
PHP 5.2.17 Problems with V3.0.20


Guest lolichka

Hi All,

Has anyone successfully got their modules working in the admin area with PHP 5.2.17 running?

I was working on my site last night and purchased some mods for my store... now since logging in this morning to get them configured I cannot configure them, that is a blank page crops up every time I click on "configure"... Also noted is that I can't configure any of the default modules either... just a blank page when I click on "configure"

I've since been in contact with my host who advised me that their server was upgraded to 5.2.17 a few weeks ago.... and they have plans to upgrade to 5.3 in October

If there is a fix for this, is there anyone willing to share the fix please???

Upgrading to CC4 isn't an option for me at the moment - I'm a small home-based hobbyist and the funds to do that just aren't there... I've invested a lot of money into my site with mods and mods and mods and to have it all fall in a heap because it doesn't work with 5.2.17 is short of tearful for me...

Thanks for your help...

Lol


Ok, working on your store "last night" while your host upgraded their PHP installation "a few weeks ago" presents a serious doubt that the version of PHP is causing the problem.

If you were installing the mods last night, then maybe one or more of the mods was not installed correctly.

When you say "when I click on configure", is this any one of the several configure links on the page that lists all available modules of that type (the list of shipping modules, the list of 3rd Party modules, etc)?

A blank page is very indicative of a PHP syntax error. In a production environment, it is generally a good idea not to expose the errors back to the browser, but to rely on looking at the PHP error log.

It will take just a bit of detective work to find where the PHP is stopping.

We can help you do this.


Guest lolichka


Hello :-D

I had already installed Estelles Contact Form mod and had that working all ok.

I purchased Milos's mod express checkout and was installing that last night. All went ok with the install apart from when I went into configure the mod via the admin panel. This is when I received the blank page after clicking on "Configure".

Oddly, after pulling my hair out last night and this morning, I went to check whether this blank page problem was on another site of mine (different domain but same server).

Unfortunately this problem was on that site too but no changes have been made to that site... which makes me think it is something server side since the PHP upgrade??

Since then and this morning/afternoon/evening... I have completely deleted all files, both PHP and server based, off the site that wasn't working and did a fresh re-install of CC v3.0.20.

Before uploading the new site, I edited the file following this thread http://www.cubecartforums.org/index.php?showtopic=15469 and uploaded/did a fresh install.... but unfortunately that blank page is still there when I click on "configure" within the modules area...

So yes, when I say click on 'configure' they are the links that reside within the modules area where you see the 3rd party link, gateway link, shipping link etc.

Happy to do detective work too...

where would I look for the php.error log or do I need to ask my host for that?

Also, In the log file, what specifically should I be looking for?

Thanks,

Lol


If your host has set you up completely, you will have several log files available: web stats, PHP errors, SQL errors, etc. If you have PHP error logs, they will be in a folder named for such files.

Specifically, you would be looking for anything other than warnings, as an example:

PHP Parse error: syntax error, unexpected $end in \includes\content\viewProd.inc.php on line 249


Guest lolichka


Hi,

Thanks for the reply. I've sent a request off to my host as I was not able to locate these within cPanel so I await their reply. I shall keep you posted :-D

Cheers,

Lol


Guest lolichka


My host is being an ass! This is the response from them:

"These are not logged in traditional locations. in fact, they're rarely logged at all. We have provided you with the logs that can be provided."

So basically, they do not keep PHP error or SQL error log files for customers and don't have any inclination to want to help either, and the logs they do provide are next to useless. Not a very helpful host now IMO.

Is there any other way of being able to 'debug' cubecart to see any errors?

Thanks,

Lol


In CubeCart 3, not any easy way. (CubeCart 4 apparently has a Debug feature.)

The easiest way from your perspective is to acquire the services of someone who has done this type of thing hundreds of times. (You can post a request for assistance in the Hire a Programmer forum over at www.cubecartforums.org. Or, just send a Private Message to someone who you think seems trustworthy.) Let that person have at the installation.

Or, we can work through a very slow and painful process of making suggestions where to put a die() function in the code and see if execution reached that point. If so, move the die() function to a point later in the sequence of things.

For example, in the file /admin/modules/shipping/Free_Shipping/index.php, find:

if(permission("settings","read")==FALSE){
	header("Location: ".$GLOBALS['rootRel']."admin/401.php");
	exit;
}

and add after it:

die("I got here!");

If your browser shows this, then the problem lies later in the code.


Guest lolichka


Thanks so much for the reply.

I've followed the above, saved, uploaded and gone into the free shipping module of the admin area and clicked on 'configure',... it's still coming up with a blank page. Was I correct in clicking on the configure link once the changes were made/uploaded?

Should I go through the rest of the index page and where the end of the parenthesis "}" is, paste the die() function in there, re-upload and see how it goes? So in total I'd be making 3 changes, each change individually uploaded and tested, and if it doesn't work move onto the next "}" after removing the previous die()?? Gosh, hope that made sense! If so, I've done that and all 3 individual changes made and uploaded all came up with blank pages once I'd clicked on the configure link. Please let me know if this is not what you mean by "If so, move the die() function to a point later in the sequence of things".

Thanks again :-D

Lol


Guest lolichka

Hi Brian...

I just wanted to add the following findings...

After cracking it with my hosting provider and after doing some research into alternative hosts, I decided to go down the path of free hosts that offered PHP and MySQL in order for me to try and understand where the issue lies... so I researched and found a free hosting provider and have signed up and successfully installed a 'dev' site of 3.0.20 of CubeCart.

I have navigated to the modules area within the admin on the FREE site as this is the area that has been giving me grief and clicked on the "configure" link and have been able to SUCCESSFULLY configure the modules!!!!! I've gone through ALL of the modules as default (as it's a default site) and they all work!!!????????

So,... interesting times....

I have logged into cubecart on the FREE hosting site and note:

PHP Version: 5.2.17

MySQL Version: 5.0.81-community

** Please note that cubecart specifies this down as MySQL Version: 5.1.57** ???

CC Version: 3.0.20 - Default

I have logged into cubecart on my PAID hosting provider and note:

PHP Version: 5.2.17

MySQL Version: 5.0.92-community

CC Version: 3.0.20 - Default

The only difference I can see is in the MySQL versions NOT php which may explain why some folk who have posted on the forum that are running php 5.2.17 have not had any problems and some running 5.2.17 have had problems... perhaps IMO it is down to the MySQL version as being the culprit (folk have posted their php versions but not MySQL versions)????

Having said that... what are your thoughts on this or anyone else?

I am not a developer and by no stretch of the imagination make claim to knowing such nor understanding the intricacies of the finer details (but try as much as I can)... other than with the facts presented in front of me by the paid and free hosting providers... what are your thoughts as to the MySQL version being the issue?

If you or others are perhaps able to comment (I know we are all busy people) it would be so greatly appreciated and I really do feel that this would probably answer questions for those folk having problems that have posted on the forum and haven't been resolved and/or those looking for solutions or resolution finding paths. Perhaps those problems have been resolved by others and just not posted but I am keen on posting findings to help the wider community. It's been frustrating the crapola out of me :-!

So please, if you... or the wider community can comment on the above specifically pertaining to MySQL versioning and ill effects of differences I can go back to my paid hosting provider and either cancel my account with them or I can work with them (if they are willing to) and they can keep my business...

Thanks so much everyone for reading the post, and especially Brian for providing your assistance... it really is appreciated...

Please add your comments...

Cheers,

Lol

btw Brian I can PM you URLs and details if you would like to see what I am on about


"The only difference I can see is in the MySQL versions... perhaps it is the culprit?"

I seriously doubt a MySQL minor version difference would be the cause.

"I've edited the above, saved, uploaded and gone into the free shipping module of the admin area and clicked on 'configure',... it's still coming up with a blank page. Was I correct in clicking on the configure link once the changes were made/uploaded?"

Yes. But since the malfunction is still happening, we need to move the die() statement to a point earlier in the code.

In that file, find:

include("../../../../includes/ini.inc.php");
include("../../../../includes/global.inc.php");
require_once("../../../../classes/db.inc.php");
$db = new db();
include_once("../../../../includes/functions.inc.php");
$config = fetchDbConfig("config");

and add after:

die("After fetching config");

Upload this new version, click the Configure link for it, and see what happens.

Feel free to PM me whatever you want me to have.


Guest lolichka

Hello, Thanks for the reply. I was really hoping for something as simple as a MySQL version difference being the culprit. If I go back to my paid hosting provider I am sure they will throw that back in my face re the SQL version difference... but happy to continue along this path... I've done as instructed above and clicked on "configure" within the modules area of admin and same blank page. So I've moved that die() statement further up (not sure if this is right)... hoping for something to happen. I got as far as pasting the die() statement after the below line of code:

include("../../../../includes/global.inc.php");
die("After fetching config");

I then saved, uploaded and clicked on "Configure" Free Shipping within the modules area of admin. In the browser I received the "After fetching config" message...

Is this what I am meant to see?

I'll send you a pm shortly too :-)

Thanks again,

Lol

"Is this what I am meant to see?"

Yes, indeed! We are getting somewhere.

The problem lies between where the die() statement was and where it is now.

That means we are looking for the problem somewhere in here:

include_once("../../../../language/".$config['defaultLang']."/lang.inc.php");
$enableSSl = 1;
include_once("../../../../includes/sslSwitch.inc.php");
include("../../../includes/auth.inc.php");
include("../../../includes/header.inc.php");

if(permission("settings","read")==FALSE){
	header("Location: ".$GLOBALS['rootRel']."admin/401.php");
	exit;
}

But this collection of statements is used everywhere. So there must be something in one of the included files that is specific to this area of the admin screens.

Next step is to move the die() statement to between these two statements:

include("../../../includes/auth.inc.php");
die("I'm Authorized");
include("../../../includes/header.inc.php");


Guest lolichka

Hello... and here I was getting excited at a little progress LOL... but alas, since I edited the code as per your suggestion above, saved and uploaded the file and went into "configure" I have received the blank page. The only places where the die() statement works once moved are here:

die("I'm Authorized");
include("../../../../includes/ini.inc.php");
include("../../../../includes/global.inc.php");

or here:

include("../../../../includes/ini.inc.php");
die("I'm Authorized");
include("../../../../includes/global.inc.php");

or here:

include("../../../../includes/ini.inc.php");
include("../../../../includes/global.inc.php");
die("I'm Authorized");

Each of those three areas show the "I'm Authorized" message in the browser.

I decided to paste the die() statement line by line going down the page, so from line 31:

require_once("../../../../classes/db.inc.php");

to end of line 52:

$module = fetchDbConfig($_GET['folder']);

they all showed a blank page.

Stumped where to go on this page now or should I look at another index.php page within one/all of the modules and follow the same process as within this post??

Cheers,

Lol

did u get my pm w/ the details?

Ok, please do the following as soon as possible:

Completely remove the entire installation of your CubeCart code at your paid dev site. (Your free site is not involved.)

Am I correct in thinking you have no other CC installation at your paid host?

More information will be sent in a Private Message.


Guest lolichka


Hi,

Thanks for the reply. I have two sites at my paid host - separate domains, separate sites and separate stores but in a 'shared' hosting environment on the same named server. As noted in your PM, I've deleted the one in question and since re-installing everything a few times have several issues I am working on with my host. CubeCart for whatever reason is throwing MySQL access errors and I have a permission problem (step 4 states to check that /includes/global.inc.ini is set to 644, which it is, but it's not letting me past that step - so it's not?) = now I can't proceed past step 4. So no idea if the server has had a conniption somewhere. I've still got the blank modules configuration link from admin happening and I'm waiting on my host to get back to me re logs. It was escalated to management in the end so I will see if anything comes out of it.

Will keep you posted.

Cheers,

Lol


So, before this line:

require_once("../../../../classes/db.inc.php");

you get a response from die(),

but after that line is the first place where nothing shows on the page?

In my testing, this works:

WEB_ADDRESS/dev/admin/modules/shipping/index.php

but this doesn't:

WEB_ADDRESS/dev/admin/modules/shipping/Free_Shipping/index.php

One more test in the index.php file that we have been working with:

Before this line:

require_once("../../../../classes/db.inc.php");

add this:

die(print_r($ini)." ".$glob['installed']);

Also, ask your host if open_basedir is in effect and has a limitation to "../../../../", also called a directory traversal of four parents.


Guest lolichka


Hello,

1. Yes everything correct as per above.

2. I entered in the statement "die(print_r($ini)." ".$glob['installed']);" and received the following response in the browser "Array ( [ver] => 3.0.20 [CCver] => 30025 [bftime] => 600 [bfattempts] => 5 ) 1 1"

If you navigate to that URL "WEB_ADDRESS/dev/admin/modules/shipping/Free_Shipping/index.php" you will see it there. I shall leave it as is until instructed otherwise.

Out of curiosity on point 2, what does "bf" relate to and their numeric values?

I've sent a reply to my escalated support request pasting your open_basedir/traversal of four parents question so await their reply.

Will keep you posted...

Thanks again :-D

Lol


print_r() is a PHP function that prints the contents of variables. I wanted to see if the contents of ini.inc.php was getting picked up.

Array ( [ver] => 3.0.20 [CCver] => 30025 [bftime] => 600 [bfattempts] => 5 ) 1 1

CC version is 3.0.20

CC Build version is 30025

BruteForce Time Delay is 600 seconds

BruteForce Attempts is 5

Brute Force is designed to block repeated attempts within seconds of each other to access your site.

One of the 1's is saying that CC is installed and comes from the global.inc.php file.

Having these variables show with their valid values tells me that:

include("../../../../includes/ini.inc.php");

include("../../../../includes/global.inc.php");

loads fine, but:

require_once("../../../../classes/db.inc.php");

does not.

And that is what is odd. All three files are the same "directory traversal" distance away. If a file fails the include() function a warning is thrown but does not stop the code. However, if a file fails the require_once() function, an error is thrown and the program stops (blank page).

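The two things Brian has asked about in the posts above, whether open_basedir (or anything else PHP can report on) is in effect, and why an include() that cannot open its file only warns while require_once() stops the script with a blank page, can be checked in one go without the host's logs. The following diagnostic page is an added example, not part of the thread or of CubeCart; it assumes it is dropped into the same folder as the module index.php being bisected (for example admin/modules/shipping/Free_Shipping/), that that folder is writable for a diag-errors.log file, and it is written for PHP 5.2 (no __DIR__, no closures). The file and function names are my own.

```php
<?php
// diag.php: stand-alone diagnostic page (added example, not CubeCart code).
// Assumed to sit next to the module index.php being bisected, e.g. in
// admin/modules/shipping/Free_Shipping/, and requested directly in a browser.
// Written for PHP 5.2: no __DIR__, no closures. Delete it when finished.

// 1. Send errors to a log file you control, so a fatal error is no longer a blank page.
$logFile = dirname(__FILE__) . '/diag-errors.log';   // assumes this folder is writable
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', $logFile);

// 2. Fatal errors never reach set_error_handler(), but a shutdown function still runs,
//    and error_get_last() reports what stopped the script.
function diag_shutdown()
{
    $err = error_get_last();
    $fatal = array(E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR, E_RECOVERABLE_ERROR);
    if ($err !== null && in_array($err['type'], $fatal)) {
        echo '<pre>FATAL: ' . htmlspecialchars($err['message'])
           . ' in ' . htmlspecialchars($err['file']) . ':' . $err['line'] . '</pre>';
    }
}
register_shutdown_function('diag_shutdown');

// 3. Non-fatal problems (an include() that cannot open its file) come through here.
function diag_warning($errno, $errstr, $errfile, $errline)
{
    echo '<pre>WARNING: ' . htmlspecialchars($errstr)
       . ' (' . htmlspecialchars($errfile) . ':' . $errline . ')</pre>';
    return true;   // handled; execution continues
}
set_error_handler('diag_warning', E_WARNING | E_NOTICE);

// 4. Restrictions that PHP itself can report.
echo '<pre>PHP ' . PHP_VERSION . "\n";
echo 'open_basedir = ' . var_export(ini_get('open_basedir'), true) . "\n";
echo 'include_path = ' . ini_get('include_path') . "\n\n";

// 5. Probe the files the module's index.php loads, once with the '../' chain left in
//    the path and once with realpath() collapsing it to an absolute path.
$files = array(
    '../../../../includes/ini.inc.php',
    '../../../../includes/global.inc.php',
    '../../../../classes/db.inc.php',
);
foreach ($files as $rel) {
    $unresolved = dirname(__FILE__) . '/' . $rel;
    $resolved   = realpath($unresolved);               // false if missing or blocked
    printf("%-40s unresolved readable=%s | resolved=%s readable=%s\n",
        $rel,
        is_readable($unresolved) ? 'yes' : 'no',
        $resolved === false ? '(none)' : $resolved,
        ($resolved !== false && is_readable($resolved)) ? 'yes' : 'no');
}
echo '</pre>';

// 6. include() of a file it cannot load is a warning and the script carries on;
//    require_once() of the same kind of file is fatal and diag_shutdown() explains why.
include '../../../../includes/ini.inc.php';
include '../../../../includes/global.inc.php';
echo '<pre>include() calls returned; still running</pre>';
require_once '../../../../classes/db.inc.php';
echo '<pre>require_once() succeeded; class db is ' . (class_exists('db') ? '' : 'NOT ') . 'defined</pre>';
```

If the page stops after the "still running" line with no FATAL block, the host is cutting the request off below PHP (a web server module or a wrapper), which is consistent with a limit that PHP cannot see in open_basedir; if a FATAL block does appear, its message names the file and the reason, which is exactly what the missing error log would have said.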

Guest lolichka


Hi Brian,

Thanks so much for the reply. It is appreciated and I completely understood what you are on about. I got a reply from my host - following is their response:

"This limitation is in fact in effect, however it is not an open_basedir limitation. This limitation isn't going to be modified, as that's pretty generous."

... I have paid for 6 months of hosting in advance with a hosting provider that I have been using for years and referred friends to that is useless for me now ... so slightly ticked off.

Do you think there is any value in me going back to my host and providing the above where you have found which files load and which don't and asking what the limitation is?

Thanks

Lol


Guest lolichka

...well I went back to my host and this is the response I received:

The limitation has already been guessed, it's at 4.

That limitation will stay. If anything it will be reduced, as 4 is far too lenient.

A properly developed app wouldn't even use ../ at all.

(I'd probably be taking offence at his comment "a properly developed app" IMO).... unfortunately this is the mentality of the support person I am dealing with.

I've shown him the findings above and have no idea if it's something he can check at a PHP config level, whether there may be something gone askew, but have asked him - so let's see what comes out of it. (IMO tho I'm sure he will just state that it's an application problem with CubeCart - which doesn't help me nor them as I probably won't be renewing anything with them!)

Cheers,

Lol


Well I received a response. One that I thought I would:

"We can not assist you with code development. This is the responsibility of your developers. It is on them to debug and test your applications, not on us"

*sigh*

So where to from here??

Cheers,

Lol


So, if your store was working fine just a couple of days ago, and now we (may) have narrowed it down to a security setting preventing ../../../../require_once() from executing (with no error message on top of all that), I can only surmise that your host implemented this security setting just recently.

As such, I think you have a case for moving your sites (now required) and demanding your money back.

I could suggest that we go through all the code and replace ../../../../ with something less flexible (or more flexible, depending on your point of view) - for example:

require_once($glob['rootRel']."includes/ini.inc.php");

But we won't be able to make these changes to any mods you may acquire.

Be sure to mention the hosting provider as none of us would want to install an improperly developed app unawares and spend days trying to figure out what's wrong (as it's their overly aggressive security protocols with NO error message to give us a clue).

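Brian's suggestion above, replacing each ../../../../ chain with a path built from one known root, can be done in a single helper so that every module script loads its files the same way and a blocked file produces a logged reason instead of a silent blank page. The following is an added example, not CubeCart's own code and not a patch from the thread: it assumes a new file includes/cc_paths.inc.php in the store, a CC_ROOT constant, and the helper names cc_path() and cc_require(), all of which are mine. It is written for PHP 5.2 (dirname(__FILE__) rather than __DIR__).

```php
<?php
// includes/cc_paths.inc.php: root-relative loading (added example, not CubeCart code).
// Assumed to live in the store's includes/ folder; every module script then loads files
// through cc_require() instead of a hand-written ../../../../ chain. PHP 5.2 style.

if (!defined('CC_ROOT')) {
    // Resolve the store root once, from this file's own location, to an absolute path.
    // realpath() collapses the '..' segment, so CC_ROOT never contains '../'.
    $ccRoot = realpath(dirname(__FILE__) . '/..');      // includes/ -> store root
    if ($ccRoot === false) {
        die('cc_paths: cannot resolve the store root from ' . dirname(__FILE__));
    }
    define('CC_ROOT', $ccRoot);
}

// Absolute path for a file under the store root; false if the file is missing,
// unreadable under the host's restrictions, or resolves outside the root.
function cc_path($relative)
{
    $candidate = realpath(CC_ROOT . '/' . ltrim($relative, '/'));
    if ($candidate === false) {
        return false;
    }
    $prefix = CC_ROOT . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return false;   // a '..' in $relative climbed out of the store root
    }
    return $candidate;
}

// require_once() that fails with a logged reason instead of a silent blank page.
function cc_require($relative)
{
    $file = cc_path($relative);
    if ($file === false) {
        error_log('cc_require: cannot load "' . $relative . '" under ' . CC_ROOT);
        die('A store file could not be loaded; see the PHP error log.');
    }
    require_once $file;
}

// ---- In admin/modules/shipping/Free_Shipping/index.php the opening lines
//        include("../../../../includes/ini.inc.php"); ... require_once("../../../../classes/db.inc.php");
//      would become the following. The one bootstrap line still computes four parents,
//      but realpath() hands require_once() an absolute path with no '../' in it:
//
// require_once realpath(dirname(__FILE__) . '/../../../..') . '/includes/cc_paths.inc.php';
// cc_require('includes/ini.inc.php');
// cc_require('includes/global.inc.php');
// cc_require('classes/db.inc.php');
// $db = new db();
// cc_require('includes/functions.inc.php');
// $config = fetchDbConfig("config");
```

The thread does not say whether the host's filter looks at the literal string passed to include() or at the resolved path, so the bootstrap line is the one place this cannot promise to get past it; everything after it is root-relative, and the prefix check in cc_path() is what stops a relative name from reaching outside the store even when it is built from configuration rather than typed by hand.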

Guest lolichka


Hi Brian,

You've got my PM and as per that it's still in progress. As for there being an impact on the mods I have or may acquire, I've got 7 purchased mods and a myriad of tweaks here and there installed on my main site plus a bunch of new mods just purchased (not yet installed) for a new avenue of income (I hope) I am setting up. So while it would be great in an ideal world to have this all sorted, IMO it all comes down to the host - who as you know and I hope everyone who has read this entire thread can understand ... has not been very helpful, nor forthcoming at all and quite happy to jump at first opportunity stating CubeCart is the problem... when it's NOT IMO!

How life would have been simple if only they were willing to provide PHP logs eh... this may have been sorted days ago, but alas they have refused to provide any valuable assistance other than throwing back at me that cubecart has been the problem.

While I may have to fight them for a refund and while I wait for Fair Trading to get back to me I am happy to name and shame - aussiehost.com.

I've been in the I.T industry across hardware/Web/Software DLC and more so project management delivering infrastructure projects over the last 16 years. I find it quite disgusting that their support has taken the opinion that they have about CubeCart and treated me how they have given how long I have been with them and folk I have referred to them - I LOVE CUBECART!...

but hey, I'm only a stay at home mum now to x4 gorgeous kids 4 years and under trying to make some extra money to support the family... obviously their hosting is no longer a fit with my needs and IMO I don't like how they conduct themselves in business anyway so off I go exploring avenues for a reliable host *sigh*...

Brian, personally thank you so very much for all of your help. You have no idea how much it is appreciated. You have been very thorough and a pleasure to have help from. If ever we head back to the UK (Yorkshire from where hubby is from).... I'll make sure to drop in with the fam and say Hi and we can all have a beer together LOL...

Thanks again, if anything crops up re this post i'll be sure to mention it. I'm looking forward to their reply from my e-mail LOL

Cheers,

Lol


On the presumption that this hosting provider has a security device/setting such that:

"The limitation has already been guessed, it's at 4. That limitation will stay. If anything it will be reduced, as 4 is far too lenient. A properly developed app wouldn't even use ../ at all."

Moving to CC4 won't help much, because the rich text editor uses ../../../../../../../, a directory traversal of seven parents. (The file \modules\gateway\WorldPay\return.php has a directory traversal of three parents. This module and one other have three parents in CC5.)

But this is not too bad since, as this appears to be the only spot I could find for long directory traversals, it may be an easy fix.

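Brian's count of "parents" for CC3, CC4 and CC5 above is the kind of check worth running over a whole tree before committing to a host with a traversal limit. The following audit script is an added example, not part of the thread or of CubeCart: it walks a PHP tree, finds every include/require with a literal path, and reports the files whose leading ../ chain exceeds a limit (defaulting to 4, the figure this host quoted; the seven-parent editor path Brian mentions for CC4 would be flagged). Function names and the command-line usage are mine; it runs under PHP 5.2.

```php
<?php
// traversal_audit.php: report include/require paths that climb more than N parents.
// Added example, not CubeCart code. PHP 5.2 compatible.
// Usage: php traversal_audit.php /path/to/store [limit]      (limit defaults to 4)

// Number of consecutive '../' (or '..\') segments at the start of a path string.
function traversal_depth($path)
{
    if (preg_match('#^(?:\.\.[/\\\\])+#', $path, $m)) {
        return substr_count($m[0], '..');
    }
    return 0;
}

// Deepest traversal in one file and the line it sits on: array(depth, line).
function audit_file($file)
{
    $src = file_get_contents($file);
    $deepest = 0;
    $deepestLine = 0;
    // include/require[_once], with or without parentheses, followed by a quoted literal.
    // A dynamic path such as "../../../../language/".$config[...] still yields its literal prefix.
    $re = '/\b(?:include|require)(?:_once)?\s*\(?\s*[\'"]([^\'"]+)[\'"]/i';
    if (preg_match_all($re, $src, $hits, PREG_OFFSET_CAPTURE)) {
        foreach ($hits[1] as $hit) {
            $depth = traversal_depth($hit[0]);
            if ($depth > $deepest) {
                $deepest = $depth;
                $deepestLine = substr_count(substr($src, 0, $hit[1]), "\n") + 1;
            }
        }
    }
    return array($deepest, $deepestLine);
}

// Every .php/.inc file under $dir whose deepest traversal exceeds $limit.
function audit_tree($dir, $limit)
{
    $report = array();
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir));
    foreach ($it as $path => $info) {
        if (!$info->isFile() || !preg_match('/\.(php|inc)$/i', $path)) {
            continue;
        }
        list($depth, $line) = audit_file($path);
        if ($depth > $limit) {
            $report[$path] = array($depth, $line);
        }
    }
    return $report;
}

$dir   = isset($argv[1]) ? $argv[1] : '.';
$limit = isset($argv[2]) ? (int) $argv[2] : 4;   // the host in this thread allows 4
foreach (audit_tree($dir, $limit) as $file => $info) {
    printf("%s:%d traverses %d parents (limit %d)\n", $file, $info[1], $info[0], $limit);
}
```

An empty report means no literal include path climbs past the limit; paths assembled entirely at run time are not seen by this scan, so a clean result is a necessary check, not a guarantee.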

Guest lolichka


So basically... I either change hosts and stick with CC3 on the proviso that they (new hosting provider) keep their software configuration the same for ever.... highly unlikely... or, I stay with the current hosting schmucks and purchase CC5... dilemmas... I'm needing to exhaust this avenue more as all my mods are w/ V3 so need to weigh up the pros and cons and dollars involved of upgrading now *sigh*...

Thanks for clarifying the traversal pattern... good to note for others too and a GREAT question to ask any future hosts and what their future plans may be with implementation of such...

when you mention "But this is not too bad since, as this appears to be the only spot I could find for long directory traversals, it may be an easy fix", perhaps I may have missed something - is this in relation to CC3, CC4 or CC5???

thanks for the reply, as again... much appreciated :-)
