
All times are UTC




This topic is locked. [ 12 posts ]

Post subject: Cannot access upload folders after 2.2.7 update
Posted: Fri May 04, 2018 10:26 am
Forum Members

Joined: Thu Oct 17, 2013 9:25 am
Posts: 38
Hi,

We have an issue after updating a site to version 2.2.7 whereby in admin we cannot navigate to upload folders which were created previously. The site is effectively "core" with just FEU in place and working. All modules are updated to the latest version.

The site was developed on a test server and then migrated - interestingly both the dev site and the live site show an error but with different error messages:

Dev site error:

Forbidden
You don't have permission to access /cmsmsd/admin/moduleinterface.php on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

Live site error:

Not Found
The requested URL was not found on this server.

Both sites did not have this error before the update to the latest version. We can work around it by uploading files to the top-level upload folder but ideally we need to be able to use the original sub-folders. We have checked with ftp and the original sub-folders and files are in place on the server and the images in there are showing on the front-end. We have also tried clearing the cache, updating routes and the database maintenance functions in admin.

Any ideas where to start looking please as we're stumped at the moment.

Thanks for your help,
Dave


Post subject: Re: Cannot access upload folders after 2.2.7 update
Posted: Fri May 04, 2018 4:00 pm
Dev Team Member

Joined: Wed Feb 25, 2009 4:25 am
Posts: 740
Location: Victoria, BC
Any chance mod_security is enabled on the server?

If you can 100% confirm that it's not, then the next step would be to check .htaccess (perhaps temporarily rename it, clear the cache, and check. You'll lose pretty urls of course). Also look for htaccess files in higher directories if the site is in a subfolder.

_________________
Not getting the answer you need? CMSMS support options


Post subject: Re: Cannot access upload folders after 2.2.7 update
Posted: Fri May 04, 2018 4:39 pm
Forum Members

Joined: Thu Oct 17, 2013 9:25 am
Posts: 38
Thanks for the guidance, I will check and get back to you.


Post subject: Re: Cannot access upload folders after 2.2.7 update
Posted: Fri May 04, 2018 6:25 pm
Forum Members

Joined: Thu Oct 17, 2013 9:25 am
Posts: 38
Hi,

We tried eliminating htaccess and pretty urls (config file change) etc and same issue.

However, we've established that the affected sites are on 4 of our reseller servers but not with sites on our cloud servers (different data centre). So we are starting to think server config issues as you suggested. We've submitted support requests and will advise.

Thanks
Dave


Post subject: Re: Cannot access upload folders after 2.2.7 update
Posted: Fri May 04, 2018 6:51 pm
Forum Members

Joined: Thu Oct 17, 2013 9:25 am
Posts: 38
Hi,

So it does look like a mod_security issue. The logs are below but we have the news modules on the affected sites updated to the latest version:

SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 (CVE-2014-2245)

Our server guys say it could be a false positive but we need to be sure before having any of the rules relaxed.

Thanks for your guidance,
Dave


Post subject: Re: Cannot access upload folders after 2.2.7 update
Posted: Sun May 06, 2018 6:04 pm
Forum Members

Joined: Mon Mar 30, 2015 7:13 am
Posts: 77
Location: Norway
The issue you're telling us about is resolved from version 1.11.10 and up.

The best suggestion would be to upgrade to 2.0 and then upgrade to 2.2.7
And remember to follow the guide below.

https://docs.cmsmadesimple.org/upgrading/to-cmsms-2.x

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2245

Code:
CVE-2014-2245
Learn more at National Vulnerability Database (NVD)
• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 allows remote authenticated users with the "Modify News" permission to execute arbitrary SQL commands via the sortby parameter to admin/moduleinterface.php. NOTE: some of these details are obtained from third party information.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MLIST:[oss-security] 20140301 Re: CVE request: CMS Made Simple SQL injection fixed in 1.11.10
URL:http://seclists.org/oss-sec/2014/q1/467
CONFIRM:http://dev.cmsmadesimple.org/project/changelog/4602
BID:65953
URL:http://www.securityfocus.com/bid/65953
SECUNIA:56996
URL:http://secunia.com/advisories/56996


sponna1 wrote:
Hi,

So it does look like a mod_security issue. The logs are below but we have the news modules on the affected sites updated to the latest version:

SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 (CVE-2014-2245)

Our server guys say it could be a false positive but we need to be sure before having any of the rules relaxed.

Thanks for your guidance,
Dave

_________________
My Projects Page
CMSMS support options


Post subject: Re: Cannot access upload folders after 2.2.7 update
Posted: Sun May 06, 2018 6:23 pm
Forum Members

Joined: Thu Oct 17, 2013 9:25 am
Posts: 38
Thanks but please see the first line of the first post. We are running the latest version.


Post subject: Re: Cannot access upload folders after 2.2.7 update
Posted: Sun May 06, 2018 6:35 pm
Dev Team Member

Joined: Wed Apr 23, 2008 7:53 am
Posts: 7657
Location: The Netherlands
2.2.7 > 1.11.10, so you are answering your own question...

_________________
Did my post help you solving a problem at your (customers) website and it saved you many hours of work? Great!! Consider buying me a cup of coffee in return!



Post subject: Re: Cannot access upload folders after 2.2.7 update
Posted: Sun May 06, 2018 8:42 pm
Dev Team Member

Joined: Wed Feb 25, 2009 4:25 am
Posts: 740
Location: Victoria, BC
OP isn't running 1.11.10, that's just the description of the mod_security rule that's being tripped.

You'll probably find 2.x triggers a lot of mod_security rules, and with each new version, you'll find new "broken" things that can be blamed on it. Ideally, your host will let you disable it per domain. Otherwise you're going to have to have an ongoing dialog with them to determine which rule is being triggered every time something doesn't seem to be working properly.

_________________
Not getting the answer you need? CMSMS support options
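
Added example (not part of the thread, and not CMSMS or ModSecurity project code): a Python triage of ModSecurity 2.x denials in an Apache error log, grouping hits by rule id, URI and matched variable so the host can be told exactly which rule fires where. The log lines, rule id, rule file, hosts and the parameter name `example_param` are constructed placeholders; the `sortby` check is taken from the CVE-2014-2245 description quoted earlier in the thread.

```python
import re
from collections import Counter

# Constructed sample in the ModSecurity 2.x Apache error-log layout.
# Rule id, rule file, hosts, client IPs and "example_param" are placeholders.
_DENY = ('[Fri May 04 18:40:0{n} 2018] [:error] [pid 4021] [client 203.0.113.10] '
         'ModSecurity: Access denied with code 403 (phase 2). '
         'Pattern match "PLACEHOLDER" at ARGS:{arg}. '
         '[file "/etc/modsec/vendor.conf"] [line "101"] [id "999001"] '
         '[msg "CMSMS News SQLi (CVE-2014-2245)"] [hostname "dev.example.test"] '
         '[uri "/cmsmsd/admin/moduleinterface.php"] [unique_id "X{n}"]')
SAMPLE_LOG = "\n".join([
    _DENY.format(n=1, arg="example_param"),
    _DENY.format(n=2, arg="example_param"),
    "[Fri May 04 18:40:03 2018] [core:notice] [pid 4021] unrelated line",
    _DENY.format(n=4, arg="sortby"),
])

TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [id "..."], [uri "..."]
TARGET_RE = re.compile(r' at ([A-Z_]+(?::[\w-]+)?)\.')  # variable that matched

def parse_hits(log_text):
    """Return one dict per ModSecurity denial found in the log text."""
    hits = []
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue
        tags = dict(TAG_RE.findall(line))
        target = TARGET_RE.search(line)
        hits.append({"id": tags.get("id", "?"), "msg": tags.get("msg", ""),
                     "uri": tags.get("uri", ""),
                     "target": target.group(1) if target else "?"})
    return hits

def triage(hits):
    """Group by (rule id, uri, variable); flag hits on the CVE's own vector."""
    groups = Counter((h["id"], h["uri"], h["target"]) for h in hits)
    report = []
    for (rule_id, uri, target), count in sorted(groups.items()):
        # CVE-2014-2245 names the sortby parameter of admin/moduleinterface.php.
        on_vector = (target == "ARGS:sortby"
                     and uri.endswith("/admin/moduleinterface.php"))
        report.append({"id": rule_id, "uri": uri, "target": target, "count": count,
                       "action": "inspect request" if on_vector
                                 else "scoped exclusion candidate"})
    return report

if __name__ == "__main__":
    for row in triage(parse_hits(SAMPLE_LOG)):
        print(row)
```

A group marked as an exclusion candidate gives the host the rule id together with the URI and variable, so any exclusion can be limited to that rule on that path instead of switching the engine off for the whole domain.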


Post subject: Re: Cannot access upload folders after 2.2.7 update
Posted: Mon May 07, 2018 11:15 am
Forum Members

Joined: Thu Oct 17, 2013 9:25 am
Posts: 38
Hi and thanks for the various replies.

For clarity, is this a false positive and we can ask our server guys to amend the rule set, or is it a "real" issue please. Why would the current version be triggering this for an issue fixed some while back?

Thanks for your advice,
Dave


Post subject: Re: Cannot access upload folders after 2.2.7 update
Posted: Mon May 07, 2018 2:19 pm
Dev Team Member

Joined: Wed Feb 25, 2009 4:25 am
Posts: 740
Location: Victoria, BC
I'm not sure what you mean by a "real" issue. Regardless though, CMSMS doesn't support mod_security, so if you must keep it active then it sounds like your host will need to either deactivate that rule (and probably others), and/or contact the vendor to have the rules updated.

_________________
Not getting the answer you need? CMSMS support options


Post subject: Re: Cannot access upload folders after 2.2.7 update
Posted: Mon May 07, 2018 5:32 pm
Forum Members

Joined: Thu Oct 17, 2013 9:25 am
Posts: 38
Hi,

I was just trying to establish if there is a security issue or not. Or simply a false positive? I suspect the latter but just a bit worried that the up-to-date version is conflicting with a widely used security tool.

I will ask our hosting team to adjust the rule set for now.

Thanks
Dave

