CMS Made Simple Forums
https://forum.cmsmadesimple.org/

Cannot access upload folders after 2.2.7 update
https://forum.cmsmadesimple.org/viewtopic.php?f=8&t=78341
Page 1 of 1

Author:  sponna1 [ Fri May 04, 2018 10:26 am ]
Post subject:  Cannot access upload folders after 2.2.7 update

Hi,

We have an issue after updating a site to version 2.2.7 whereby in admin we cannot navigate to upload folders which were created previously. The site is effectively "core" with just FEU in place and working. All modules are updated to the latest version.

The site was developed on a test server and then migrated - interestingly both the dev site and the live site show an error but with different error messages:

Dev site error:

Forbidden
You don't have permission to access /cmsmsd/admin/moduleinterface.php on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

Live site error:

Not Found
The requested URL was not found on this server.

Both sites did not have this error before the update to the latest version. We can work around it by uploading files to the top-level upload folder but ideally we need to be able to use the original sub-folders. We have checked with ftp and the original sub-folders and files are in place on the server and the images in there are showing on the front-end. We have also tried clearing the cache, updating routes and the database maintenance functions in admin.

Any ideas where to start looking please as we're stumped at the moment.

Thanks for your help,
Dave

Author:  DIGI3 [ Fri May 04, 2018 4:00 pm ]
Post subject:  Re: Cannot access upload folders after 2.2.7 update

Any chance mod_security is enabled on the server?

If you can 100% confirm that it's not, then the next step would be to check .htaccess (perhaps temporarily rename it, clear the cache, and check; you'll lose pretty URLs, of course). Also look for .htaccess files in higher directories if the site is in a subfolder.

Author:  sponna1 [ Fri May 04, 2018 4:39 pm ]
Post subject:  Re: Cannot access upload folders after 2.2.7 update

Thanks for the guidance, I will check and get back to you.

Author:  sponna1 [ Fri May 04, 2018 6:25 pm ]
Post subject:  Re: Cannot access upload folders after 2.2.7 update

Hi,

We tried eliminating htaccess and pretty urls (config file change) etc and same issue.

However, we've established that the affected sites are on 4 of our reseller servers but not with sites on our cloud servers (different data centre). So we are starting to think server config issues as you suggested. We've submitted support requests and will advise.

Thanks
Dave

Author:  sponna1 [ Fri May 04, 2018 6:51 pm ]
Post subject:  Re: Cannot access upload folders after 2.2.7 update

Hi,

So it does look like a mod_security issue. The logs are below but we have the news modules on the affected sites updated to the latest version:

SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 (CVE-2014-2245)

Our server guys say it could be a false positive but we need to be sure before having any of the rules relaxed.

Thanks for your guidance,
Dave

Author:  master3395 [ Sun May 06, 2018 6:04 pm ]
Post subject:  Re: Cannot access upload folders after 2.2.7 update

The issue you're telling us about is resolved from version 1.11.10 and up.

The best suggestion would be to upgrade to 2.0 and then upgrade to 2.2.7.
And remember to follow the guide below.

https://docs.cmsmadesimple.org/upgrading/to-cmsms-2.x

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2245

Code:
CVE-2014-2245
Description
SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 allows remote authenticated users with the "Modify News" permission to execute arbitrary SQL commands via the sortby parameter to admin/moduleinterface.php. NOTE: some of these details are obtained from third party information.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MLIST:[oss-security] 20140301 Re: CVE request: CMS Made Simple SQL injection fixed in 1.11.10
URL:http://seclists.org/oss-sec/2014/q1/467
CONFIRM:http://dev.cmsmadesimple.org/project/changelog/4602
BID:65953
URL:http://www.securityfocus.com/bid/65953
SECUNIA:56996
URL:http://secunia.com/advisories/56996


sponna1 wrote:
Hi,

So it does look like a mod_security issue. The logs are below but we have the news modules on the affected sites updated to the latest version:

SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 (CVE-2014-2245)

Our server guys say it could be a false positive but we need to be sure before having any of the rules relaxed.

Thanks for your guidance,
Dave

Author:  sponna1 [ Sun May 06, 2018 6:23 pm ]
Post subject:  Re: Cannot access upload folders after 2.2.7 update

Thanks but please see the first line of the first post. We are running the latest version.

Author:  Rolf [ Sun May 06, 2018 6:35 pm ]
Post subject:  Re: Cannot access upload folders after 2.2.7 update

2.2.7 > 1.11.10, so you are answering your own question...

Author:  DIGI3 [ Sun May 06, 2018 8:42 pm ]
Post subject:  Re: Cannot access upload folders after 2.2.7 update

OP isn't running 1.11.10, that's just the description of the mod_security rule that's being tripped.

You'll probably find 2.x triggers a lot of mod_security rules, and with each new version, you'll find new "broken" things that can be blamed on it. Ideally, your host will let you disable it per domain. Otherwise you're going to have to have an ongoing dialog with them to determine which rule is being triggered every time something doesn't seem to be working properly.
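
Working out which rule is being triggered, and on what, can be done from the Apache error log. The following is an added example, not part of the original thread: it groups ModSecurity denials by rule id and URI and lists any matched variables other than `sortby`, the parameter named in the CVE-2014-2245 description. The log lines, rule ids, hostname and `example_param` are constructed placeholders, and the field layout assumed is ModSecurity 2.x's error-log format.

```python
import re
from collections import defaultdict

CVE_MSG = ('SQL injection vulnerability in the News module in CMS Made Simple '
           '(CMSMS) before 1.11.10 (CVE-2014-2245)')
ADMIN_URI = '/cmsmsd/admin/moduleinterface.php'  # path from the dev-site error

def _line(target, rule_id, msg, uri):
    # Constructed entry in the ModSecurity 2.x Apache error-log layout.
    return ('[Fri May 04 18:40:01 2018] [:error] [client 203.0.113.10] '
            'ModSecurity: Access denied with code 403 (phase 2). Pattern match '
            f'"<elided>" at {target}. [id "{rule_id}"] [msg "{msg}"] '
            f'[hostname "dev.example.test"] [uri "{uri}"]')

# Constructed sample: rule ids and example_param are placeholders.
SAMPLE_LOG = [
    _line('ARGS:sortby', 'PLACEHOLDER_A', CVE_MSG, ADMIN_URI),
    _line('ARGS:example_param', 'PLACEHOLDER_A', CVE_MSG, ADMIN_URI),
    '[Fri May 04 18:40:02 2018] [:error] PHP Notice: unrelated line',
    _line('REQUEST_URI', 'PLACEHOLDER_B', 'Constructed other rule',
          '/cmsmsd/admin/index.php'),
]

FIELD = re.compile(r'\[(id|msg|uri) "([^"]*)"\]')
TARGET = re.compile(r' at ([A-Z_]+(?::[\w-]+)?)')

def parse_denials(lines):
    """Return one dict per 'ModSecurity: Access denied' line; skip the rest."""
    out = []
    for line in lines:
        if 'ModSecurity: Access denied' not in line:
            continue
        rec = dict(FIELD.findall(line))
        m = TARGET.search(line)
        rec['target'] = m.group(1) if m else 'unknown'
        out.append(rec)
    return out

def summarize(denials):
    """Group by (rule id, uri): hit count plus the set of variables matched."""
    groups = defaultdict(lambda: {'count': 0, 'targets': set(), 'msg': ''})
    for d in denials:
        g = groups[(d.get('id', '?'), d.get('uri', '?'))]
        g['count'] += 1
        g['targets'].add(d['target'])
        g['msg'] = d.get('msg', '')
    return dict(groups)

def outside_cve_parameter(entry, cve_target='ARGS:sortby'):
    """Variables the rule matched other than the parameter the CVE names."""
    return sorted(entry['targets'] - {cve_target})
```

A rule id that appears here with targets other than `ARGS:sortby` is matching more than the request the CVE describes, which is the detail a host needs in order to scope an exclusion to that one rule instead of turning the engine off.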

Author:  sponna1 [ Mon May 07, 2018 11:15 am ]
Post subject:  Re: Cannot access upload folders after 2.2.7 update

Hi and thanks for the various replies.

For clarity, is this a false positive and we can ask our server guys to amend the rule set, or is it a "real" issue please? Why would the current version be triggering this for an issue fixed some while back?

Thanks for your advice,
Dave

Author:  DIGI3 [ Mon May 07, 2018 2:19 pm ]
Post subject:  Re: Cannot access upload folders after 2.2.7 update

I'm not sure what you mean by a "real" issue. Regardless though, CMSMS doesn't support mod_security, so if you must keep it active then it sounds like your host will need to either deactivate that rule (and probably others), and/or contact the vendor to have the rules updated.

Author:  sponna1 [ Mon May 07, 2018 5:32 pm ]
Post subject:  Re: Cannot access upload folders after 2.2.7 update

Hi,

I was just trying to establish if there is a security issue or not. Or simply a false positive? I suspect the latter but just a bit worried that the up-to-date version is conflicting with a widely used security tool.

I will ask our hosting team to adjust the rule set for now.

Thanks
Dave

All times are UTC