News:

Bored?  Looking to kill some time?  Want to chat with other SMF users?  Join us in IRC chat or Discord

Main Menu

Red Hat / Suhosin / Session problems / Guest access

Started by Martin X. Moleski, SJ, July 23, 2015, 10:22:10 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

Martin X. Moleski, SJ

July 23, 2015, 10:22:10 AM
The Question

What difference does turning Guest Access off make to the security scheme for the Administration area?

The Problem

I am having problems with session cookies when a Forum is configured not to allow guests to view the material on the Forum.


Clues:

"You are unable to connect to simplemachines.org's latest news file."

"Session verification failed"

Problems with login in Administration functions

"Your session timed out while posting. Please go back and try again."

Logout: "Session verification failed. Please try logging out and back in again, and then try again."

The logs have never reported any useful errors.

Sometimes can, sometimes can't log out.

The Infallible Trigger

If I turn Features and Options / General / Allow guests to browse the Forum on, I have no trouble with getting update information in Admin / Main / Administration Center.

If I turn guest access off, I cannot get "You are unable to connect to simplemachines.org's latest news file" and do not have any other session problems.

The change is instantaneous and utterly reliable.

I can go back and forth as much as I want.

Proof that it is a Red Hat, Suhosin, server-side configuration issue.

I can duplicate the problem at will with 2.0.10 and 2.1.beta2 on the Red Hat server with Suhosin. 

I cannot duplicate the problem on a Centos server without Suhosin.

Same ISP for both: Rackspace.

Context:

- brand new installation
- no mods
- no change in default settings except to disallow guest access

PHP Version 5.3.29
Linux ... 2.6.32-504.30.3.el6.x86_64 #1 SMP Thu Jul 9 15:20:47 EDT 2015 x86_64
Apache 2.0 Handler
redhat-release-server-6Server-6.6.0.2.el6.x86_64
varnishd (varnish-3.0.7 revision f544cd8)

output from phpinfo():

Code Select

PHP Version => 5.3.29

System => Linux 2.6.32-504.30.3.el6.x86_64 #1 SMP Thu Jul 9 15:20:47 EDT 2015 x86_64
Build Date => Aug 14 2014 11:48:15
Configure Command =>  './configure'  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--cache-file=../config.cache' '--with-libdir=lib64' '--with-config-file-path=/etc' '--with-config-file-scan-dir=/etc/php.d' '--disable-debug' '--with-pic' '--disable-rpath' '--without-pear' '--with-bz2' '--with-exec-dir=/usr/bin' '--with-freetype-dir=/usr' '--with-png-dir=/usr' '--with-xpm-dir=/usr' '--enable-gd-native-ttf' '--with-t1lib=/usr' '--without-gdbm' '--with-gettext' '--with-gmp' '--with-iconv' '--with-jpeg-dir=/usr' '--with-openssl' '--with-pcre-regex' '--with-zlib' '--with-layout=GNU' '--enable-exif' '--enable-ftp' '--enable-magic-quotes' '--enable-sockets' '--enable-sysvsem' '--enable-sysvshm' '--enable-sysvmsg' '--with-kerberos' '--enable-ucd-snmp-hack' '--enable-shmop' '--enable-calendar' '--without-mime-magic' '--without-sqlite' '--with-libxml-dir=/usr' '--with-xml' '--with-system-tzdata' '--enable-force-cgi-redirect' '--enable-pcntl' '--with-imap=shared' '--with-imap-ssl' '--enable-mbstring=shared' '--enable-mbregex' '--with-gd=shared' '--enable-bcmath=shared' '--enable-dba=shared' '--with-db4=/usr' '--with-xmlrpc=shared' '--with-ldap=shared' '--with-ldap-sasl' '--with-mysql=shared,/usr' '--with-mysqli=shared,/usr/lib64/mysql/mysql_config' '--enable-dom=shared' '--with-pgsql=shared' '--enable-wddx=shared' '--with-snmp=shared,/usr' '--enable-soap=shared' '--with-xsl=shared,/usr' '--enable-xmlreader=shared' '--enable-xmlwriter=shared' '--with-curl=shared,/usr' '--enable-fastcgi' '--enable-pdo=shared' '--with-pdo-odbc=shared,unixODBC,/usr' '--with-pdo-mysql=shared,/usr/lib64/mysql/mysql_config' '--with-pdo-pgsql=shared,/usr' '--with-pdo-sqlite=shared,/usr' '--with-pdo-dblib=shared,/usr' '--enable-json=shared' '--enable-zip=shared' '--without-readline' '--with-libedit' '--with-pspell=shared' '--enable-phar=shared' '--with-mcrypt=shared,/usr' '--with-tidy=shared,/usr' '--with-mssql=shared,/usr' '--enable-sysvmsg=shared' '--enable-sysvshm=shared' '--enable-sysvsem=shared' '--enable-posix=shared' '--with-unixODBC=shared,/usr' '--enable-fileinfo=shared' '--enable-intl=shared' '--with-icu-dir=/usr' '--with-enchant=shared,/usr' '--with-recode=shared,/usr'
Server API => Command Line Interface
Virtual Directory Support => disabled
Configuration File (php.ini) Path => /etc
Loaded Configuration File => /etc/php.ini
Scan this dir for additional .ini files => /etc/php.d
Additional .ini files parsed => /etc/php.d/apc.ini,
/etc/php.d/bcmath.ini,
/etc/php.d/curl.ini,
/etc/php.d/dom.ini,
/etc/php.d/fileinfo.ini,
/etc/php.d/gd.ini,
/etc/php.d/json.ini,
/etc/php.d/mbstring.ini,
/etc/php.d/mcrypt.ini,
/etc/php.d/mysql.ini,
/etc/php.d/mysqli.ini,
/etc/php.d/pdo.ini,
/etc/php.d/pdo_mysql.ini,
/etc/php.d/pdo_sqlite.ini,
/etc/php.d/phar.ini,
/etc/php.d/suhosin.ini,
/etc/php.d/tidy.ini,
/etc/php.d/wddx.ini,
/etc/php.d/xmlreader.ini,
/etc/php.d/xmlwriter.ini,
/etc/php.d/xsl.ini,
/etc/php.d/zip.ini

