Can no longer login as admin with newest PHP version
|
Lights
Joined: 2003-06-03
Posts: 35 |
Posted: Tue, 2003-06-03 09:45
|
|
Hi, my ISP upgraded to the newest Suse Security Updates with the newest PHP Version. Now I can no longer login as admin. ---- Operating system: Suse Linux |
|
Posts: 3474
Hi. What error do you get?
If certain functions have been disabled, it's possible you will not be able to run Gallery on this server any more.
-Beckett (
)
Posts: 35
The error is that the page just reloads. I read the FAQ relating this problem, yesterday it worked fine with the same settings, then the admin uploaded the newest PHP-Version with the newest security concept of Suse, now it's no longer running. Is it planned to upgrade Gallery to the newest PHP-Version? As it is our own server, maybe I can ask him to downgrade PHP until you upgraded gallery.
This is the update:
http://www.suse.de/de/private/download/updates/81_i386.html
Posts: 3473
That's not the latest version of PHP, and gallery runs well under 4.3.2.
Two things to try:
Session test in the setup directory.
Are you using the same URL to visit your gallery as you set up in the config wizard. Eg if it says http://www.mydomain.com/gallery in the config wizard, then you can't log in via http://mydomain.com/gallery
Posts: 35
As I said before, I read the FAQ relating this problem and it is the same URL.
Session test does not increase when I reload the page. What could be wrong in the PHP installation?
Posts: 3473
Looks like all the information you need is in the second paragraph of FAQ C.11
[I've never dealt with this, so that's all I can say]
Posts: 3474
Yes... Gallery runs with the latest PHP version, but I'm not familiar with the restrictions the Suse security update places on PHP.
If the session test doesn't work, the first thing to try is FAQ C.9. It's very possible that these values got changed when your host moved to the new version. Can you please post your gallery/setup/phpinfo.php page somewhere for us to see?
-Beckett (
)
Posts: 35
Here it is:
http://www.getrocknete-tomaten.de/gallery/phpinfo.php
Posts: 3474
Okay... your session information all *looks* okay.
I'm confused by one of your Config. Wizard settings though. In Step 2 you have the "expected status" set to 126, but you ought to have this set to 0. (This shouldn't be related to the login problem, however)
Anyone else know what this security patch changes in PHP's session management?
Posts: 35
This is what the suse homepage says about its session update:
Security Update!
Zwei Bugs wurden beseitigt:
(1) Ein Segfault in session_decode()
(2) Vermischung globaler Variablen mit Elementen von $_SESSION in
session_encode(), wenn ein Element in $_SESSION entfernt wurde
(es wurden dabei unregistrierte globale Variablen in das Session
File geschrieben).
I will try to translate it into something similar like English:
Two bugs have been removed:
(1) A Segfault (?) in session_decode()
(2) Mix of global variables with elements from $_Session in session_encode(), if a element of $_Session has been removed.
(There have unregistered global variables been written into the Session file)
I hope my translation was understandable.
Posts: 3474
Actually... here's the English from the SuSE website:
I'm concerned about item (2), as Gallery does something akin to this, for purposes of compatibility with older versions of PHP. I'm going to get the opinion of some of the other Gallery developers, and we'll try and get back to you soon.
-Beckett (
)
Posts: 35
Well, my translation was not far away ;-)
Thank you very much in advance for your help!
Posts: 35
Toni, the admin of our server, mailed an issue to the security mailing list of Suse, and this is the answer relating Gallery and the new fix:
On Jun 3, Toni Zeitler <zeitler@informatik.uni-muenchen.de> wrote:
> The new security-fixed PHP version 4.2.2-215 seems not to work properly any
> more.
I have also seen this behaviour with gallery. It worked before and was
'suddenly' broken. Unfortunately, fou4s wasn't writing logfiles about
updates at that time so I could narrow it down more precisely.
I think you are talking about SuSE 8.1, aren't you?
The session test of gallery uses other constructs though. It makes
references to variables in the HTTP_SESSION_VARS array (or whatever it
is called). If I update HTTP_SESSION_VARS directly (no references),
sessions work. Nevertheless it is strange, because I know that this worked.
Markus
--
__________________ /"\
Markus Gaugusch \ / ASCII Ribbon Campaign
X Against HTML Mail
/ \
Regards, Phil.
Posts: 35
Not even the simpliest session script is running under this security-fix:
<?php
session_start();
print($counter);
$counter++;
session_register("counter");
?>
So it is in all probability a bug of Suse. Meanwhile, the admin Toni has downgraded PHP, so Gallery is running again.
