X3Photo Gallery Forums

i have uploaded a fresh instal of 0.15 and i get exactly the same error message.

what can i do?

David

splitybus wrote:i have uploaded a fresh instal of 0.15 and i get exactly the same error message.

This could also happen if you have some mod_security or Suhosin enabled on server. Can you please send me link and login to your admin panel? Basically this is a response where either the JSON settings output is broken, or your server refuses to save the posted data because it considers it to be a security threat ... most likely the last.

The problem is related to mod_security...

Try going to panel->settings->custom, and removed the contact form widget HTML:

Empty it:

I had another user with mod_security, where removing the html above made it work. For some reason, mod_security is considering certain POST data to be a security threat, incorrectly so. Thus, if you are using mod_secure (which is reporting a false positive on settings-save), it will either need to be configured or disabled, or you won't be able to use the contact-form widget.

Many thanks Karn,
we have also been corresponding via email and as ive said i have done this and it seems to have worked. As i said in email im very much an amateur so please bare with me in the details as it takes me 10 times longer to understand the details!!!

i have emailed you the FTP details to my site, and i am using CPANEL which does have the ability to turn the MOD_SECURITY off. just not sure i should from a security point of view?

Regards

David

splitybus wrote:i have emailed you the FTP details to my site, and i am using CPANEL which does have the ability to turn the MOD_SECURITY off. just not sure i should from a security point of view?

First of all, let me note that this is a bit subjective.

I noticed you were using an old PHP version 5.3, and updating that to a more recent version is in my opinion more important for security than using mod_security. In fact, many of the features in mod_security are in place to "patch" old versions of PHP. Furthermore, the mod_security is mostly aimed at hosting services that have no control of what their users are installing (which in some cases could be malware). If you don't know what apps you are installing on your domain, or don't trust the integrity of the code in X3, then that would be another reason to use mod_security. Mod_security basically protects you against your own installed applications ... It doesn't really add any additional protection from the outside world, as your server should already be capable of blocking external threats.

So basically, I think you should look for a "PHP upgrade" option in your CPANEL. Unless you have multiple dubious PHP applications installed in your server space, I don't think mod_security will provide any added security, and your server will be faster without it. You could also use the Cloudflare service (read more) to add an external firewall before requests even hit your server.

Sorry, don't get me wrong here. I'm not opposed to mod_rewrite ... One can never underestimate the value of added security. I just think that if you upgrade to a new PHP version, and are careful about what PHP applications you install on your server, it simply doesn't provide any benefits.

Conclusion
So I have done some research and concluded the exact issue. First of all, this is related to the mod_security module installed on some servers, and restrictions it is imposing.

The exact issue, is that it blocks POST requests to the server, when there are <input> html tags included in the post. Since this <input> tag is part of the customizable contact-form menu widget, then it is by default including this in the POST also. Since we cannot workaround this false-positive security implementation in mod_security, we can instead "patch" it:

In next release of X3, <input> html is replaced with <xinput>, and then dynamically replaced before it gets rendered on the frontend. This fixes the issue, since mod_security does not block the POST request when there are <xinput> tags.

Why does mod_security block <input> specifically?
I would assume that it considers POSTs with <input> to be a threat, as technically it could contain a method for a hacker to upload malicious files. This is of course not the case with the input fields for the X3 contact form, but mod_security doesn't care about that.

The fix will be implemented in next release.

Karl, again thank you for your help with this and I will have a look at the PHP upgrade from my provider, until then will delete the script.

Edit: having looked it would appear I can select the PHP version within Cpanel. I can select 5.4, 5.5, 5.6 and one called 5.4 (native)?! What would you suggest?

here are the details of my server if it helps?

cPanel Version 11.52.2 (build 5)
Apache Version 2.2.29
PHP Version 5.4.35
MySQL Version 5.6.28
Architecture x86_64
Operating System linux
Perl Version 5.10.1
Kernel Version 2.6.32-531.29.2.lve1.3.11.1.el6.x86_64

Regards

David

I noticed this error message showing when i was "logged out" of the system being inactive for a while, having the settings page open and try to save.
Or it happend when i was looking in an older installation being logged in with a different account on the 2nd test install.

Helped was a refresh and new login on that page and then i could save the settings.

splitybus wrote:Edit: having looked it would appear I can select the PHP version within Cpanel. I can select 5.4, 5.5, 5.6 and one called 5.4 (native)?! What would you suggest?

Just update to the newest version available, which would be 5.6 in your case. Your cpanel having legacy PHP versions available is just to support older PHP applications out there that don't work with new PHP. X3 will always work with latest PHP version, which is currently 7.0 (they skipped 6.0).

Newer versions = more secure, and possibly faster.

splitybus wrote:... PHP Version 5.4.35 ...

I did notice at the time of checking that your X3 was running from a 5.3.x version of PHP.