PHP API => 20090626
PHP Extension => 20090626
Zend Extension => 220090626
Zend Extension Build => API220090626,NTS
PHP Extension Build => API20090626,NTS
Debug Build => no
Thread Safety => disabled
Zend Memory Manager => enabled
Zend Multibyte Support => disabled
IPv6 Support => enabled
Registered PHP Streams => https, ftps, compress.zlib, compress.bzip2, php, file, glob, data, http, ftp, phar, zip 
Registered Stream Socket Transports => tcp, udp, unix, udg, ssl, sslv3, sslv2, tls
Registered Stream Filters => zlib.*, bzip2.*, convert.iconv.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk, mcrypt.*, mdecrypt.*


This program makes use of the Zend Scripting Language Engine:
Zend Engine v2.3.0, Copyright (c) 1998-2014 Zend Technologies
    with Suhosin v0.9.29, Copyright (c) 2007, by SektionEins GmbH


_______________________________________________________________________


Configuration

apc

APC Support => disabled
Version => 3.1.9
APC Debugging => Disabled
MMAP Support => Enabled
MMAP File Mask => 
Locking type => pthread mutex Locks
Serialization Support => broken
Revision => $Revision: 308812 $
Build Date => Oct 24 2011 08:59:56

Directive => Local Value => Master Value
apc.cache_by_default => On => On
apc.canonicalize => On => On
apc.coredump_unmap => Off => Off
apc.enable_cli => Off => Off
apc.enabled => On => On
apc.file_md5 => Off => Off
apc.file_update_protection => 2 => 2
apc.filters => no value => no value
apc.gc_ttl => 3600 => 3600
apc.include_once_override => Off => Off
apc.lazy_classes => Off => Off
apc.lazy_functions => Off => Off
apc.max_file_size => 1M => 1M
apc.mmap_file_mask => no value => no value
apc.num_files_hint => 1000 => 1000
apc.preload_path => no value => no value
apc.report_autofilter => Off => Off
apc.rfc1867 => Off => Off
apc.rfc1867_freq => 0 => 0
apc.rfc1867_name => APC_UPLOAD_PROGRESS => APC_UPLOAD_PROGRESS
apc.rfc1867_prefix => upload_ => upload_
apc.rfc1867_ttl => 3600 => 3600
apc.serializer => default => default
apc.shm_segments => 1 => 1
apc.shm_size => 32M => 32M
apc.slam_defense => On => On
apc.stat => On => On
apc.stat_ctime => Off => Off
apc.ttl => 0 => 0
apc.use_request_time => On => On
apc.user_entries_hint => 4096 => 4096
apc.user_ttl => 0 => 0
apc.write_lock => On => On

bcmath

BCMath support => enabled

Directive => Local Value => Master Value
bcmath.scale => 0 => 0

bz2

BZip2 Support => Enabled
Stream Wrapper support => compress.bzip2://
Stream Filter support => bzip2.decompress, bzip2.compress
BZip2 Version => 1.0.5, 10-Dec-2007