Posts: 3474
Here's a question for you. In a week or two, we're going to apply a rather large patch from Bob Vincent which might very well eliminate this problem, but I'm not positive. Would one of you be willing to try applying it to help us sort this out?
The patch is available on this SourceForge page. The patch file is the topmost of the three files.
-Beckett (
)
Posts: 35
I would like to, but we uninstalled this update already, because I really had to add pictures. And it was necessary that the admin compeletely reinstalls PHP to get rid of this buggy update, so it was a little complicated and a lot of work. I don't want to ask him to do that again to do an experiment, expecially because it is most likely a bug in the update, not in your gallery. As I wrote above, no sessions are working any more. Sorry that I can't help you with it.
Why don't you just install the update on your private linux machine or on your own webserver and try it out?
Best regards,
Phil.
Posts: 3473
Phil,
Sounds like you are not a position to set up a test environment for us. Thanks for a heads-up on the problem.
Whether we can test it depends on one of us having a SuSE installation. I'd guess most home users have Redhat. Any SuSE users want to help with testing?
Posts: 33
I'm running SUSE 8.1 and the PHP patch screwed up my PostNuke and Gallery functioning. I have fixed PN problems and was getting ready to either downgrade or upgrade php but will be happy to test before doing so.
My issues are a little different. When I try to move, upload, add or otherwise change any photos or albums I get errors similar to:
you can just change the ..../edit_caption.php and on line 42 to whatever function I'm trying to perform.
I'm running Suse 8.1, Apache 1.3.26, PHP 4.2.2. and Gallery v1.3.4-RC1. I'm not sure my issues qualify for your test, but I'll be willing to try. Just let me know what to do, in the meantime I'll backup my gallery install.
Posts: 3474
Hi malthazor.
Basically, what we'd love to see for this specific test is for you to patch your gallery with the patch I mentioned on Page 1 of this thread. That patch was generated against Gallery v1.3.4-cvs-b27 (set the date to May 16, 2003 to get the correct version), which is a little older, but would still tell us whether it will solve the problem.
All we want to know is whether the session problems disappear... but since you weren't reporting login problems, perhaps you weren't affected by this. If you're not able to grab that older version of Gallery from CVS, I will make a Gallery tarball and apply the patch later this evening for you to test.
Thanks,
-Beckett (
)
Gallery v.1.x Team Lead
Posts: 33
I'll give it a shot. I'm not too familar with cvs, I've used it to play with G2, but just type in exactly what the download page told me too
I tested my gallery (bypassing postnuke) and have the very same login problems originally described. It's funny that it will log me in OK with going through pn.
Posts: 33
Ok managed to get the cvs by setting the date and am in the process of applying the patch. Forgive my ignorance, but is there an easier way to apply patches other than cut and paste to each file?
Posts: 3473
Yes! Have a look at the instructions (first draft) in the user guide.
ask more questions if you need to.
Posts: 33
I managed to get the patch applied (thanks joan). I think the cvs version from 5-16-2003 is a hair different than what the patch expected. I had to edit the "login.php" patch by hand. I also did block #4 of "init.php" and block #6 of "util.php" by hand. Otherwise the patch command saved me a lot of time.
Results
Accessing gallery directly (bypassing postnuke) all login issues are gone. I could also move, delete and etc. Appears to be working like a charm.
Accessing gallery inside postnuke the following error is displayed at the top of the page under "Gallery" and below every nested album and photo:
When I try to move, delete and etc I get an error stating: "Sorry you can't access that file directly".
Lines 756-791 of my util.php file reads:
The patch for that area says:
Any help with that error would be greatly appreciated.
Posts: 3473
I don't know much about PN/Nuke. It might be worth trying in that forum first.
Posts: 33
I searched their forums and didn't find much help. I'll try to research a litlle later. In the mean time I just commented out that portion of the patch to util.php and put the pre-patch line back in. Gallery is happy and PN is happy.
Basically the result of my test = patch fixes session issues related to SUSE's PHP 4.2.2 update.
Thanks guys. Hope this helps you a little.
Posts: 3474
*GREAT*
This is exactly what I wanted to hear.
I'm going to try and get this all into Gallery this weekend if possible.
Thanks for the test, malthazor!!
-Beckett (
)
Posts: 3474
Hi folks. I've posted an initial version of Gallery patched to work (*hopefully*) with the SuSE security patch in PHP, as well as with register_globals off.
This is a "quick and dirty" patch, against 1.3.5-cvs-b22, and seems to run fine, but you might encounter some problems.
Seems the "exec status" value in the Config. Wizard needs to be manually entered. I haven't had time to work out what's wrong with that yet. Also, since warnings are turned all the way up, you might encounter the occasional PHP notice or warning. I'd appreciate if you can test this out and report any problems you find. Thanks!
