store | blogs | forums | twitter | facebook | wiki | downloads | support portal
Atomic Secure Linux
It is currently Tue Sep 02, 2014 2:42 am

» Feed - Atomicorp

All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 10 posts ] 
Author Message
 Post subject: typo3 error
Unread postPosted: Sun Mar 25, 2012 1:32 pm 
Offline
Forum Regular
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 853
Location: Germany
Hi,

I'm lost and totally frustrated by typo3. and the cusomter as well.
After sending in some false positives and disabling rules temporally typo3 still is not working as excpected.
simple tasks like saving pages and configs do not work.
somehow clamd seems to be blocking.
what i get in debug pf typo3 is:
Error in init.php: Path to TYPO3 main dir could not be resolved correctly.

This happens if the last 6 characters of this path, /usr/bin/ ($temp_path), is NOT "typo3/" for some reason.
You may have a strange server configuration. Or maybe you didn't set constant TYPO3_MOD_PATH in your module?

If you want to debug this issue, please edit typo3/init.php of your TYPO3 source and search for the die() call right after this line (search for this text to find)...

"Array
(
[TYPO3_OS] =>
[PATH_thisScript] => /usr/bin/modsec-clamscan.pl
[php_sapi_name()] => cgi-fcgi
[TYPO3_MOD_PATH] => TYPO3_MOD_PATH
[PATH_TRANSLATED] => /usr/bin/modsec-clamscan.pl
[SCRIPT_FILENAME] => /var/www/vhosts/domain/httpdocs/typo3/alt_doc.php
)
"

error.og but NO ASL Gui entries:
[Sun Mar 25 19:20:39 2012] [error] [client ] ModSecurity: Exec: Execution failed while reading output: /usr/bin/modsec-clamscan.pl (End of file found) [hostname "domain"] [uri "/typo3/alt_doc.php"] [unique_id "efxO7NTj-O4AAAs-tUIAAAAI"]
[Sun Mar 25 19:20:39 2012] [error] [client ] ModSecurity: Rule processing failed. [hostname "domain"] [uri "/typo3/alt_doc.php"] [unique_id "efxO7NTj-O4AAAs-tUIAAAAI"]

Thanks


Top
 Profile  
 
 Post subject: Re: typo3 error
Unread postPosted: Sun Mar 25, 2012 5:37 pm 
Offline
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
User avatar

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3626
Location: Chantilly, VA
What version of ASL are you running? Please send the output of this command:

asl -v

No idea what this is, its not part of ASL, so I can only assume the typo3 folks told you do this? No idea if its right or wrong, not our stuff.

Quote:
If you want to debug this issue, please edit typo3/init.php of your TYPO3 source and search for the die() call right after this line (search for this text to find)...

"Array
(
[TYPO3_OS] =>
[PATH_thisScript] => /usr/bin/modsec-clamscan.pl
[php_sapi_name()] => cgi-fcgi
[TYPO3_MOD_PATH] => TYPO3_MOD_PATH
[PATH_TRANSLATED] => /usr/bin/modsec-clamscan.pl
[SCRIPT_FILENAME] => /var/www/vhosts/domain/httpdocs/typo3/alt_doc.php
)
"


So are you calling /usr/bin/modsec-clamscan.pl from inside typo3, or are you using ASL to do this?

This error from modsecurity:

Quote:
[Sun Mar 25 19:20:39 2012] [error] [client ] ModSecurity: Exec: Execution failed while reading output: /usr/bin/modsec-clamscan.pl (End of file found) [hostname "domain"] [uri "/typo3/alt_doc.php"] [unique_id "efxO7NTj-O4AAAs-tUIAAAAI"]
[Sun Mar 25 19:20:39 2012] [error] [client ] ModSecurity: Rule processing failed. [hostname "domain"] [uri "/typo3/alt_doc.php"] [unique_id "efxO7NTj-O4AAAs-tUIAAAAI"]


Means that either:

1) clamd is not running
2) it is not running as root
3) it is not listening on a TCP port

Please post the output of these commands:

ps auxwww | grep clamd

netstat -anp | grep clamd

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Top
 Profile  
 
 Post subject: Re: typo3 error
Unread postPosted: Mon Mar 26, 2012 4:43 am 
Offline
Forum Regular
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 853
Location: Germany
thanks Mike.
ASL is the latest:
3.0.21
Quote:
So are you calling /usr/bin/modsec-clamscan.pl from inside typo3, or are you using ASL to do this?


nothing of both. it just happens. It's a standard installation of typo3.


Regarding the modsec entry. Yes you are right. During that time I disabled clamd for a test to see if it's somehow disturbing typo3. It's running correctly as root and listening on the correct port.

but the error stayed the same, even when clamd wasn't running. So it's trying to call it. but that seems strange to me.