calendar

Calendar support => enabled

Core

PHP Version => 5.3.29

Directive => Local Value => Master Value
allow_call_time_pass_reference => Off => Off
allow_url_fopen => Off => Off
allow_url_include => Off => Off
always_populate_raw_post_data => Off => Off
arg_separator.input => & => &
arg_separator.output => & => &
asp_tags => Off => Off
auto_append_file => no value => no value
auto_globals_jit => On => On
auto_prepend_file => no value => no value
browscap => no value => no value
default_charset => no value => no value
default_mimetype => text/html => text/html
define_syslog_variables => Off => Off
disable_classes => no value => no value
disable_functions => no value => no value
display_errors => Off => Off
display_startup_errors => Off => Off
doc_root => no value => no value
docref_ext => no value => no value
docref_root => no value => no value
enable_dl => Off => Off
error_append_string => no value => no value
error_log => /var/log/php_errors.log => /var/log/php_errors.log
error_prepend_string => no value => no value
error_reporting => 30711 => 30711
exit_on_timeout => Off => Off
expose_php => Off => Off
extension_dir => /usr/lib64/php/modules => /usr/lib64/php/modules
file_uploads => On => On
highlight.bg => <font style="color: #FFFFFF">#FFFFFF</font> => <font style="color: #FFFFFF">#FFFFFF</font>
highlight.comment => <font style="color: #FF8000">#FF8000</font> => <font style="color: #FF8000">#FF8000</font>
highlight.default => <font style="color: #0000BB">#0000BB</font> => <font style="color: #0000BB">#0000BB</font>
highlight.html => <font style="color: #000000">#000000</font> => <font style="color: #000000">#000000</font>
highlight.keyword => <font style="color: #007700">#007700</font> => <font style="color: #007700">#007700</font>
highlight.string => <font style="color: #DD0000">#DD0000</font> => <font style="color: #DD0000">#DD0000</font>
html_errors => Off => Off
ignore_repeated_errors => Off => Off
ignore_repeated_source => Off => Off
ignore_user_abort => Off => Off
implicit_flush => On => On
include_path => .:/usr/share/pear:/usr/share/php => .:/usr/share/pear:/usr/share/php
log_errors => On => On
log_errors_max_len => 1024 => 1024
magic_quotes_gpc => Off => Off
magic_quotes_runtime => Off => Off
magic_quotes_sybase => Off => Off
mail.add_x_header => On => On
mail.force_extra_parameters => no value => no value
mail.log => no value => no value
max_execution_time => 0 => 0
max_file_uploads => 20 => 20
max_input_nesting_level => 64 => 64
max_input_time => -1 => -1
max_input_vars => 1000 => 1000
memory_limit => 128M => 128M
open_basedir => no value => no value
output_buffering => 0 => 0
output_handler => no value => no value
post_max_size => 8M => 8M
precision => 14 => 14
realpath_cache_size => 16K => 16K
realpath_cache_ttl => 120 => 120
register_argc_argv => On => On
register_globals => Off => Off
register_long_arrays => Off => Off
report_memleaks => On => On
report_zend_debug => Off => Off
request_order => GP => GP
safe_mode => Off => Off
safe_mode_exec_dir => no value => no value
safe_mode_gid => Off => Off
safe_mode_include_dir => no value => no value
sendmail_from => no value => no value
sendmail_path => /usr/sbin/sendmail -t -i => /usr/sbin/sendmail -t -i
serialize_precision => 100 => 100
short_open_tag => On => On
SMTP => localhost => localhost
smtp_port => 25 => 25
sql.safe_mode => Off => Off
track_errors => Off => Off
unserialize_callback_func => no value => no value
upload_max_filesize => 4M => 4M
upload_tmp_dir => no value => no value
user_dir => no value => no value
user_ini.cache_ttl => 300 => 300
user_ini.filename => .user.ini => .user.ini
variables_order => GPCS => GPCS
xmlrpc_error_number => 0 => 0
xmlrpc_errors => Off => Off
y2k_compliance => On => On
zend.enable_gc => On => On

ctype

ctype functions => enabled

curl

cURL support => enabled
cURL Information => 7.19.7
Age => 3
Features
AsynchDNS => No
Debug => No
GSS-Negotiate => Yes
IDN => Yes
IPv6 => Yes
Largefile => Yes
NTLM => Yes
SPNEGO => No
SSL => Yes
SSPI => No
krb4 => No
libz => Yes
CharConv => No
Protocols => tftp, ftp, telnet, dict, ldap, ldaps, http, file, https, ftps, scp, sftp
Host => x86_64-redhat-linux-gnu
SSL Version => NSS/3.16.2.3 Basic ECC
ZLib Version => 1.2.3
libSSH Version => libssh2/1.4.2

date

date/time support => enabled
"Olson" Timezone Database Version => 0.system
Timezone Database => internal
Default timezone => America/Chicago

