Internal Server Error


This topic contains 12 replies, has 2 voices, and was last updated by  Ryan 4 years, 9 months ago.

  • #887

    Ian
    Participant

    I’m getting this message after clicking the ‘write your add’ button (after uploading an image on the front end as a user):


    Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator and inform them of the time the error occurred, and anything you might have done that may have caused the error.

    More information about this error may be available in the server error log.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

    If anyone knows what the cause of this may be I’d be very grateful for any info.

    #888

    Ian
    Participant

    UPDATE:

    I changed the permissions on the write_ad.php file and it now goes through to write a title.

    When submitting the title/extra image, however, I am now getting:

    Forbidden

    You don’t have permission to access /newcastle/users/write_ad.php on this server.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

    #889

    Ryan
    Keymaster

    Are you able to check your web server’s error log file and see if there is an error that shows up at the same time?

    #890

    Ian
    Participant

    Hi Ryan, got this from hosting:


    This is due to the web app submitting data that is completely unencoded, and that contains a string that is commonly used in remote file injection attacks. Please contact the developer and ask them to improve their form handling to eliminate this issue.

    The other option is to disable mod security for this account, and expose the site to the internet unprotected – or find another script that encodes form data before submitting it.

    Regards

    --b6341d1d-A--
    [10/Dec/2012:15:20:56 +0000] UMX9101IBEIAChhZkwsAAAAT 86.145.125.144 51798 77.72.4.66 8888
    --b6341d1d-B--
    POST /newcastle/users/write_ad.php HTTP/1.0
    Host: bizzer.co.uk
    X-Real-IP: 86.145.125.144
    X-Forwarded-For: 86.145.125.144
    Connection: close
    Accept-Language: en
    Accept-Encoding: gzip, deflate
    Cookie: PHPSESSID=8d8a225f88ad1ab72da10a3c8d7f7f02
    Referer: http://bizzer.co.uk/newcastle/users/write_ad.php
    User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/4.1.3 Safari/533.19.4
    Origin: http://bizzer.co.uk
    Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0fQQdWhmRgQqbk8j
    Content-Length: 941

    --b6341d1d-I--
    mode=edit&ad%5fid=&user%5fid=8d8a225f88ad1ab72da10a3c8d7f7f02&order%5fid=&banner%5fid=1&1=edot3&2=http%3a%2f%2fedot3%2eco%2euk&save=1
    --b6341d1d-F--
    HTTP/1.1 403 Forbidden
    Content-Length: 349
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

    --b6341d1d-H--
    Message: Access denied with code 403 (phase 2). Match of "beginsWith http:/%{SERVER_NAME}/" against "MATCHED_VAR" required. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "486"] [id "340162"] [rev "257"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)"] [data "http:/"] [severity "CRITICAL"]
    Apache-Error: [file "core.c"] [line 3706] [level 3] File does not exist: /home/bizzer/public_html/403.shtml, referer: http://bizzer.co.uk/newcastle/users/write_ad.php
    Action: Intercepted (phase 2)
    Stopwatch: 1355152855993248 58343 (- - -)
    Stopwatch2: 1355152855993248 58343; combined=4615, p1=368, p2=4235, p3=0, p4=0, p5=11, sr=177, sw=1, l=0, gc=0
    Producer: ModSecurity for Apache/2.6.7 (http://www.modsecurity.org/).
    Server: Apache

    --b6341d1d-Z--

    Regards

    Steve Sant

    Krystal Hosting Ltd

    #891

    Ian
    Participant

    I replied and asked if disabling the security was something we could do and got;

    Hi Ian,

    We can disable mod_sec if you want, it’s a bit risky though – your choice!

    Regards,

    Tom Mason

    The site is at http://bizzer.co.uk/newcastle

    #892

    Ian
    Participant

    Could this just be Krystal Hosting’s massive extra security at play?

    #893

    Ryan
    Keymaster

    I wouldn’t disable mod_security. It helps protect your site from attacks.

    I know this script needs some fixing up which is what I have been doing slowly but surely in the development version. I will do some work on it today.

    #898

    Ian
    Participant

    After getting my most Genius developer onto it, he has given up. Does this thing actually work? I notice you don’t have a demo – why not?

    I’m now asking the hosting to turn off security on the account to see what happens.

    If this does not work then could you let me know of some hosting where this will defo work please?

    #899

    Ian
    Participant

    Ok, could you get our site up and running? If so how much would you need?

    I’m doing this as a joint venture with a local charity (http://little-wings.org/) for nothing but they will have to pay if it takes it to get it going.

    #900

    Ryan
    Keymaster

    I am working on it at the moment. I wouldn’t recommend disabling security on your site. If the script is insecure it needs fixed. And disabling mod_security is probably not the best way to fix the problem.

    I took over development of this project a while ago and have been slowly going through the code making improvements in my spare time. I have been busy but I still have been working on it now and then. I don’t have a demo because I was not finished updating it yet. Everything I have done is in the development snapshot. The other download is the original file before I started working on it. I plan to eventually convert it into a Joomla extension and I occasionally work on that code as well but it is nowhere near complete so I am just making improvements to the existing code to try and get a more secure and stable release ready.

    It wouldn’t surprise me if there are security issues as it is quite old but if there are I want to fix them. So I am working on it right now. I am also going to test it with mod_security on and fix the issue you mentioned.

    Feel free to donate using the donate box on the left side of the site but I don’t ask for money to develop this. It’s a free, open-source project. However, I do charge $50 for script installations. But it sounds like you already have your script installed so the problem is within the code and I will fix it as I have time. I am working on it right this moment. =)

    #901

    Ryan
    Keymaster

    Ok I have done this. It wasn’t a security issue, just a false positive that was triggering mod_security. Once I got mod_security on I was able to test that it fixes it.

    Basically it doesn’t like the http:// being submitted to the form so I moved it out of the input so they just have to enter theirdomain.com instead of the full http:// theirdomain.com.

    I found another bug that prevents us from editing the form fields which I am going to fix next. But until then you could just remove it from your database directly if you are familiar with phpMyAdmin or if your host has some other method of editing the database you can use.

    If you want to do this by editing the database directly all you have to do is edit the form_field table and remove the http:// from the field_init column for the URL so that it’s empty. Then you have to apply the patches to the files I linked to below.

    If you would rather wait for me to fix the form editing bug you can just edit the form and remove the http:// from the initial value field and I can explain that in more detail if you like once I fix the bug if you go that route.

    If you are using the dev snapshot you can update these files or if you are using the original version you can manually patch them. The changes are shown here: http://tinyurl.com/bxlty6p

    and then a little CSS change I forgot to add:
    http://tinyurl.com/amttxx3
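
Added example, not part of Ryan's post or the script's code: it reads the rule tags out of the audit-log Message line quoted earlier in the thread and replays the logged form body against an approximation of the check that line describes, showing which field tripped the rule and that the scheme-less value passes. The rule logic is inferred from the log text only (the slash collapsing and the `with_scheme` helper are assumptions), and the sample strings are copied or trimmed from the quoted log.

```python
import re
from urllib.parse import parse_qsl

# Trimmed from section H of the audit log quoted in the thread.
SECTION_H = ('Message: Access denied with code 403 (phase 2). Match of '
             '"beginsWith http:/%{SERVER_NAME}/" against "MATCHED_VAR" required. '
             '[line "486"] [id "340162"] [rev "257"] [msg "Atomicorp.com UNSUPPORTED '
             'DELAYED Rules: Remote File Injection attempt in ARGS (AE)"] '
             '[data "http:/"] [severity "CRITICAL"]')
# Section I of the same log entry (the decoded form arguments).
SECTION_I = ("mode=edit&ad%5fid=&user%5fid=8d8a225f88ad1ab72da10a3c8d7f7f02"
             "&order%5fid=&banner%5fid=1&1=edot3&2=http%3a%2f%2fedot3%2eco%2euk&save=1")
SERVER_NAME = "bizzer.co.uk"  # Host header from section B


def rule_metadata(message):
    """Return the [key "value"] tags of a ModSecurity Message line as a dict."""
    return dict(re.findall(r'\[(\w+) "([^"]*)"\]', message))


def flagged_args(body, server_name):
    """Approximation of the logged check (assumption, not the vendor's rule):
    an argument containing 'http:/' passes only if it begins with
    'http:/<server_name>/' after repeated slashes are collapsed."""
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        normalised = re.sub(r"/{2,}", "/", value.lower())
        own_site = normalised.startswith(f"http:/{server_name}/")
        if "http:/" in normalised and not own_site:
            hits.append((name, value))
    return hits


def with_scheme(domain):
    """Hypothetical server-side half of the fix: the form accepts a bare
    domain and the application prepends the scheme itself."""
    domain = domain.strip()
    if not re.fullmatch(r"[A-Za-z0-9.-]+(/\S*)?", domain):
        raise ValueError("expected a bare domain without a scheme")
    return "http://" + domain


if __name__ == "__main__":
    print(rule_metadata(SECTION_H)["id"], flagged_args(SECTION_I, SERVER_NAME))
    fixed_body = SECTION_I.replace("http%3a%2f%2f", "")  # field submitted without http://
    print(flagged_args(fixed_body, SERVER_NAME), with_scheme("edot3.co.uk"))
```
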

    #902

    Ian
    Participant

    Thanks – a lot of this is over my head I’m afraid. If I can get the $50 from the charity for you can you install the script again and have it working? Sorry if I’ve missed the point of what you are saying.

    #903

    Ryan
    Keymaster

    I am saying you just have to change your files with the changes shown on those pages. Red lines mean take it away, green lines mean add it in, white lines are just for referencing the location in the code because the line numbers might not be the same if you are on a different version.

    You can basically double click the green lines to select them then copy it and paste it in place of the red lines which you should find in your code. There are only 3 or 4 files changed and maybe 6 or 7 lines total to change and a few to add into the css at the end.

    If you want more help than that feel free to email me your info. Don’t paste it on the forum.