I wonder when and how /usr/bin/modsec-clamscan.pl gets called and when and how it's called normally?

Thanks for your help


Top
 Profile  
 
 Post subject: Re: typo3 error
Unread postPosted: Mon Mar 26, 2012 2:50 pm 
Offline
Forum Regular
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 853
Location: Germany
Hi Mike,

any idea when this perl script would be called normally-and how the procedure runs?
And "why" is it on my box? Well I know why...because it's installed with asl-stream-client.
asl-stream-client-1.0-4.el5.art.x86_64

But I thought you kicked it in 2009?!

Quote:
* Wed Apr 1 2009 Scott R. Shinn <scott@atomicrocketturtle.com> 2.5.9-2
- Deprecated modsec-clamscan.pl


How would you try to track down the culprit?

Thanks for any help.


Top
 Profile  
 
 Post subject: Re: typo3 error
Unread postPosted: Mon Mar 26, 2012 3:33 pm 
Offline
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
User avatar

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3626
Location: Chantilly, VA
It shouldnt actually be a perl script, it should just be a symlink to asl-stream-client. Is it a perl script on your system?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Top
 Profile  
 
 Post subject: Re: typo3 error
Unread postPosted: Mon Mar 26, 2012 3:37 pm 
Offline
Forum Regular
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 853
Location: Germany
yes it's a perl script with 11800bytes size


Top
 Profile  
 
 Post subject: Re: typo3 error
Unread postPosted: Mon Mar 26, 2012 3:45 pm 
Offline
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
User avatar

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3626
Location: Chantilly, VA
Are you sure its a perl script and not a binary with the extension .pl?

Whats the output of this command:

file /usr/bin/modsec-clamscan.pl

To answer your other question, file upload scanning is controlled by the MODSEC_99_SCANNER setting in the ASL gui. If you want to disable all malware upload scanning set that to no. However your error means that clamd was either:

1) not running
2) not listen on the correct port or IP address
3) was running as the wrong user (so it couldnt read its signature files)
4) a firewall rule was blocking it or the client from communicating

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Top
 Profile  
 
 Post subject: Re: typo3 error
Unread postPosted: Mon Mar 26, 2012 4:20 pm 
Offline
Forum Regular
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 853
Location: Germany
you are right. it's a binary.
since you asked if its a symlink I didnt check if it's a script or binary.
but it's not a symlink.
so what to do here?

your comment regarding the error from modsec
Quote:
[Sun Mar 25 19:20:39 2012] [error] [client ] ModSecurity: Exec: Execution failed while reading output: /usr/bin/modsec-clamscan.pl (End of file found) [hostname "domain"] [uri "/typo3/alt_doc.php"] [unique_id "efxO7NTj-O4AAAs-tUIAAAAI"]
[Sun Mar 25 19:20:39 2012] [error] [client ] ModSecurity: Rule processing failed. [hostname "domain"] [uri "/typo3/alt_doc.php"] [unique_id "efxO7NTj-O4AAAs-tUIAAAAI"]

Yes. The case you describe regarding the clamd with the four options is correct. And it was the case.
I disabled clamd for testing. But that was just for a few seconds to test if it is clamd whos causing some error.
So this modsec error can be ignored. clamd is running correctly.

But the typo3 error still persists. If clamd is running or not.
Now I want to track it down. It's a mistery to me why /usr/bin/modesc-clamav.pl is called.


Top
 Profile  
 
 Post subject: Re: typo3 error
Unread postPosted: Mon Mar 26, 2012 6:10 pm 
Offline
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
User avatar

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3626
Location: Chantilly, VA
Quote:
Now I want to track it down. It's a mistery to me why /usr/bin/modesc-clamav.pl is called.


If you have MODSEC_99_SCANNER set to yes, modsecurity will call the scanner (/usr/bin/modesc-clamav.pl) if a file is uploaded. If you have that set to "no", then its not ASL thats calling this. Something else is.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Top
 Profile  
 
 Post subject: Re: typo3 error
Unread postPosted: Fri Mar 30, 2012 12:20 pm 
Offline
Forum Regular
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 853
Location: Germany
HI Mike,

thanks or your reply and sorry for the late response.
Of course I have set MODSEC_99_SCANNER to yes. For testing I disabeld it with no change regarding the error.

The root of the error looked pretty typo3 related to me so I digged deeper....and finally found the solution:
In the file init.php located in typo3 folder is a variable called $temp_path.
The code seems to be unable to enumerate the correct path within a php file located in the same folder (like alt_doc.php).
$temp_path = str_replace('\\','/',dirname(PATH_thisScript).'/');

So I changed it to the absolute path like that...and it's working.
$temp_path = "/var/www/vhosts/domain.tld/httpdocs/typo3/";

Bloody hell typo3 :)

Thanks for your help.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 10 posts ] 

» Feed - Atomicorp

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group