Joomla! Virtuoso
Posts: 3788
Joined: Fri Sep 16, 2005 8:41 pm
Location: NRW - Germany

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Post by Hackwar » Tue Aug 22, 2006 11:24 pm

That exactly means that it needs globals = on to work. RG_Emulation = 1 is more or less equal to register_globals = On.
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.

Beat
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!

Post by Beat » Wed Aug 23, 2006 1:42 am

sanni wrote:
Beat wrote:
- Joomlaboard: past which first page of what? Pages of a thread work fine.
I can't get past the first page of the forum.  At the top where it says 1 2 3 4 5 .  It simply stays on 1.  Everything else works fine though that i've checked.   

This was also a problem without the fix with register global off. 
Ok thanks, fixed in my post above and on http://www.joomlapolis.com/ :
http://forum.joomla.org/index.php/topic ... #msg441456

as follows:
EDIT: added above for threads page browsing and correct latest posts timeframe selection:

Code:

if (isset($_GET["page"])) $page = mosGetParam( $_GET, 'page', '' );	//BBTEMPFIX
if (isset($_GET["sel"])) $sel = mosGetParam( $_GET, 'sel', '' );	//BBTEMPFIX

Hope I will get to the other stuff soon.
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

sanni
Joomla! Apprentice
Posts: 45
Joined: Fri Aug 26, 2005 9:56 pm

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!

Post by sanni » Wed Aug 23, 2006 2:21 am

EDIT: added above for threads page browsing and correct latest posts timeframe selection:

Code:

if (isset($_GET["page"])) $page = mosGetParam( $_GET, 'page', '' );	//BBTEMPFIX
if (isset($_GET["sel"])) $sel = mosGetParam( $_GET, 'sel', '' );	//BBTEMPFIX

Thanks Beat, it works beautifully

RasCas
Joomla! Apprentice
Posts: 10
Joined: Fri Jun 02, 2006 9:59 am

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!

Post by RasCas » Wed Aug 23, 2006 8:32 am

One wish: it would be very helpful if there were a list in the first post,
listing components which need global emulation on and a link to the fix, like the 3rd party list.

Would do it myself, but I am not the thread starter, so please...  :-*

infograf768
Joomla! Master
Posts: 18969
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Post by infograf768 » Wed Aug 23, 2006 8:37 am

:) I guess you are welcome to start a new thread with that list.  ;)
Jean-Marie Simonet / infograf · http://www.info-graf.fr
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

Hackwar
Joomla! Virtuoso
Posts: 3788
Joined: Fri Sep 16, 2005 8:41 pm
Location: NRW - Germany

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Post by Hackwar » Wed Aug 23, 2006 10:07 am

BTW: In the backend, the switching with users does not work correctly. If you look in admin.joomlaboard.php, you see an area where the variable cid is retrieved with mosGetParam. This has to be repeated for the variable uid to work.
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.

Websmurf
Joomla! Hero
Posts: 2230
Joined: Fri Aug 19, 2005 2:23 pm
Location: The Netherlands

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!

Post by Websmurf » Wed Aug 23, 2006 12:05 pm

I started a list in the first post. Please let me know if there are any additions.
Adam van Dongen - Developer

- Blocklist, ODT Indexer, EasyFAQ, Easy Guestbook, Easy Gallery, YaNC & Redirect -
http://www.joomla-addons.org - http://www.bandhosting.nl

Hackwar
Joomla! Virtuoso
Posts: 3788
Joined: Fri Sep 16, 2005 8:41 pm
Location: NRW - Germany

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Post by Hackwar » Wed Aug 23, 2006 1:17 pm

Ok, to elaborate on my previous post:
Replace this in /administrator/components/com_joomlaboard/admin.joomlaboard.php from line 166:

Code:

$cid = mosGetParam( $_POST, 'cid', array(0) );
if (!is_array( $cid )) {
   $cid = array(0);
}

with this:

Code:

$cid = mosGetParam( $_POST, 'cid', array(0) );
if (!is_array( $cid )) {
   $cid = array(0);
}
$uid = mosGetParam( $_REQUEST, 'uid', array(0) );
if (!is_array( $uid )) {
   $uid = array(0);
}

I have to admit that I'm not 100% sure if uid is supposed to be an array, but after changing this, the view of the user details in the backend worked again.
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.

althoffm
Joomla! Apprentice
Posts: 44
Joined: Thu Mar 30, 2006 10:55 am

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!

Post by althoffm » Thu Aug 24, 2006 10:57 am

Websmurf wrote: I started a list in the first post. Please let me know if there are any additions.
Ako Forms is missing from the list

tomww
Joomla! Apprentice
Posts: 18
Joined: Tue Apr 04, 2006 8:53 am

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Post by tomww » Thu Aug 24, 2006 12:49 pm

I think, you mean Artforms. It does not work with global off. :-(

sanni
Joomla! Apprentice
Posts: 45
Joined: Fri Aug 26, 2005 9:56 pm

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Post by sanni » Thu Aug 24, 2006 12:53 pm

tomww wrote:
I think, you mean Artforms. It does not work with global off. :-(
Neither does akoforms

Beat
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Post by Beat » Thu Aug 24, 2006 12:55 pm

tomww wrote:
I think, you mean Artforms. It does not work with global off. :-(
Does ArtForms work or not with RG_EMULATION OFF ?

I will look at ArtForms, as soon as done with Joomla and CB, and will take the project further.
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

tomww
Joomla! Apprentice
Posts: 18
Joined: Tue Apr 04, 2006 8:53 am

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Post by tomww » Thu Aug 24, 2006 1:05 pm

Beat wrote:
Does ArtForms work or not with RG_EMULATION OFF ?

I will look at ArtForms, as soon as done with Joomla and CB, and will take the project further.
On my test system with reg_emulation off, it does not work. No forms are displayed.

Tonie
Joomla! Master
Posts: 16584
Joined: Thu Aug 18, 2005 7:13 am

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Post by Tonie » Thu Aug 24, 2006 1:07 pm

Is Artforms still being developed? I thought I heard/read somewhere that development has stopped.

Beat
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Post by Beat » Thu Aug 24, 2006 1:23 pm

Tonie wrote: Is Artforms still being developed? I thought I heard/read somewhere that development has stopped.

Development was stopped by its author. But in agreement with the author, we decided that I will take development of this nice simple component and of a few others further. I already created a project on the forge. Just need the time to get to it. Right now Joomla and CB manage to eat my free time. But the RG_EMULATION OFF compatibility fix will trigger a first new release on the forge ;)
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

althoffm
Joomla! Apprentice
Posts: 44
Joined: Thu Mar 30, 2006 10:55 am

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Post by althoffm » Thu Aug 24, 2006 1:59 pm

tomww wrote: I think, you mean Artforms. It does not work with global off. :-(
No, I mean AkoForms http://www.konze.de/products/akoforms.html
I have sent Arthur a note last week but there is no reply back yet.

dhuelsmann
Joomla! Master
Posts: 19659
Joined: Sun Oct 02, 2005 12:50 am
Location: Omaha, NE

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!

Post by dhuelsmann » Thu Aug 24, 2006 2:37 pm

Looks like the cron capability of feedgator quits working with register global emulation off.

Dave
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org

Beat
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Post by Beat » Thu Aug 24, 2006 6:46 pm

MarHaj wrote: I do confirm there is a problem with AkoComment. :'(
I am running the tweaked version of it and cannot post comments with RG emulation on. Tested several times.
OK. Here is a temporary fix for akoComment version "(2.0) 1.1.3", as it is now working fine with postings on http://www.joomlapolis.com/ :

Edit components/com_akocomment.php and replace:

Code:

# Don't allow direct linking
  defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

by:

Code:

# Don't allow direct linking
  defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

  //BBTEMPFIX:
  $acitemid = (int) mosGetParam( $_POST, "acitemid" );
  $contentid = (int) mosGetParam( $_POST, "contentid" );
  $title = mosGetParam( $_POST, "title" );
  $comment = mosGetParam( $_POST, "comment" );
  $acname = mosGetParam( $_POST, "acname" );
  # Added following one extra line to make the security images solution by DPaulus to work - Reind Dooyeweerd
  $akocode = mosGetParam( $_POST, "akocode" );
  //end of BBTEMPFIX

UPDATE: added security images in fix above as confirmed to work ok.

For Backend lists to work:

Edit file administrator/components/admin.akocomment.php as follows:

Add just BEFORE the line 14 starting with "switch..." :

Code:

//BBTEMPFIX
$task = mosGetParam( $_REQUEST, 'task', null );
$cid = mosGetParam( $_REQUEST, 'cid', array( 0 ) );
$uid = mosGetParam( $_REQUEST, 'uid', array( 0 ) );
if (!is_array( $cid )) {
	$ocid=$cid;
	$cid = array ();
	$cid[]=$ocid;
	mosArrayToInts($cid);
}
//END OF BBTEMPFIX

EDIT: Added backend fix.
EDIT: Added filenames to edit and clarified instructions.
EDIT: Added  $akocode = mosGetParam( $_POST, "akocode" ); to make Security Images work, as suggested and confirmed here: http://forum.joomla.org/index.php/topic ... #msg461862
Last edited by Beat on Fri Sep 01, 2006 10:38 pm, edited 1 time in total.
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team
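
Added example, not part of any post in this thread and not Joomla! or component code: the fixes above all replace variables that emulation used to create implicitly with values fetched by name, and this sketch shows why a legacy component stays on page 1 with emulation off while the explicit version works either way. `get_param()` and `get_id_list()` are hypothetical stand-ins for `mosGetParam()` and the cid handling, `extract()` stands in for register-globals emulation, and the request array is constructed.

```php
<?php
// Added illustration; not code from Joomla!, Joomlaboard or akoComment.
// get_param() is a hypothetical stand-in for mosGetParam(); extract() stands in
// for what register-globals emulation does before a component runs.

function get_param(array $source, string $name, $default = null) {
    return array_key_exists($name, $source) ? $source[$name] : $default;
}

// Hypothetical helper: fetch an id list such as cid/uid as an array of ints.
function get_id_list(array $source, string $name): array {
    $ids = get_param($source, $name, [0]);
    if (!is_array($ids)) {
        $ids = [$ids];
    }
    return array_map('intval', $ids);
}

// Legacy style: uses $page and $sel without ever reading them from the request.
function legacy_component(array $request, bool $emulation): array {
    if ($emulation) {
        extract($request); // every request key becomes a variable
    }
    $defined = array_keys(get_defined_vars());
    return [
        'page' => isset($page) ? (int) $page : 1,
        'sel'  => isset($sel) ? (int) $sel : 0,
        // Variables that exist only because the request named them.
        'extra_vars' => array_values(
            array_diff($defined, ['request', 'emulation', 'page', 'sel'])
        ),
    ];
}

// Fixed style: each input is fetched by name and cast, emulation on or off.
function fixed_component(array $request): array {
    return [
        'page' => (int) get_param($request, 'page', 1),
        'sel'  => (int) get_param($request, 'sel', 0),
        'cid'  => get_id_list($request, 'cid'),
        'extra_vars' => [],
    ];
}

// Constructed sample request, not taken from the thread.
$request = ['page' => '3', 'sel' => '24', 'cid' => '7', 'unexpected' => 'x'];

foreach ([
    'legacy, emulation on'  => legacy_component($request, true),
    'legacy, emulation off' => legacy_component($request, false),
    'fixed, emulation off'  => fixed_component($request),
] as $label => $result) {
    echo $label, ': ', json_encode($result), "\n";
}
```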
