
Components not working with Register Globals Emulation off

Posted: Wed Aug 16, 2006 10:00 pm
by Websmurf
After being hacked through facileforms today, with register globals off, I've done a bit of research.

If you have register globals off, make sure your globals.php file is configured like this:

Code:

define( 'RG_EMULATION', 0 );

instead of the default:

Code:

define( 'RG_EMULATION', 1 );

Else, Joomla will emulate register globals on, and the effect of register globals off will be gone.


List of incompatible components:


Component | Version | Fix
Akobook | <= V3.42 | http://forum.joomla.org/index.php/topic ... #msg459463
Akocomment | <= (2.0) 1.1.3 | http://forum.joomla.org/index.php/topic ... #msg450093
Ako Forms | <= 1.x |
AkoLegal | <= 2.0 | Download fix: http://der-den.de/im_www/artikel/sport, ... 0_fix.html
Alberghi | <= 2.0 | Update to 2.1
Artforms | |
Bibliography | <= 1.3 |
com_puarcade | |
Community Builder | <= 1.0.1 | Update to 1.0.2, this is compatible with registers global emulation off
Contacts XTD | |
DatsoGallery | <= 1.3.6. |
Doclink mambot | |
Events component (frontend editing) | <= 1.2 |
eWeather | <= |
eWriting | <= 1.2.1 |
Feedgator (cron script) | <= 0.x | Update downloadable from: http://www.churchministriesonline.com/D ... w/gid,428/
Gary's Cookbook | <= 1.1 |
Guestbook with Bayes Filter | <= 01.x | Update to version 02.050906
HexIp | <= 2.0.a |
Joomlaboard | <= 1.1.2 | Update to 1.1.3
joscomment | <= 2.34 final |
JUICE | <= 1.0 |
LinX | <= 0.1 | http://www.costatropicalinternet.com/li ... c.php?t=53
Mambatstaff | <= 3.1b |
Marketplace | <= 1.2 | Update to 1.3
MGM Joomla! Gallery Manager | <= v0.96p1 |
mod_whosonlinext | <= 1.0.1BETA |
mosIPN (update functionality) | |
mosLookUp | <= 050 |
mospjirc | <= 2.1.2 |
MyLinks | <= 1.3 |
myPMS enhanced | <= |
Letterman Newsletter | <= 1.2.1 |
peoplebook | <= 1.1.6. |
perForms | <= 1.1.1. |
Pony Gallery | <= 1.5.0. |
puarcade | <= 1.4. | Update to 1.5
recommended | <= 2.3. | Update to 2.4
Ricettario | <= 1.0. | Update to 1.02
RSGallery2 | <= 1.11.6. | Update to 1.11.7
SimpleFAQ | | http://forum.joomla.org/index.php/topic ... #msg460208
speedtest (backend) | <= 020 |
swMenuFree | <= 4.0 |
xfaq | <= 1.2 |
z00m Media Gallery | <= 2.5.1 RC2 | Update to zOOm Media Gallery 2.5.1 Release Candidate 2 Weekly Build 2b



Notice: this is a non-complete and changing list. If you find a component that doesn't work, please send me a private message (include component name and used version).

If you have any component that does not work because of this, report them to me by PM or email.
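
For anyone checking several sites at once, the following is an added example (not part of the original post and not Joomla code) that reads each site's globals.php and reports the RG_EMULATION value. The function names and the two sample files are constructed for illustration; it assumes globals.php sits in the site root, as described above.

```php
<?php
// Added example: audit globals.php under several site roots for RG_EMULATION.

/** Value of the first live define('RG_EMULATION', N) in $source, or null if absent. */
function rg_emulation_setting(string $source): ?int
{
    $code = '';
    foreach (token_get_all($source) as $token) {
        if (is_array($token)) {
            // Skip comments so a commented-out define() is not counted.
            if ($token[0] === T_COMMENT || $token[0] === T_DOC_COMMENT) {
                continue;
            }
            $code .= $token[1];
        } else {
            $code .= $token;
        }
    }
    $pattern = '/\b(?i:define)\s*\(\s*([\'"])RG_EMULATION\1\s*,\s*(\d+)\s*\)/';
    // PHP keeps the first definition of a constant, so the first match is the live one.
    return preg_match($pattern, $code, $m) ? (int) $m[2] : null;
}

/** Map each site root to a status string describing its RG_EMULATION setting. */
function audit_sites(array $siteRoots): array
{
    $report = [];
    foreach ($siteRoots as $root) {
        $file = rtrim($root, '/') . '/globals.php';
        if (!is_readable($file)) {
            $report[$root] = 'globals.php not readable';
            continue;
        }
        $value = rg_emulation_setting(file_get_contents($file));
        if ($value === null) {
            $report[$root] = 'no RG_EMULATION define found';
        } else {
            $report[$root] = $value === 0 ? 'emulation off' : 'emulation ON';
        }
    }
    return $report;
}

// Constructed sample sites in a temporary directory (not real installations).
$base = sys_get_temp_dir() . '/rg_audit_' . getmypid();
$samples = [
    'site_a' => "<?php\n/* define( 'RG_EMULATION', 0 ); */\ndefine( 'RG_EMULATION', 1 );\n",
    'site_b' => "<?php\ndefine( 'RG_EMULATION', 0 );\n",
];
$roots = [];
foreach ($samples as $name => $source) {
    mkdir("$base/$name", 0700, true);
    file_put_contents("$base/$name/globals.php", $source);
    $roots[] = "$base/$name";
}
foreach (audit_sites($roots) as $root => $status) {
    echo basename($root), ': ', $status, PHP_EOL;
}
```

Replace the constructed `$roots` list with the real document roots to run the same check against live installations.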

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Posted: Thu Aug 17, 2006 5:22 am
by infograf768
Which version of Facileforms were you cracked through?
146 was the latest security release end of June and Facileforms is not listed in our Vulnerable components' list.

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!

Posted: Thu Aug 17, 2006 6:50 am
by Websmurf
Yeah, it was an old version. But the hack would never have worked if Joomla wasn't emulating register globals (for they are off by default on my server)

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Posted: Thu Aug 17, 2006 8:05 am
by Robin
Adam,

Thanks for the heads up, I have put this under the attention of the devs. Also with regards to your topic where Beat actually suggests to move this emulation setting elsewhere.

Regards Robin

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Posted: Thu Aug 17, 2006 9:36 am
by tijs
Thanks for confirming this, I've just gone through 15 of my websites and set it to off.

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Posted: Thu Aug 17, 2006 1:08 pm
by pe7er
Thanks Adam!
RobInk wrote: [..] Also with regards to your topic where Beat actually suggests to move this emulation setting elsewhere.
Move that setting to configuration.php? I realized that I should have read Adam's message better: I was looking in configuration.php, while he clearly wrote globals.php, which is btw another file located in the root of the site.

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!

Posted: Thu Aug 17, 2006 2:23 pm
by mauri
Is there 3rd Party components/mambots, using Joomla emulating register globals?
If there is, so those components don't work anymore with define( 'RG_EMULATION', 0 ); ???

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Posted: Thu Aug 17, 2006 2:29 pm
by pe7er
mauri wrote:Is there 3rd Party components/mambots, using Joomla emulating register globals.
That's possible indeed, but I do not know any example.
I would use define( 'RG_EMULATION', 0 ); and then test all extensions on the site to see if they are working correctly.

Personally I do not want any 3rd party extension that needs "Register Globals = ON" in any of my Joomla sites...

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Posted: Thu Aug 17, 2006 7:01 pm
by MarHaj
I am afraid that Joomlaboard belongs to those components that do not work with RG_EMULATION set to 0. At the least on my site... :'(

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Posted: Thu Aug 17, 2006 7:13 pm
by jazmac
I'll second Joomlaboard (1.1.2) having problems w/RG emulation. I lost the ability to post messages. (Thanks for the heads up MarHaj. I hadn't gotten that far in testing.)

I also have a slight problem with Community Builder (1.0.1). The navigation on the user list (next, 1, 2, 3, etc) will only return the 1st page, even though the link's correct. I posted that issue over at Joomlapolis. All other CB functionality that I'm using seems to work fine.

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Posted: Thu Aug 17, 2006 9:48 pm
by Beat
jazmac wrote: I'll second Joomlaboard (1.1.2) having problems w/RG emulation. I lost the ability to post messages. (Thanks for the heads up MarHaj. I hadn't gotten that far in testing.)

I also have a slight problem with Community Builder (1.0.1). The navigation on the user list (next, 1, 2, 3, etc) will only return the 1st page, even though the link's correct. I posted that issue over at Joomlapolis. All other CB functionality that I'm using seems to work fine.
Confirming CB 1.0.1 (and previous versions) problem with that front-end users-lists pager function. Problem found and fix-proposal ready for your tests (emailed and PMed you on Joomlapolis).

Looking now into the JoomlaBoard problem.

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Posted: Fri Aug 18, 2006 12:36 am
by crash777
...so since nothing but my first page in the community builder list is working is it safe to assume that CB uses RG emulation? If not, why would the user list break?

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Posted: Fri Aug 18, 2006 12:58 am
by Beat
Ok, regarding JoomlaBoard 1.1.2, I didn't do a full analysis, but this quick fix helps quite far:

In the beginning of components/com_joomlaboard/joomlaboard.php replace:

Code:

$catid  = mosGetParam ( $_GET, 'catid' , '' );
$Itemid = mosGetParam ( $_GET, 'Itemid', '' );
$func   = mosGetParam ( $_GET, 'func'  , '' );
//If they're not put in with get requests, try post requests else default to value given
if ($catid  == '' ) $catid  = mosGetParam ( $_POST, 'catid' , '0'      );
if ($Itemid == '' ) $Itemid = mosGetParam ( $_POST, 'Itemid', '1'      );
if ($func   == '' ) $func   = mosGetParam ( $_POST, 'func'  , 'listcat');

by:

Code:

$catid  = mosGetParam ( $_GET, 'catid' , '' );
$Itemid = mosGetParam ( $_GET, 'Itemid', '' );
$func   = mosGetParam ( $_GET, 'func'  , '' );
if (isset($_GET["id"])) $id  = mosGetParam ( $_GET, 'id' , '' );				//BBTEMPFIX
if (isset($_GET["do"])) $do  = mosGetParam ( $_GET, 'do' , '' );				//BBTEMPFIX
if (isset($_GET["replyto"])) $replyto  = mosGetParam ( $_GET, 'replyto' , '' );	//BBTEMPFIX
if (isset($_GET["page"])) $page  = mosGetParam ( $_GET, 'page' , '' );	//BBTEMPFIX
if (isset($_GET["sel"])) $sel  = mosGetParam ( $_GET, 'sel' , '' );	//BBTEMPFIX
if (isset($_GET["userid"])) $userid  = mosGetParam ( $_GET, 'userid' , '' );	//BBTEMPFIX
if (isset($_GET["pid"])) $pid  = mosGetParam ( $_GET, 'pid' , '' );	//BBTEMPFIX
if (isset($_GET["view"])) $view  = mosGetParam ( $_GET, 'view' , '' );	//BBTEMPFIX
if (isset($_GET["resubject"])) $resubject  = mosGetParam ( $_GET, 'resubject' , '' );	//BBTEMPFIX
if (isset($_GET["rowid"])) $rowid  = mosGetParam ( $_GET, 'rowid' , '' );	//BBTEMPFIX
if (isset($_GET["rowItemid"])) $rowItemid  = mosGetParam ( $_GET, 'rowItemid' , '' );	//BBTEMPFIX
//If they're not put in with get requests, try post requests else default to value given
if ($catid  == '' ) $catid  = mosGetParam ( $_POST, 'catid' , '0'      );
if ($Itemid == '' ) $Itemid = mosGetParam ( $_POST, 'Itemid', '1'      );
if ($func   == '' ) $func   = mosGetParam ( $_POST, 'func'  , 'listcat');
if (!isset($id)      		&& isset($_POST["id"]))      		$id      		= mosGetParam ( $_POST, 'id'  , '');		 //BBTEMPFIX
if (!isset($do)      		&& isset($_POST["do"]))      		$do      		= mosGetParam ( $_POST, 'do'  , '');		 //BBTEMPFIX
if (!isset($replyto) 		&& isset($_POST["replyto"])) 		$replyto 		= mosGetParam ( $_POST, 'replyto'  , ''); //BBTEMPFIX
if (!isset($parentid) 		&& isset($_POST["parentid"])) 		$parentid 		= mosGetParam ( $_POST, 'parentid'  , ''); //BBTEMPFIX
if (!isset($action) 		&& isset($_POST["action"])) 		$action 		= mosGetParam ( $_POST, 'action'  , ''); //BBTEMPFIX
if (!isset($contentURL) 	&& isset($_POST["contentURL"])) 	$contentURL 	= mosGetParam ( $_POST, 'contentURL'  , ''); //BBTEMPFIX
if (!isset($sb_authorname) 	&& isset($_POST["sb_authorname"])) 	$sb_authorname 	= mosGetParam ( $_POST, 'sb_authorname'  , ''); //BBTEMPFIX
if (!isset($email) 			&& isset($_POST["email"])) 			$email 			= mosGetParam ( $_POST, 'email'  , ''); //BBTEMPFIX
if (!isset($subject) 		&& isset($_POST["subject"])) 		$subject 		= mosGetParam ( $_POST, 'subject'  , ''); //BBTEMPFIX
if (!isset($topic_emoticon) && isset($_POST["topic_emoticon"])) $topic_emoticon = mosGetParam ( $_POST, 'topic_emoticon'  , ''); //BBTEMPFIX
if (!isset($message) 		&& isset($_POST["message"])) 		$message 		= mosGetParam ( $_POST, 'message'  , ''); //BBTEMPFIX
if (!isset($subscribeMe)	&& isset($_POST["subscribeMe"])) 	$subscribeMe 	= mosGetParam ( $_POST, 'subscribeMe'  , ''); //BBTEMPFIX
if (!isset($attachimage)	&& isset($_FILES['attachimage']))	$attachimage	= mosGetParam ( $_FILES['attachimage'], 'name', ''); //BBTEMPFIX
if (!isset($attachfile)		&& isset($_FILES['attachfile']))	$attachfile		= mosGetParam ( $_FILES['attachfile'], 'name', ''); //BBTEMPFIX
if (!isset($sb_thread)		&& isset($_REQUEST["sb_thread"]))	$sb_thread	 	= mosGetParam ( $_REQUEST, 'sb_thread'  , '');  //BBTEMPFIX
if (!isset($thread)			&& isset($_REQUEST["thread"]))		$thread			= mosGetParam ( $_REQUEST, 'thread'  , '');  //BBTEMPFIX
if (!isset($markaction)		&& isset($_POST["markaction"])) 	$markaction 	= mosGetParam ( $_POST, 'markaction'  , '');  //BBTEMPFIX

using a simple text editor or a file-editor in your website control-panel or JoomlaXplorer extension.
This allows you to browse from forum to threads list and from threads list to thread, as well as to type and send a post reply, as well as edit a post.
I didn't test everything and didn't do a security review of JoomlaBoard itself, but could someone please test and post test-results quickly?

Bug Artifact created for JoomlaBoard here:
http://forge.joomla.org/sf/tracker/do/v ... s/artf5660

(CB quick fix following in next post)

EDIT: added above for threads page browsing and correct latest posts timeframe selection:
if (isset($_GET["page"])) $page  = mosGetParam ( $_GET, 'page' , '' ); //BBTEMPFIX
if (isset($_GET["sel"])) $sel  = mosGetParam ( $_GET, 'sel' , '' ); //BBTEMPFIX

EDIT added above:
if (!isset($sb_thread) && isset($_REQUEST["sb_thread"])) $sb_thread = mosGetParam ( $_REQUEST, 'sb_thread'  , '');  //BBTEMPFIX
if (!isset($thread) && isset($_REQUEST["thread"])) $thread = mosGetParam ( $_REQUEST, 'thread'  , '');  //BBTEMPFIX

EDIT: added then CHANGED above:
if (!isset($subscribeMe) && isset($_POST["subscribeMe"])) $subscribeMe = mosGetParam ( $_POST, 'subscribeMe'  , ''); //BBTEMPFIX
if (!isset($attachimage) && isset($_FILES['attachimage'])) $attachimage = mosGetParam ( $_FILES['attachimage'], 'name', ''); //BBTEMPFIX
if (!isset($attachfile) && isset($_FILES['attachfile'])) $attachfile = mosGetParam ( $_FILES['attachfile'], 'name', ''); //BBTEMPFIX

EDIT: added above:
if (isset($_GET["userid"])) $userid  = mosGetParam ( $_GET, 'userid' , '' ); //BBTEMPFIX
if (isset($_GET["pid"])) $pid  = mosGetParam ( $_GET, 'pid' , '' ); //BBTEMPFIX
if (!isset($markaction) && isset($_POST["markaction"])) $markaction = mosGetParam ( $_POST, 'markaction'  , '');  //BBTEMPFIX

EDIT: added above:
if (isset($_GET["view"])) $view  = mosGetParam ( $_GET, 'view' , '' ); //BBTEMPFIX

EDIT: added above:
if (isset($_GET["resubject"])) $resubject  = mosGetParam ( $_GET, 'resubject' , '' ); //BBTEMPFIX
if (isset($_GET["rowid"])) $rowid  = mosGetParam ( $_GET, 'rowid' , '' ); //BBTEMPFIX
if (isset($_GET["rowItemid"])) $rowItemid  = mosGetParam ( $_GET, 'rowItemid' , '' ); //BBTEMPFIX
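
The difference between emulated register globals and the explicit per-parameter import used in the quick fix above, as an added example that is not part of the original post and is not Joomla or JoomlaBoard code. All function names, the parameter table and the request data are hypothetical, and the import helper is a stand-in that does not reproduce mosGetParam's filtering.

```php
<?php
// Added example. All names are hypothetical; this is not Joomla or JoomlaBoard code.

/** Stand-in for register-globals emulation: every request key becomes a variable. */
function emulate_register_globals(array $request): array
{
    $vars = [];
    foreach ($request as $name => $value) {
        $vars[$name] = $value; // no list of expected names, no type, no default
    }
    return $vars;
}

/**
 * Explicit import: only names listed in $spec are read.
 * Lookup order is GET, then POST, then the default from $spec.
 */
function import_params(array $spec, array $get, array $post): array
{
    $vars = [];
    foreach ($spec as $name => [$type, $default]) {
        $raw = $get[$name] ?? $post[$name] ?? $default;
        if (is_array($raw)) {
            $raw = $default; // array-valued input (name[]=...) is not accepted
        }
        $vars[$name] = $type === 'int' ? (int) $raw : trim((string) $raw);
    }
    return $vars;
}

// catid, Itemid and func carry the defaults from the quick fix above;
// the types and the remaining defaults are assumptions.
$spec = [
    'catid'   => ['int', 0],
    'Itemid'  => ['int', 1],
    'func'    => ['string', 'listcat'],
    'replyto' => ['int', 0],
    'message' => ['string', ''],
];

// Constructed request: expected keys plus one the component never asked for.
$get  = ['func' => 'post', 'catid' => '3', 'is_moderator' => '1'];
$post = ['replyto' => '42', 'message' => '  hello  '];

$emulated = emulate_register_globals(array_merge($get, $post));
$explicit = import_params($spec, $get, $post);

// With emulation the unrequested key exists as a variable; with the explicit
// import it does not, and every listed name has a typed value or its default.
var_dump(array_key_exists('is_moderator', $emulated));
var_dump(array_key_exists('is_moderator', $explicit));
var_dump($explicit);
```

A component that only reads names from such a table keeps working with RG_EMULATION set to 0, because it no longer depends on request keys appearing as variables on their own.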

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Posted: Fri Aug 18, 2006 1:10 am
by jazmac
That did it. Joomlaboard fix works great. Much appreciated!

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Posted: Fri Aug 18, 2006 1:24 am
by m42
Works over here too.

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!

Posted: Fri Aug 18, 2006 2:25 am
by Beat
Community Builder 1.0.2 is fully compatible with RG_EMUL off. Please update all previous Community Builder installations to 1.0.2, as it hardens also security.

OBSOLETE NOT ADVISED FIX:
Quick fix for CB 1.0.1 (we will integrate nicer, already tested, fix in next release):

In the beginning of components/com_comprofiler/comprofiler.php add:

Code:

$limitstart  = (int) mosGetParam ( $_REQUEST, 'limitstart' , null );   //BBTEMPFIX
$search  = mosGetParam ( $_REQUEST, 'search' , null );   //BBTEMPFIX

just after:

Code:

defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

Edit: changed $_GET to $_REQUEST : the users search is a POST not a GET...
Edit: CB 1.0.2 added, obsoleted temporary fix.

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Posted: Fri Aug 18, 2006 3:13 am
by jazmac
Beat's my new hero!  :-* Worked like a charm.

crash777, I can't answer your question, but try this. Worked great for me.

Off to (hopefully) lock down my sites. Thanks all!

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!

Posted: Fri Aug 18, 2006 10:20 am
by althoffm
mauri wrote: Is there 3rd Party components/mambots, using Joomla emulating register globals.
If there is , so those component dont´t work anymore with define( 'RG_EMULATION', 0 ); ???
As it seems Akoforms needs the define( 'RG_EMULATION', 1 );

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!

Posted: Fri Aug 18, 2006 5:53 pm
by luckyluca
Marketplace stopped working too after I made the changes.. anyone know a way to fix this??

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Posted: Fri Aug 18, 2006 7:26 pm
by tomyam
Beats - Joomlaboard fix works almost for me.
Unfortunately I have a problem now when trying to make a "reply" or "quote" a post, it does not want to create a reply/quote but instead it creates a new topic.
Edit post works..

Anyone else with same problem?

Running -
Joomla 1.0.10
VirtueMart 1.0.6
CB 1.0.1
Joomlaboard 1.1.2 + Beats temp fix

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!

Posted: Sat Aug 19, 2006 12:10 am
by dsendecki
luckyluca wrote: Marketplace stopped working too after i made the changes.. anyone know a way to fix this??
I'm in the same boat? Any suggestions anybody?

Dan

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Posted: Sat Aug 19, 2006 9:40 am
by mephistophele
Akobook doesn't work with RG_EMULATION at 0.... only to me?  :(

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Posted: Sat Aug 19, 2006 3:47 pm
by Beat
tomyam wrote: Beats - Joomlaboard fix works almost for me.
Unfortunately I have a problem now when trying to make a "reply" or "quote" a post, it does not want to create a reply/quote but instead it creates a new topic.
Edit post works..

Anyone else with same problem?

Running -
Joomla 1.0.10
VirtueMart 1.0.6
CB 1.0.1
Joomlaboard 1.1.2 + Beats temp fix
I'm running now http://www.joomlapolis.com/ with emulated register globals off and reply and quote work ok there (with my JB patch above).

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Posted: Sat Aug 19, 2006 7:39 pm
by MarHaj
tomyam wrote: Beats - Joomlaboard fix works almost for me.
Unfortunately I have a problem now when trying to make a "reply" or "quote" a post, it does not want to create a reply/quote but instead it creates a new topic.
Edit post works..

Anyone else with same problem?

Running -
Joomla 1.0.10
VirtueMart 1.0.6
CB 1.0.1
Joomlaboard 1.1.2 + Beats temp fix
I'm running Joomla 1.0.10, Joomlaboard 1.1.2. Beats fix works well for me, i.e. no problem with quotes or replies...

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!

Posted: Sat Aug 19, 2006 9:04 pm
by luckyluca
Thank you!! the Joomlaboard fix worked for me... Now I am desperately looking for a similar fix for my Marketplace component.

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Posted: Sun Aug 20, 2006 7:19 am
by tomyam
It is and was off in the global.ini setting,

Code:

 * Use 0 to emulate register_globals = off
 */
define( 'RG_EMULATION', 0 );

My site is - TDA - Thailand Darts Association www.tdadarts.com

Other suggestions most welcome.

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Posted: Mon Aug 21, 2006 3:38 am
by tyler
Beat wrote: I'm running now http://www.joomlapolis.com/ with emulated register globals off and reply and quote work ok there (with my JB patch above).
Beat, you might wanna personally test out the akocomments on Joomlapolis after setting RG to off.  It doesn't work for me (yates) on your site.

I've also noticed on my own test server that akocomment doesn't work w/Joomla RG emulation off.  It causes an access error, similar to what I got on your site through akocomment.  This happens after a user tries to post a comment.

Anyway, I implemented your two RG hotfixes for Joomlaboard and CB 1.0.1 and they worked like a charm w/Joomla's RG emulation off.  (JB quotes, replies, CB userlist pagination... all of it)

Thanks for those fast fixes, and if you're able to figure a hotfix for akocomment, I think both of our sites will be locked down w/o loss of previous functionality :)

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Posted: Mon Aug 21, 2006 1:23 pm
by MarHaj
I do confirm there is a problem with AkoComment. :'(
I am running the tweaked version of it and cannot post comments with RG emulation on. Tested several times.

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!

Posted: Mon Aug 21, 2006 1:48 pm
by mephistophele
yes... even if it seems ok... after i post something, there is nothing written... with akobook...  :-\

Re: !!! Don't forget to turn off register global emulation of Joomla as well !!!!

Posted: Mon Aug 21, 2006 5:07 pm
by arnold
.