Cannot access upload folders after 2.2.7 update

For questions and problems with the CMS core. This board is NOT for any 3rd party modules, addons, PHP scripts or anything NOT distributed with the CMS made simple package itself.
sponna1
Forum Members
Posts: 43
Joined: Thu Oct 17, 2013 9:25 am

Cannot access upload folders after 2.2.7 update

Post by sponna1 »

Hi,

We have an issue after updating a site to version 2.2.7 whereby in admin we cannot navigate to upload folders which were created previously. The site is effectively "core" with just FEU in place and working. All modules are updated to the latest version.

The site was developed on a test server and then migrated - interestingly both the dev site and the live site show an error but with different error messages:

Dev site error:

Forbidden
You don't have permission to access /cmsmsd/admin/moduleinterface.php on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

Live site error:

Not Found
The requested URL was not found on this server.

Both sites did not have this error before the update to the latest version. We can work around it by uploading files to the top-level upload folder but ideally we need to be able to use the original sub-folders. We have checked with ftp and the original sub-folders and files are in place on the server and the images in there are showing on the front-end. We have also tried clearing the cache, updating routes and the database maintenance functions in admin.

Any ideas where to start looking please as we're stumped at the moment.

Thanks for your help,
Dave
DIGI3
Dev Team Member
Posts: 1609
Joined: Wed Feb 25, 2009 4:25 am
Location: Victoria, BC

Re: Cannot access upload folders after 2.2.7 update

Post by DIGI3 »

Any chance mod_security is enabled on the server?

If you can 100% confirm that it's not, then the next step would be to check .htaccess (perhaps temporarily rename it, clear the cache, and check. You'll lose pretty urls of course). Also look for htaccess files in higher directories if the site is in a subfolder.
Not getting the answer you need? CMSMS support options
sponna1
Forum Members
Posts: 43
Joined: Thu Oct 17, 2013 9:25 am

Re: Cannot access upload folders after 2.2.7 update

Post by sponna1 »

Thanks for the guidance, I will check and get back to you.
sponna1
Forum Members
Posts: 43
Joined: Thu Oct 17, 2013 9:25 am

Re: Cannot access upload folders after 2.2.7 update

Post by sponna1 »

Hi,

We tried eliminating htaccess and pretty urls (config file change) etc and same issue.

However, we've established that the affected sites are on 4 of our reseller servers but not with sites on our cloud servers (different data centre). So we are starting to think server config issues as you suggested. We've submitted support requests and will advise.

Thanks
Dave
sponna1
Forum Members
Posts: 43
Joined: Thu Oct 17, 2013 9:25 am

Re: Cannot access upload folders after 2.2.7 update

Post by sponna1 »

Hi,

So it does look like a mod_security issue. The logs are below but we have the news modules on the affected sites updated to the latest version:

SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 (CVE-2014-2245)

Our server guys say it could be a false positive but we need to be sure before having any of the rules relaxed.

Thanks for your guidance,
Dave
master3395
Forum Members
Posts: 94
Joined: Mon Mar 30, 2015 7:13 am
Location: Norway

Re: Cannot access upload folders after 2.2.7 update

Post by master3395 »

The issue you're telling us about is resolved from version 1.11.10 and up.

The best suggestion would be to upgrade to 2.0 and then upgrade to 2.2.7.
And remember to follow the guide below.

https://docs.cmsmadesimple.org/upgrading/to-cmsms-2.x

https://cve.mitre.org/cgi-bin/cvename.c ... -2014-2245

CVE-2014-2245
Description
SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 allows remote authenticated users with the "Modify News" permission to execute arbitrary SQL commands via the sortby parameter to admin/moduleinterface.php. NOTE: some of these details are obtained from third party information.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MLIST:[oss-security] 20140301 Re: CVE request: CMS Made Simple SQL injection fixed in 1.11.10
URL:http://seclists.org/oss-sec/2014/q1/467
CONFIRM:http://dev.cmsmadesimple.org/project/changelog/4602
BID:65953
URL:http://www.securityfocus.com/bid/65953
SECUNIA:56996
URL:http://secunia.com/advisories/56996
sponna1 wrote:Hi,

So it does look like a mod_security issue. The logs are below but we have the news modules on the affected sites updated to the latest version:

SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 (CVE-2014-2245)

Our server guys say it could be a false positive but we need to be sure before having any of the rules relaxed.

Thanks for your guidance,
Dave
sponna1
Forum Members
Posts: 43
Joined: Thu Oct 17, 2013 9:25 am

Re: Cannot access upload folders after 2.2.7 update

Post by sponna1 »

Thanks but please see the first line of the first post. We are running the latest version.
Rolf
Dev Team Member
Posts: 7825
Joined: Wed Apr 23, 2008 7:53 am
Location: The Netherlands

Re: Cannot access upload folders after 2.2.7 update

Post by Rolf »

2.2.7 > 1.11.10, so you are answering your own question...
- + - + - + - + - + - + -
LATEST TUTORIAL AT CMS CAN BE SIMPLE:
Migrating Company Directory module to LISE
- + - + - + - + - + - + -
DIGI3
Dev Team Member
Posts: 1609
Joined: Wed Feb 25, 2009 4:25 am
Location: Victoria, BC

Re: Cannot access upload folders after 2.2.7 update

Post by DIGI3 »

OP isn't running 1.11.10, that's just the description of the mod_security rule that's being tripped.

You'll probably find 2.x triggers a lot of mod_security rules, and with each new version, you'll find new "broken" things that can be blamed on it. Ideally, your host will let you disable it per domain. Otherwise you're going to have to have an ongoing dialog with them to determine which rule is being triggered every time something doesn't seem to be working properly.
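
Added example, not part of any post in this thread: a Python script for working out which ModSecurity rule is denying requests to a path such as `/cmsmsd/admin/moduleinterface.php`, and for rendering an exclusion limited to that one rule and path instead of disabling mod_security for the whole domain. The log lines, rule ids, hostnames and matched variables are constructed placeholders in ModSecurity 2.x Apache error-log style; the real rule id has to come from the host's own logs.

```python
import re
from collections import Counter

# Constructed Apache error-log lines in ModSecurity 2.x style. Rule ids,
# hostnames, client addresses and matched variables are placeholders.
SAMPLE_LOG = '''
[Tue Apr 03 09:12:44 2018] [:error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "moduleinterface" at REQUEST_FILENAME. [id "9990001"] [msg "CMS Made Simple News SQLi (CVE-2014-2245)"] [hostname "dev.example.test"] [uri "/cmsmsd/admin/moduleinterface.php"]
[Tue Apr 03 09:13:02 2018] [:error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "moduleinterface" at REQUEST_FILENAME. [id "9990001"] [msg "CMS Made Simple News SQLi (CVE-2014-2245)"] [hostname "dev.example.test"] [uri "/cmsmsd/admin/moduleinterface.php"]
[Tue Apr 03 09:20:10 2018] [:error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select" at ARGS:q. [id "9990002"] [msg "Generic SQLi probe"] [hostname "dev.example.test"] [uri "/cmsmsd/index.php"]
[Tue Apr 03 09:21:00 2018] [:error] [client 198.51.100.9] File does not exist: /var/www/favicon.ico
'''

# [name "value"] metadata pairs that ModSecurity appends to each message.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The "at VARIABLE." part names the request element the rule matched on.
MATCHED = re.compile(r'\bat ([A-Z_]+(?::[^\s.]+)?)\.')


def parse_denials(log_text):
    """Return one dict of metadata per 'ModSecurity: Access denied' line."""
    hits = []
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue  # ordinary Apache errors are not rule hits
        fields = dict(FIELD.findall(line))
        m = MATCHED.search(line)
        fields["matched_var"] = m.group(1) if m else None
        hits.append(fields)
    return hits


def summarize(hits):
    """Count denials per (rule id, URI, matched variable)."""
    return Counter((h.get("id"), h.get("uri"), h["matched_var"]) for h in hits)


def scoped_exclusion(rule_id, uri):
    """Render an Apache snippet that removes one rule for one exact path."""
    return (f'<LocationMatch "^{re.escape(uri)}$">\n'
            f'    SecRuleRemoveById {rule_id}\n'
            f'</LocationMatch>')


if __name__ == "__main__":
    summary = summarize(parse_denials(SAMPLE_LOG))
    for (rule_id, uri, var), count in summary.most_common():
        print(f"rule {rule_id} denied {uri} {count}x (matched on {var})")
    top_rule, top_uri, _ = summary.most_common(1)[0][0]
    print(scoped_exclusion(top_rule, top_uri))
```

`SecRuleRemoveById` only affects rules that are already loaded, so the rendered snippet belongs after the vendor rule set's include in the server or virtual-host configuration.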
sponna1
Forum Members
Posts: 43
Joined: Thu Oct 17, 2013 9:25 am

Re: Cannot access upload folders after 2.2.7 update

Post by sponna1 »

Hi and thanks for the various replies.

For clarity, is this a false positive and we can ask our server guys to amend the rule set, or is it a "real" issue please? Why would the current version be triggering this for an issue fixed some while back?

Thanks for your advice,
Dave
DIGI3
Dev Team Member
Posts: 1609
Joined: Wed Feb 25, 2009 4:25 am
Location: Victoria, BC

Re: Cannot access upload folders after 2.2.7 update

Post by DIGI3 »

I'm not sure what you mean by a "real" issue. Regardless though, CMSMS doesn't support mod_security, so if you must keep it active then it sounds like your host will need to either deactivate that rule (and probably others), and/or contact the vendor to have the rules updated.
sponna1
Forum Members
Posts: 43
Joined: Thu Oct 17, 2013 9:25 am

Re: Cannot access upload folders after 2.2.7 update

Post by sponna1 »

Hi,

I was just trying to establish if there is a security issue or not. Or simply a false positive? I suspect the latter but just a bit worried that the up-to-date version is conflicting with a widely used security tool.

I will ask our hosting team to adjust the rule set for now.

Thanks
Dave