
Akeeba Backup for Joomla!

#14326 Component Parameters Box - Save causes Internal Server Error

Posted in ‘Akeeba Backup for Joomla! 4 & 5’


Latest post by nicholas on Tuesday, 11 December 2012 09:25 CST

Grattan

Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Can't find related articles.
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: (2.5.8)
PHP version: (5.3.17)
MySQL version: (5.1.63)
Host: (LiquidHost & Localhost)
Akeeba Backup version: (3.6.10Pro)

EXTREMELY IMPORTANT: Please attach a ZIP file containing your Akeeba Backup log file in order for us to help you with any backup or restoration issue. If the file is over 2Mb, please upload it on your server and post a link to it.

Description of my issue:

I've just purchased an Akeeba Backup Pro subscription and I've installed the Admin tools successfully, but the Akeeba backup will not let me Save the Component Parameters/Akeeba Backup Parameters, so I can't save my Download ID.

From the cPanel error log I get:

[Sat Dec 08 17:02:32 2012] [error] [client 207.161.222.166] File does not exist: /home/carladyu/public_html/500.shtml, referer: http://www.carladypro.org/administrator/index.php?option=com_config&view=component&component=com_akeeba&path=&tmpl=component

I was looking forward to using the Akeeba Pro and Tools, but I'm having second thoughts.  Is this a simple problem to fix?

Any help will be much appreciated.

- Jeremy

 

nicholas
Akeeba Staff
Manager

The component Options in all of our software is handled in the standard Joomla! way. We provision an XML file and we are using Joomla!'s API to render the Options button. Clicking on that button calls a core Joomla! component called com_config. This is the component which is responsible for handling both the site's Global Configuration and third party components' configuration Options.

Unfortunately, the issue you have is with com_config, a core Joomla! component, not my code. I have no say on the inner workings of com_config and I can't help you with that. I am pretty sure that if you try more third party extensions you will see that you can save the configuration in neither of them. Can you please check that?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Grattan

Hi Nicholas,

Okay, I have Fabrik installed and tried the options - configuration box on there and it can be changed and saved successfully.  The box even looks similar to the Akeeba box (.png shot attached.)

I haven't done anything to mess with Joomla core files other than some backing up and restoring while developing the site.  What's more, the exact same feature works for your Admin Tools which I installed just before Akeeba Backup Pro.

Any thoughts?  Even if you can just point me in the right direction, I'll follow up - I just don't know how to fix it or what to look for.

- Jeremy

nicholas
Akeeba Staff
Manager

Well, I have an idea to help you. The error you get means that most likely you have a PHP fatal error when you try saving the configuration. Let's try diagnosing it. The idea is that a white page or a page with a 500 Internal Server Error is, in fact, either a .htaccess issue or a PHP fatal error in disguise.

First, let's see if it is a .htaccess issue. Try renaming the .htaccess file in your site's root to htaccess.bak. If there is a .htaccess file in the site's administrator directory, try renaming it as well. If that solves the problem, the issue was with a directive in your .htaccess file. We'd recommend that you try removing directives from your .htaccess until you find the one which causes the problem.

If that doesn't help, the error you are receiving is in fact a PHP error in disguise. First, check your server's error logs (not the access logs) immediately after visiting the page which throws the error. There should be an exact description of the PHP fatal error which occurred, right before the log line you pasted earlier.

If there's no such thing, please log in to your site's back-end, go to Global Configuration, click on the Server tab and set the Error Reporting to Maximum (Joomla! 1.5) or Development (Joomla! 2.x and later). Try visiting the problem page again. You should see the error message.

If you still get a blank page, edit your configuration.php file and put the following code right after the final closing curly brace ( this is what a curly brace looks like --> } ) but before the closing PHP tag (it looks like ?> that is a question mark and a greater-than sign):

ini_set( 'display_errors', true );
error_reporting( E_ALL ); 

Try visiting the problem page again.

If you still get a white page, please remove the two lines from your configuration.php file. Edit the .htaccess file in your site's root. If you don't have a file named .htaccess create a new one. Beware that htaccess.txt is a DIFFERENT FILE and will NOT work! Add the following to the end of the file:

php_flag display_errors On
php_value error_reporting 32767

and retry loading the problem page.

If you still get a white page, remove the two lines from your .htaccess file. Now, create a file called php.ini with the following content:

display_errors=on
error_reporting=E_ALL

and upload it into your site's root and your site's administrator directory. Retry loading the problem page.

If you still get a white page, delete the php.ini files you created and post back here.

Please note that if you can not understand what the PHP error message means, just copy and paste it here verbatim so that we can take a look and point you in the right direction.

Nicholas K. Dionysopoulos


Grattan

I couldn't see any php errors using the methods you described (I think because the error is occurring in the pop up box rather than on the page load.)

I contacted the site host and was able to get an error log entry off the server by SSH connection:

[Mon Dec 10 11:24:40 2012] [error] [client 207.161.222.166] ModSecurity: Access denied with code 500 (phase 2). Pattern match "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" at ARGS:jform[liveupdate].[file "/usr/local/apache/conf/modsec2.user.conf"] [line "352"] [id "300015"] [rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "www.caladypro.org"] [uri "/administrator/index.php] [unique_id "UMYMyEPh-8gADUXhz7gAAAEI"]
[Mon Dec 10 11:24:40 2012] [error] [client 207.161.222.166] File does not exist: /home/carladyu/public_html/500.shtml, referer: http://www.carladypro.org/administrator/index.php?option=com_config&view=component&component=com_akeeba&path=&tmpl=component

This doesn't mean anything to me, but I'm hoping you'll know something more.

Thanks in advance,

- Jeremy

 

nicholas
Akeeba Staff
Manager

> I couldn't see any php errors using the methods you described (I think because the error is occurring in the pop up box rather than on the page load.)

I wouldn't consider that the reason :) The popup is simply a big div with the semi-transparent gray area and an iframe which loads com_config inside it. You should be able to see the error messages.

> I contacted the site host and was able to get an error log entry off the server by SSH connection:
>
> This doesn't mean anything to me, but I'm hoping you'll know something more.

This actually means a lot to me! First, it tells us the culprit:

ModSecurity: Access denied with code 500 (phase 2)

Ask your host to disable the following mod_security rule for your site:

((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)

This rule is throwing a false positive. Your server believes that trying to save the component's configuration is a SQL Injection attack:

[msg "Generic SQL injection protection"]

It's not. The request is completely benign.

Nicholas K. Dionysopoulos


Grattan

I'm so glad we (well really, YOU) found the problem.  Thanks so much.

I'm just concerned about disabling a security feature on my website.  Wouldn't this leave the site vulnerable to the type of attack it's intended to protect from?

Is there an alternative or is this security feature redundant or something?

 

- Jeremy

nicholas
Akeeba Staff
Manager

You're welcome :)

The rule in question is way too generic and will throw a lot of false positives. If you want to see what a good regex for SQL injections looks like you can see my 1Kb beast of a regular expression, used in Admin Tools Professional. So, you are removing something which may stop a simple SQL injection but will definitely block a lot of legitimate requests. At the same time you have a Joomla! plugin (Admin Tools Professional) which is more effective in stopping this kind of attack with fewer false positives. There will be no net change in your Joomla! site's security.

Nicholas K. Dionysopoulos

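An added example, not part of the original ticket and not Akeeba's or the host's code: it parses the ModSecurity denial quoted earlier in the thread to recover the rule id and the request variable it fired on, then runs the logged pattern over form values to show why the replies above call it a false positive and too generic. The sample values are constructed, since the ticket never shows what jform[liveupdate] actually contained, and the function names are hypothetical.

```python
import re

# Abridged copy of the error-log entry pasted in the ticket (timestamp, client,
# hostname, uri and unique_id left out).
LOG_LINE = (
    'ModSecurity: Access denied with code 500 (phase 2). Pattern match '
    '"((alter|create|drop)[[:space:]]+(column|database|procedure|table)'
    '|delete[[:space:]]+from|update.+set.+=)" at ARGS:jform[liveupdate].'
    '[file "/usr/local/apache/conf/modsec2.user.conf"] [line "352"] '
    '[id "300015"] [rev "1"] [msg "Generic SQL injection protection"] '
    '[severity "CRITICAL"]'
)

def parse_denial(line):
    """Return the pattern, matched variable and [key "value"] tags of a denial."""
    hit = re.search(r'Pattern match "(?P<pattern>.+?)" at (?P<target>\S+?)\.\s*\[', line)
    if hit is None:
        return None
    fields = dict(re.findall(r'\[(\w+) "([^"]*)"\]', line))
    fields.update(hit.groupdict())
    return fields

def rule_regex(pattern):
    """Compile the logged pattern; Python's re lacks POSIX classes, so map [[:space:]] to \\s."""
    return re.compile(pattern.replace('[[:space:]]', r'\s'))

# Constructed form values (the ticket never shows what jform[liveupdate] held).
# Lowercase on purpose: the log does not say whether the rule lowercases input.
SAMPLES = {
    'drop table example': 'SQL the rule is aimed at',
    'update notifications: set stability=stable': 'benign settings text',
    'create table of contents': 'benign English',
    'please delete from the mailing list': 'benign English',
    'stability=stable': 'benign, no keyword',
}

def blocked(rule, samples):
    """Values that a rule applied to this variable would deny."""
    return [value for value in samples if rule.search(value)]

if __name__ == '__main__':
    denial = parse_denial(LOG_LINE)
    print('rule id %(id)s (%(msg)s) fired on %(target)s' % denial)
    for value in blocked(rule_regex(denial['pattern']), SAMPLES):
        print('  denied: %r (%s)' % (value, SAMPLES[value]))
```

The rule id and variable name recovered this way are what a host needs in order to scope an exception to one form field on one URL instead of switching the rule off server-wide.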

Grattan

Thanks a bunch Nicholas,

The server support guys wouldn't disable the mod_security rule for my site, but they managed (after multiple tries) to put the page on a whitelist.  It's working now.  Given your description above, it sounds like it would've been better if they'd just disabled it.

Anyway, I'm happy with the solution - everything is working as it should.

Thanks for the great support!  (And mostly over the weekend, which I appreciate more than you can know.)

You can close this ticket.

Cheers,

Jeremy

nicholas
Akeeba Staff
Manager

Hi Jeremy,

You're welcome!

I understand why they wouldn't disable it. On a shared server every change in mod_security settings affects all sites on the server, not just yours. The whitelist is a good compromise. Good thinking on their part :)

Nicholas K. Dionysopoulos