Visit this page for the download:
http://www.beckettmw.com/downloads
Grab this file:
gallery-1.3.5-cvs-b22-session_patch.tar.gz
-Beckett (
)
Posts: 7
good news and bad news:
The good news is: The session test does work correct now, i.e. it increments when reloading the test page.
The bad news: the gallery does not work anymore, it throws out lots of errors+warnings, like:
and many more :-?
e.g. this happens when I try to delete an album:
Notice: Undefined variable: confirm in /srv/www/htdocs/postnuke/html/modules/gallery/delete_album.php on line 40 Delete Album Do you really want to delete this album? Untitled Warning: REG_BADRPT in /srv/www/htdocs/postnuke/html/modules/gallery/util.php on line 790Posts: 1
I would prefer a quick & dirty patch for the currentlc stable release 1.3.4 isntead of the cvs version I think no one except the developers is using :wink:
Posts: 4
I have a comment on the PostNuke/PHPNuke thing. The deal there is that no session variables or cookies are created. PHPNuke passes the login straight to the script, without any variables. But you will probably notice that you cannot do anything from there because of the fact that you have no login session. I don't really know even why it would pass a login and password to a script. Seems kind of holish to me... But I'm just a PHP newb who's using someone elses script instead of making his own (actually I did but it wasn't nearly as good and I lost it).
Posts: 3474
D'oh! My fault. Edit init.php and change this line (line 38 in the version I posted, I believe) from:
error_reporting(E_ALL);
to:
error_reporting(E_ALL & ~E_NOTICE);
The version I patched against (1.3.5-cvs-b22) is pretty rock solid, IMHO. If you're really in need of a patch against 1.3.4 final release, e-mail me and I'll see what I can do.
iamnafets: I'm not sure I understand your comment. Examples? How does this relate to the SuSE security patch issue?
-Beckett (
)
Posts: 7
Ok, the warnings are gone, but nevertheless it doesn't work correctly:
e.g. trying to delete an album results in:
and then
Sorry, you can't access this file directly...Furthermore, all images are broken.
And if I want to upload pictures, the window "Uploading pic, please wait" pops up and then nothing happens (I waited 5 minutes for one 5k gif to finish).
:cry:
PS: The REG_BADRPT-Warning is thrown on nearly every page...
Posts: 3474
Hmm. The "REG_BADRPT" error comes up from the split() function in the form generating code.
I've tested this all on my computer (not running SuSE) and had no issues. Any chance I can ssh into your box and poke around? I'd want to create a test gallery, I suppose. If that's okay, send me an email with the details and I'll get on it soon. I'm also busy trying to get the patch into the Gallery codebase...
-Beckett (
)
Posts: 3474
Hi Patrick2.
Sorry... I couldn't get around to your site until this evening.
Hrm. This is actually just a silly error. That line is correct in current Gallery code, but for some reason there was an error in the version I posted. I just changed the following line (util.php, line 790) from:
list($target, $tmp) = split('?', $url);
to:
list($target, $tmp) = split('\?', $url);
(Actually we should be using explode() there instead of split(), but that's a separate issue!)
Well, I took a look at your Albums URL in your config.php and it's incorrect. You should change it from:
http://www.metzelkueche.de/albums
to
http://www.metzelkueche.de/graphics/albums
So try both of those, and we'll see how we're doing. I'm going to add that first change into the version I've posted right now. If you're still having errors, let me know. I successfully installed (then removed) a new test gallery on your site with no problems, so hopefully it will work for you too.
-Beckett (
)
Posts: 7
I am running Suse 8.1 with the new security patch installed and I experience the same problem of logging in as admin with no neffect. I am using the latest cvs version of gallery and read through this thre, but I am not sure that I can fix the problem now. Did You solve the Suse security fix sessions issues now? What changes will all the Suse users have to apply to get the gallery running? I appreciate Your support, as I am delighted by the gallery script, but do not want to roll back the sexcurity fix. Please help me on that one,
thanks a lot!
Posts: 3474
Hi Skudder.
Right now, even the latest CVS version of Gallery (as of when I'm writing this) does not have the fixes that will make Gallery work with the security patch. We expect to have it committed to CVS by Saturday morning. Given that SourceForge's CVS server is currently lagging behind by about a day
, it will probably not be available to the public until Sunday. (We're ironing out some small last minute issues).
However, the version I mentioned up above does have this fix, and should work for now (it's patched against 1.3.5-cvs-b22). When we commit to CVS, you can then upgrade again:
-Beckett (
)
Posts: 3474
Sometimes I speak too soon.
