
Fatal error: SUHOSIN

Kukkk 29 Mar, 2013
Hi all. Joomla 1.5.25, Chronoforms_V4_RC3.5.1_J1.5. When I click form wizard... I see Fatal error: SUHOSIN - Use of preg_replace() with /e modifier is forbidden by configuration in /administrator/components/com_chronoforms/views/form_wizard.php(207) : regexp code on line 207

Mootools upgrade ON


Any ideas?

Thx.
GreyHead 29 Mar, 2013
Hi Kukkk,

The simple answer is to disable this Suhosin rule until Max has modified the code in a future release. We have seen this message once before but at the moment I can't find the post - it may have been in an email inquiry.

Bob
Kukkk 29 Mar, 2013
How do I disable the Suhosin rule?)
GreyHead 30 Mar, 2013
Hi Kukkk,

Please check with your web host, this is a part of your web server set up.

Bob
Kukkk 30 Mar, 2013
Thx. I fixed it. 🙂
zest96 31 Mar, 2013
Hi Bob and Kukkk,
Just to let you know, I have this problem too.

Disabling the /e modifier on Suhosin is crucial, else I get attacks...
I have many sites with CF on that server, most have no other plugin or component, Joomla is up-to-date and every few days one of them is hacked.

Put me in the waiting list for this preg_replace SUHOSIN related code fix

thanks
GreyHead 31 Mar, 2013
Hi zest96,

It's pretty unlikely that this is the cause of your sites getting hacked as it only arises in the site admin. You do, of course, carefully validate and sanitize all of the data submitted through your forms?

Bob
Max_admin 01 Apr, 2013
Hi zest,

Are you sure that none of the component directories are writable by the public? Because what the /e does is evaluate the code. I can replace it with something else, but that wouldn't solve the problem if somebody can add bad files to any of your directories or edit the existing ones.

And as Bob has already noted, this code is only executed in the admin area, so it's supposed that only authenticated users run it, but they can run bad code if the directories are open. Maybe you can add an .htaccess password to the administrator folder or simply ensure all directories are 644.

Regards,
Max
Max, ChronoForms developer
ChronoMyAdmin: Database administration within Joomla, no phpMyAdmin needed.
ChronoMails simplifies Joomla email: newsletters, logging, and custom templates.
hlwTampa 18 Jul, 2013
I would suggest not using the /e option in preg_replace, as a lot of hosting companies are moving to disable it (esp. on cPanel hosting). I definitely would suggest replacing it with preg_replace_callback, for example:

(taken from components/com_chronoforms/libraries/chronoform.php, line 410; the same construct is also found on multiple lines within the admin area)

Old Code:
// With /e, preg_replace() substitutes $1 into the replacement string and then eval()s the result once per match
$class = preg_replace('/(?:^|_)(.?)/e', "strtoupper('$1')", $class);
return $class;


New Code:
// Closure instead of create_function() (which is eval()-based internally and was removed in PHP 8.0); the match is passed as data, nothing is eval()'d
return preg_replace_callback('/(?:^|_)(.?)/', function ($matches) { return strtoupper($matches[1]); }, $class);


It's too easy these days especially for all the "script kiddies" out there to run an eval from within preg_replace (w/ the /e option) and it's a pretty well known exploit, so I wouldn't recommend using it in code. I would definitely urge your developers to fix this.
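The following is an added example, not code from ChronoForms or from the poster above. It puts the /e-free camelisation into a function and adds a small audit helper for finding preg_replace() calls that still carry the /e modifier, which is what you need when, as noted above, the construct appears on several lines of the admin area. Function names (camelize, find_eval_modifier) and the scanned source snippet are my own; the snippet is constructed for the demo. Note that on PHP 7.0 and later the /e modifier is not merely deprecated but removed, so the old form emits a warning and returns NULL; the callback form is the only one that keeps working.

```php
<?php
// Added example, not ChronoForms code: the /e-free camelisation described in
// the post above, plus a triage helper that finds preg_replace() calls still
// using the /e modifier. Function names are my own; the scanned source below
// is constructed for the demo.

/**
 * Turn foo_bar_baz into FooBarBaz: the same transformation the original
 *   preg_replace('/(?:^|_)(.?)/e', "strtoupper('$1')", $class)
 * performed, but the callback receives the match as data. With /e the
 * replacement string was handed to eval() for every match; here nothing in
 * $class is ever parsed as PHP. Runs on PHP 5.3 through 8.x (no
 * create_function(), which was removed in 8.0).
 */
function camelize($class)
{
    return preg_replace_callback(
        '/(?:^|_)(.?)/',
        function ($m) {
            return strtoupper($m[1]);   // $m[1] is the captured character
        },
        $class
    );
}

/**
 * Triage aid: list preg_replace() calls in a chunk of PHP source whose
 * literal pattern carries the /e modifier. It understands the usual
 * single-character delimiters (/ # ~ | ...) and skips preg_replace_callback().
 * Patterns using paired delimiters such as {...}, or an escaped delimiter
 * inside the pattern, are not handled; grep the tree as well before trusting
 * a clean result.
 */
function find_eval_modifier($phpSource)
{
    $hits  = array();
    $lines = preg_split('/\r?\n/', $phpSource);
    // preg_replace( <quote> <delim> ... <delim> <modifiers> <quote>
    $call = '/preg_replace\s*\(\s*([\'"])([^a-zA-Z0-9\s\\\\]).*?\2([a-zA-Z]*)\1/';
    foreach ($lines as $i => $line) {
        if (!preg_match_all($call, $line, $matches, PREG_SET_ORDER)) {
            continue;
        }
        foreach ($matches as $m) {
            if (strpos($m[3], 'e') !== false) {
                $hits[] = array(
                    'line'      => $i + 1,
                    'modifiers' => $m[3],
                    'code'      => trim($line),
                );
            }
        }
    }
    return $hits;
}

// Constructed sample source (not from ChronoForms): two calls that still need
// fixing, one harmless call, and one that was already converted.
$sample = <<<'PHP'
$class = preg_replace('/(?:^|_)(.?)/e', "strtoupper('$1')", $class);
$slug  = preg_replace('/[^a-z0-9]+/i', '-', $title);
$html  = preg_replace("#\{(\w+)\}#e", '$vars["$1"]', $tpl);
$safe  = preg_replace_callback('/(?:^|_)(.?)/', 'strtoupper_cb', $class);
PHP;

// The conversion itself.
echo camelize('chrono_form_wizard'), "\n";
// A hostile-looking subject is just text to the callback version.
echo camelize("x'); system('id'); //_y"), "\n";

// The audit over the constructed sample.
foreach (find_eval_modifier($sample) as $hit) {
    printf("line %d uses /%s: %s\n", $hit['line'], $hit['modifiers'], $hit['code']);
}
```

Run it with `php example.php`: camelize() yields ChronoFormWizard for the first input and leaves the second one as plain text with only the first character and the letter after the underscore upper-cased, and find_eval_modifier() reports the first and third lines of $sample (modifier strings "e" and "e") while ignoring the /i call and the already-converted preg_replace_callback() call. To audit a real install, feed it file_get_contents() of each .php file under administrator/components/com_chronoforms and components/com_chronoforms.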
Max_admin 19 Jul, 2013
Hi hlwTampa,

Thanks for posting about this. The /e modifier is deprecated in PHP 5.5, and this function doesn't exist in Chronoforms V5, but there is no security issue here since the regex is not applied to any data provided by the user.

I will try to have this fix included in future versions of V4

Regards,
Max