
Help me: I can't modify an existing form

giamas 24 Dec, 2010
Hello to everyone,
when I try to modify an existing form I receive this error (see image) every time.

I use
- joomla 1.5.22
- PHP 5.2.16
- Chronoforms 3.2.0
- Chronoconnectivity V2 RC3

Any suggestions?
Permission on some files on the website directory?
Some bugs?
Some errors of mine?
Please help!
GreyHead 24 Dec, 2010
Hi giamas,

Please check this thread where there are various suggestions for similar problems.

You might also try editing the ChronoForms files to replace index2.php with index.php (this shouldn't be needed but I recall someone saying that it helped them).

Bob
giamas 24 Dec, 2010

> You might also try editing the ChronoForms files to replace index2.php with index.php (this shouldn't be needed but I recall someone saying that it helped them).
>
> Bob



Where exactly... sorry, but I need clear and simple help because I'm a newbie at that!
ciao
giamas 28 Dec, 2010
No further suggestions???
Please help me!
GreyHead 28 Dec, 2010
Hi giamas,

I'm sorry, I've linked you to most of the help that is available on this issue. It's a fairly rare problem and is, I think, one that has more to do with how your site is set up than with ChronoForms.

The files to edit would be those in administrator/components/com_chronocontact - a simple search and replace should find them all. I think that most of the index2.php references are in these two files:

administrator\components\com_chronocontact\admin.chronocontact.php
administrator\components\com_chronocontact\admin.chronocontact.html.php



Bob
giamas 05 Jan, 2011
Ok, thanks for your answer.
Unfortunately the server administrator says to me that it would be something related to modsecurity rules. The ChronoForms component violates these rules so the firewall stops it.
Is it something that sounds plausible?
Any hacks or modifications of ChronoForms 1.4.3 RC2 available for that issue?
Please help me!
GreyHead 05 Jan, 2011
Hi giamas,

Can your admin give us any clue which modsecurity rule is being broken? Then it might be possible to find a workaround. As far as I know ChronoForms works on most servers, including those with modsecurity enabled - but the configuration on your site might be a bit tighter.

Bob
giamas 06 Jan, 2011
hello Bob,
http://alfieriinforma.it/modsecurity_debug.doc

here you'll find the entire debug file from Modsecurity recorded for the error.
I'm not a specialist on that.. and you?
Would you be able to help me?
Thanks a lot!
Ciao

Giampaolo (giamas)
GreyHead 07 Jan, 2011
Hi Giampaolo,

I know next to nothing about modsecurity I'm afraid.

I looked at the file and I can tell you that the first part is a url_encoded string that is the form data that ChronoForms creates and saves from the Wizard.

The next part appears to be the main error message:

--14dfb831-H--
Message: Access denied with code 403 (phase 2). Match of "rx (/\\?q=node/[0-9]+/edit$)" against "REQUEST_URI" required. [file "/etc/modsecurity2/asl/10_asl_rules.conf"] [line "781"] [id "380018"] [rev "6"] [msg "Atomicorp.com WAF Rules: Potentially malicious PHP code injection attempt"] [data "set\x22"] [severity "CRITICAL"]
Apache-Error: [file "core.c"] [line 3650] [level 3] File does not exist: /home/alfierii/domains/example.it/public_html/403.shtml, referer: http://www.example.it/administrator/index2.php?option=com_chronocontact
Action: Intercepted (phase 2)
Apache-Handler: x-httpd-php5
Stopwatch: 1294328428955060 464585 (430720* 463830 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/1.6.0.
Server: Apache/2


I Googled around a bit and the line 781 reference seems to come from this part of the rule set

#code injection attempt
SecRule REQUEST_BODY|REQUEST_URI_RAW|XML:/* "< ?[?%] ?php" \
"phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceNulls,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,pass,nolog,skipAfter:END_PHP_CODE_INJECTION_ATTACKS_2
SecRule REQUEST_BODY|REQUEST_URI_RAW|XML:/*|!ARGS:filecontent "(?:define|fgets|move_uploaded_file|readfile|ftp_put|ftp_fget|gzencode|ftp_nb_put|bzopen|readdir|gzread|fopen|ftp_nb_f(put|get)|ftp_get|scandir|fscanf|readgzfile|fread|proc_open|fgetc|fgetss|ftp_fput|ftp_nb_get|session_start|fwrite|gzwrite|gzopen|gzcompress|curl_multi_exec|curl_exec|eval|base64_decode|str_rot13|php_uname|file_get_contents|include|require|require_once|parse_ini_file|set|shell_exec|popen|ini_(?:get|restore)|safe_mode|phpinfo|system|exec|passthru|preg_\w+|execute)\s*[\"\(@]" \
"chain,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,capture,auditlog,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Potentially malicious PHP code injection attempt',id:380018,rev:7,logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_URI "!(/\?q=node/[0-9]+/edit$)"
SecMarker END_PHP_CODE_INJECTION_ATTACKS_2

but I can't see how it's triggered from the previous string :-(

As a workaround I can only suggest that you could create the forms using the Wizard on a local version of Joomla! without this modsecurity setup and then copy them over to the live site using the backup and restore icons. Not ideal but I don't know what else to suggest.

Bob
This topic is locked and no more replies can be posted.
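
Added example, not part of the original thread and not Atomicorp or ChronoForms code: a Python approximation of rule 380018 as quoted above, showing how its unanchored `set` alternative followed by a quote can yield the logged `[data "set\x22"]` on ordinary form HTML such as `type="reset"`, and why the chained `REQUEST_URI` test is true for any URI that is not a Drupal node edit path. The transformation functions only approximate ModSecurity's `t:` actions, and the request URI and bodies are constructed samples, not the poster's actual data.

```python
import html
import re
from urllib.parse import unquote_plus

# Keyword regex copied from rule id 380018 as quoted in the thread.
KEYWORDS = re.compile(
    r"(?:define|fgets|move_uploaded_file|readfile|ftp_put|ftp_fget|gzencode|"
    r"ftp_nb_put|bzopen|readdir|gzread|fopen|ftp_nb_f(put|get)|ftp_get|scandir|"
    r"fscanf|readgzfile|fread|proc_open|fgetc|fgetss|ftp_fput|ftp_nb_get|"
    r"session_start|fwrite|gzwrite|gzopen|gzcompress|curl_multi_exec|curl_exec|"
    r"eval|base64_decode|str_rot13|php_uname|file_get_contents|include|require|"
    r"require_once|parse_ini_file|set|shell_exec|popen|ini_(?:get|restore)|"
    r"safe_mode|phpinfo|system|exec|passthru|preg_\w+|execute)\s*[\"\(@]"
)
# Chained rule: REQUEST_URI "!(/\?q=node/[0-9]+/edit$)" is true unless this matches.
URI_EXCEPTION = re.compile(r"/\?q=node/[0-9]+/edit$")

def transform(raw):
    """Approximate urlDecodeUni, htmlEntityDecode, replaceNulls,
    replaceComments, compressWhiteSpace and lowercase."""
    text = html.unescape(unquote_plus(raw))
    text = text.replace("\x00", " ")
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"\s+", " ", text).lower()

def inspect(uri, body):
    """Return (captured TX.0, word containing it) if the chain fires, else None."""
    text = transform(body)
    m = KEYWORDS.search(text)
    if m is None or URI_EXCEPTION.search(uri):
        return None
    start = m.start()
    # Widen left to show the ordinary word the keyword was found inside.
    while start > 0 and (text[start - 1].isalnum() or text[start - 1] == "_"):
        start -= 1
    return m.group(0), text[start:m.end()]

# Constructed samples: an admin URI and URL-encoded form HTML as a form editor might post.
ADMIN_URI = "/administrator/index2.php"
RESET_BODY = "html=%3Cinput+type%3D%22reset%22+value%3D%22Clear%22+%2F%3E"
SUBMIT_BODY = "html=%3Cinput+type%3D%22submit%22+value%3D%22Send%22+%2F%3E"

if __name__ == "__main__":
    for name, body in (("reset", RESET_BODY), ("submit", SUBMIT_BODY)):
        print(name, "->", inspect(ADMIN_URI, body))
```

The first element of the returned pair corresponds to the `logdata:'%{TX.0}'` value that the rule writes into the `[data ...]` field of the audit log.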