While this is now working on SuSE in standalone mode, we're having major issues writing to the session when embedded in PostNuke. I'm imagining PHP-Nuke effects are similar. We're trying to resolve these at the moment... but it will push back the time we commit to CVS. If it drags out for a long time, I will be sure to make available some patches that work in standalone that are more up-to-date with the current CVS.
We're working hard on this, but have yet to work out a solution. If any of you have thoughts, or are willing to investigate alongside, any assistance or input would be appreciated!
-Beckett (
)
Posts: 33
Beckett,
I had many problems with PN after applying the original test patch. I haven't had time to review this latest. However, I had to restore several of the original (unpatched) lines in the util.php and everything worked great. Could it be the same issue?
Posts: 3474
Really? Cool... you might be able to save me hours of headscratching. Can you tell me, rather specifically, what you had to restore? (And maybe the thought process that got you to that point as well?)
-Beckett (
)
Posts: 33
The thought process only came from the error messages. I got errors telling me a line number in util.php. I compared the unpatched to the patch version and decided what the heck, let's restore that section back to normal and see what happens
it worked for me.
I grabbed your new util.php just to see the code. I see where you applied the patch as I did and everyones getting similar errors. So in your util.php lines 787-796 it says:
Here is my version with the commented out portion still showing.
Maybe someone could test by commenting out and replacing basically 1 line. I just got back from a trip and will try this weekend, but not sure if I will have time.
Hope this helps.
PS - I just looked and am wondering where the line reading
It look like a double quote when posted here, but actually it's two single quotes. I don't see the open/close for that extra ' . Could it be that simple?
Posts: 3474
Ahh right. That's that fix. I thought maybe you had some insight on getting it running embedded inside PostNuke. Is your patched gallery running in PostNuke with the SuSE security patch?? If so, I'd be very very interested in taking a close look.
-Beckett (
)
Posts: 33
Yea I'm running through postnuke and all seems to be fine (remember I'm not using your latest code, just the downloaded cvs +patch I commented on earlier in the thread).
You're welcome to take a look. What do you want to see? Just a url with an account to access gallery (non registered users can't see the links) or temp ssh access?
BTW -- did you see my PS on the post above?
Posts: 1
Hi,
I'm glad I found this topic. Cuz I just installed Gallery 1.3.4 (as a module for postnuke) and noticed, that I also can't login to the gallery. When I click on "Login", the login windows pops-up, but when I insert my datas, the main gallery window only reloads, without letting me log-in. The pageviews in the Gallery Session Test doesn't increase when reloading the page. Like most of the other users here, I'm using SuSE 8.1 with PHP 4.2.2 and (I guess) with the latest security updates.
I'm a littlebit confused what to do right now, since a couple of problems where discussed parallel here (IMHO). Is the best way to do right now to just wait until some working patches are released?
Thanks in advance.
Posts: 3473
That's the only answer. Beckett is working hard on the gallery/PN/SuSE problem, and is confidant of finding an answer, but I believe there is no solution yet.
Hold tight.
Posts: 1
Hello all,
I got a similar problem during these weeks,
the sympton is I can't login sometimes and
succeed finally after several trials.
Another one is it will "automatically" logout
after I do any kind of instruction(such as
[add photos], [move albums], etc.).
Any advice would be appreciated.
My environment running Gallery:
OS: FreeBSD 4.8-Stable
PHP: 4.3.3RC1
Apache:1.3.27
Web browser: Konqueror 3.1.2
Gallery:1.3.4
my galley page: http://www.liga.idv.tw/gallery
Liga
Posts: 33
For all the SUSE users I caught this only today on YAST update:
Has anyone installed this update? Did it fix your gallery problems?
Posts: 8194
Sounds interesting. I'd like to know if it fixed the issues...
Posts: 33
I would too. My gallery was patched and is working fine. In order to see if the fix works, I'd have to apply the SUSE PHP update and download the latest version of gallery.
I may adventure to do that tomorrow, but was hoping someone who's gallery was still broken could just try the PHP update first
Posts: 1
SuSE 8.1 user here... After updated PHP weeks ago, gallery seemed to be broken so I rolled back on the security patch for PHP to keep gallery happy. I just updated PHP after seeing malthazor post and as far as I can tell, gallery is still happy. And I am happy.
Posts: 7
Yes!
It does work!
Just installed the above mentioned Suse mod_php updates dated 27 Jun 2003 and Gallery 1.3.4 works again!!!
Beckett's patched 1.3.5-Version didn't work though.
But finally my gallery is working again!
8)