Marco's SQL Injection - LFI Interceptor plugin Topic is solved


Post by John666 » Sat Apr 13, 2019 3:07 pm

I have used this plugin very successfully on 4 Joomla sites for some years, and have been very satisfied with it. However, I recently had an unusual problem that I cannot understand.

All my Joomla 3.9.5 sites run under PHP 7.2.17 and use the latest version 1.6 of Marco's plugin. Three of the sites are on one server, and one is on a different server. The one on the different server is the site that has experienced the following problem.

After several years of perfect operation, and for no reason apparent to me, I was suddenly blocked from the site - no admin panel access, no cpanel access and no access to the front end. The error message given on the front end can be seen in the attached image. I eventually accessed the site using login details from another superadmin and disabled the Marco's plugin. Everything then returned to normal.

Any thoughts on what might be happening would be appreciated.


Post by Per Yngve Berg » Sat Apr 13, 2019 3:58 pm

The plugin is not compatible with the version of php.


Post by John666 » Sat Apr 13, 2019 4:26 pm

Thanks for the reply - valuable information. Please could you tell me where you found that information.

So am I just "getting away with it" on the other 3 sites on another server?


Post by Slackervaara » Sat Apr 13, 2019 4:52 pm

Take a look at this post. Can be easy to change the code right:
viewtopic.php?t=956778


Post by Webdongle » Sat Apr 13, 2019 5:34 pm

Use Marco's sql plugin 1.6 on a site php 7.2.17 no problem
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein


Post by John666 » Sat Apr 13, 2019 6:10 pm

Thanks to all. Yes, I am using v 1.6 on three sites without any problem. But on a fourth site on a different server there are serious issues.

The code is indeed easy to alter once you have the information. The change is:

Change the constructor:
open plugins/system/marcosinterceptor/marcosinterceptor.php
and change line 15 from
function plgSystemMarcosinterceptor( &$subject, $config ){
to
function __construct( &$subject, $config ){

(Thanks to the author of this change for making this code available.)

Great, all fixed!
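
An added example, not part of the original post or the plugin's own code: a heuristic Python check that finds classes still relying on a PHP 4-style constructor, the pattern fixed by the one-line change above. The sample class is constructed, with its name following the constructor line quoted in the post; `find_php4_constructors` and `scan_tree` are hypothetical helper names.

```python
import os
import re

CLASS_RE = re.compile(r'^\s*(?:abstract\s+|final\s+)?class\s+(\w+)', re.I | re.M)
FUNC_RE = re.compile(r'\bfunction\s+&?\s*(\w+)\s*\(', re.I)
NAMESPACE_RE = re.compile(r'^\s*namespace\s+[\w\\]+\s*[;{]', re.I | re.M)

# Constructed sample: a minimal plugin class, before and after the posted change.
SAMPLE_BEFORE = """<?php
class plgSystemMarcosinterceptor extends JPlugin {
    function plgSystemMarcosinterceptor( &$subject, $config ){
        parent::__construct( $subject, $config );
    }
    function onAfterInitialise() {}
}
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("function plgSystemMarcosinterceptor(",
                                     "function __construct(")


def find_php4_constructors(source):
    """Return [(class_name, line_no)] for classes whose only constructor is a
    method named after the class (heuristic: regex, not a PHP parser)."""
    if NAMESPACE_RE.search(source):
        return []  # same-name methods are never constructors in namespaced code
    findings = []
    classes = list(CLASS_RE.finditer(source))
    for i, m in enumerate(classes):
        name = m.group(1)
        # Treat everything up to the next class declaration as this class's body.
        end = classes[i + 1].start() if i + 1 < len(classes) else len(source)
        methods = {f.group(1).lower(): f.start()
                   for f in FUNC_RE.finditer(source, m.end(), end)}
        # PHP names are case-insensitive; __construct() takes precedence if present.
        if name.lower() in methods and '__construct' not in methods:
            findings.append((name, source.count('\n', 0, methods[name.lower()]) + 1))
    return findings


def scan_tree(root):
    """Run the check on every .php file under root; returns {path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in (f for f in files if f.lower().endswith('.php')):
            path = os.path.join(dirpath, fn)
            with open(path, encoding='utf-8', errors='replace') as fh:
                found = find_php4_constructors(fh.read())
            if found:
                report[path] = found
    return report
```

Running `scan_tree` over a site's `plugins`, `modules` and `components` directories before a PHP upgrade lists the files to review; because the check is regex-based, each hit should be confirmed by hand.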


Post by Webdongle » Sat Apr 13, 2019 6:45 pm

So the problem was in the plugin or the problem was the server and the plugin was altered to match the server?

Post by John666 » Sat Apr 13, 2019 6:59 pm

I'm not too sure but it seems to be the case that the server where the problem was experienced is less tolerant of warnings regarding imperfect code - which nevertheless works. If you look at the plugin on the Joomla extensions directory - at the bottom - there are a number of comments regarding this issue. It may also depend on the version of php used - I am using php 7.2.17 (on both servers).

Sorry I can't tell you more - I don't fully understand this myself. But I can tell you that the fix does work.


Post by sozzled » Sat Apr 13, 2019 7:02 pm

@Webdongle: here's a hint.

Whenever we read in an error message "Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; <extension> has a deprecated constructor in <filename> on line n" it's a tell-tale sign that the website is using PHP 7.x. It is also a sign that the <extension> was written for PHP 5.

While this error, itself, may not necessarily be fatal and the <extension> is unable to complete execution, the failure to complete running the <extension> may be a dependency for something else—something really important—(e.g. session management) to happen. It's that "other" thing that causes everything to go pear-shaped.

So, the problem starts with software designed in a particular way—in a way that was acceptable if the website used PHP 5—and when that software hits a brick wall when the website environment changes to use PHP 7. It's not a "server thing", per se. One can spend a few hours (as I have done) reading the PHP manual.
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)
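
An added example, not part of the original post: the notice quoted above can be counted in a PHP error log to show which extensions still depend on PHP 4-style constructors and how much log volume each one produces. The log lines, paths, line numbers and the class `plgContentExample` are constructed for illustration.

```python
import re
from collections import defaultdict

# The E_DEPRECATED notice PHP 7 emits for PHP 4-style constructors.
NOTICE_RE = re.compile(
    r'Deprecated:\s+Methods with the same name as their class will not be '
    r'constructors in a future version of PHP; (?P<cls>\w+) has a deprecated '
    r'constructor in (?P<file>.+?) on line (?P<line>\d+)')

# Constructed sample log: timestamps, paths, line numbers and
# plgContentExample are made up for illustration.
MSG = ("[{ts} UTC] PHP Deprecated:  Methods with the same name as their class "
       "will not be constructors in a future version of PHP; {cls} has a "
       "deprecated constructor in {path} on line {line}")
MARCO = "/home/example/public_html/plugins/system/marcosinterceptor/marcosinterceptor.php"
OTHER = "/home/example/public_html/plugins/content/example/example.php"
SAMPLE_LOG = [
    MSG.format(ts="13-Apr-2019 14:58:01", cls="plgSystemMarcosinterceptor", path=MARCO, line=13),
    MSG.format(ts="13-Apr-2019 14:58:01", cls="plgContentExample", path=OTHER, line=9),
    "[13-Apr-2019 14:58:02 UTC] PHP Warning:  Division by zero in /home/example/x.php on line 4",
    MSG.format(ts="13-Apr-2019 14:59:30", cls="plgSystemMarcosinterceptor", path=MARCO, line=13),
    MSG.format(ts="13-Apr-2019 15:02:11", cls="plgSystemMarcosinterceptor", path=MARCO, line=13),
]


def summarize(log_lines):
    """Return [(class, file, line, hits, bytes)] sorted by hits, so the
    extension that adds most to the log comes first."""
    stats = defaultdict(lambda: [0, 0])
    for entry in log_lines:
        m = NOTICE_RE.search(entry)
        if m:
            key = (m['cls'], m['file'], int(m['line']))
            stats[key][0] += 1
            stats[key][1] += len(entry.encode('utf-8')) + 1  # +1 for the newline
    rows = [key + tuple(v) for key, v in stats.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)
```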


Post by Webdongle » Sat Apr 13, 2019 7:37 pm

@sozzled here is my conundrum
I also have a site running on php 7.3.3 and marco's interceptor 1.6 but that does not show the code in 1.6 as deprecated. And runs OK

Post by Slackervaara » Sat Apr 13, 2019 7:57 pm

What about error reporting?


Post by sozzled » Sat Apr 13, 2019 8:09 pm

As @Slackervaara writes, these warnings may not necessarily appear on a web page as seen in the screenshot image in the OP but they're probably being logged in the error_log (and you'll see the error_log file grow in size over time) especially if you have the error reporting level set above "None". I can't say what happens with this particular extension. I can comment in relation to several other extensions I've used and the symptoms in the OP's case indicate the same cause (if not with that extension). Make sense?

A lot of these PHP 7 incompatibilities lie undetected (as far as we humans are concerned) while the site logs them in the error_log. ;)

Perhaps the version of Marco's SQL Injection - LFI Interceptor plugin is not what the OP thought it was? I can't say. Further, the listing on the JED (shows v 1.4) has not been updated in five years and the JED says that the extension doesn't use the Joomla update mechanism. According to the developer's website, v1.6 was released 3½ years ago (in November 2015) which pre-dates PHP 7. (PHP 7.0 was released in December 2015)

Post by Webdongle » Sat Apr 13, 2019 8:30 pm

So as deprecated code can be legitimately used something on the server was preventing being used. Therefore there was nothing wrong with the code as such ... but it had to be changed to work on the server (or with other software) because the legitimate code was prevented from working.

Post by sozzled » Sat Apr 13, 2019 8:35 pm

Yeah ... kind of. There's nothing wrong with using crappy code. That's a choice that people can make. On the other hand, every time that piece of code is executed, it'll fail and (depending on the error reporting level) each failure will be logged in the error_log. And the error_log will grow over time. And, of course, unless you tell your backup service to not backup this file, that file will be added to the backup (and, of course, that's extra work).

Better to fix up the bad PHP (takes a few moments) than leave it hanging around for a "gotcha" moment, eh?