Directive => Local Value => Master Value
date.default_latitude => 31.7667 => 31.7667
date.default_longitude => 35.2333 => 35.2333
date.sunrise_zenith => 90.583333 => 90.583333
date.sunset_zenith => 90.583333 => 90.583333
date.timezone => America/Chicago => America/Chicago

dom

DOM/XML => enabled
DOM/XML API Version => 20031129
libxml Version => 2.7.6
HTML Support => enabled
XPath Support => enabled
XPointer Support => enabled
Schema Support => enabled
RelaxNG Support => enabled

ereg

Regex Library => Bundled library enabled

exif

EXIF Support => enabled
EXIF Version => 1.4 $Id$
Supported EXIF Version => 0220
Supported filetypes => JPEG,TIFF

Directive => Local Value => Master Value
exif.decode_jis_intel => JIS => JIS
exif.decode_jis_motorola => JIS => JIS
exif.decode_unicode_intel => UCS-2LE => UCS-2LE
exif.decode_unicode_motorola => UCS-2BE => UCS-2BE
exif.encode_jis => no value => no value
exif.encode_unicode => ISO-8859-15 => ISO-8859-15

fileinfo

fileinfo support => enabled
version => 1.0.5-dev

filter

Input Validation and Filtering => enabled
Revision => $Id: 209a1c3c98c04a5474846e7bbe8ca72054ccfd4f $

Directive => Local Value => Master Value
filter.default => unsafe_raw => unsafe_raw
filter.default_flags => no value => no value

ftp

FTP support => enabled

gd

GD Support => enabled
GD Version => bundled (2.1.0 compatible)
FreeType Support => enabled
FreeType Linkage => with freetype
FreeType Version => 2.3.11
T1Lib Support => enabled
GIF Read Support => enabled
GIF Create Support => enabled
JPEG Support => enabled
libJPEG Version => 6b
PNG Support => enabled
libPNG Version => 1.2.49
WBMP Support => enabled
XPM Support => enabled
libXpm Version => 30411
XBM Support => enabled

Directive => Local Value => Master Value
gd.jpeg_ignore_warning => 0 => 0

gettext

GetText Support => enabled

gmp

gmp support => enabled
GMP version => 4.3.1

hash

hash support => enabled
Hashing Engines => md2 md4 md5 sha1 sha224 sha256 sha384 sha512 ripemd128 ripemd160 ripemd256 ripemd320 whirlpool tiger128,3 tiger160,3 tiger192,3 tiger128,4 tiger160,4 tiger192,4 snefru snefru256 gost adler32 crc32 crc32b salsa10 salsa20 haval128,3 haval160,3 haval192,3 haval224,3 haval256,3 haval128,4 haval160,4 haval192,4 haval224,4 haval256,4 haval128,5 haval160,5 haval192,5 haval224,5 haval256,5

iconv

iconv support => enabled
iconv implementation => glibc
iconv library version => 2.12

Directive => Local Value => Master Value
iconv.input_encoding => ISO-8859-1 => ISO-8859-1
iconv.internal_encoding => ISO-8859-1 => ISO-8859-1
iconv.output_encoding => ISO-8859-1 => ISO-8859-1

json

json support => enabled
json version => 1.2.1

libxml

libXML support => active
libXML Compiled Version => 2.7.6
libXML Loaded Version => 20706
libXML streams => enabled

mbstring

Multibyte Support => enabled
Multibyte string engine => libmbfl
HTTP input encoding translation => disabled

mbstring extension makes use of "streamable kanji code filter and converter", which is distributed under the GNU Lesser General Public License version 2.1.

Multibyte (japanese) regex support => enabled
Multibyte regex (oniguruma) backtrack check => On
Multibyte regex (oniguruma) version => 4.7.1

Directive => Local Value => Master Value
mbstring.detect_order => no value => no value
mbstring.encoding_translation => Off => Off
mbstring.func_overload => 0 => 0
mbstring.http_input => pass => pass
mbstring.http_output => pass => pass
mbstring.http_output_conv_mimetypes => ^(text/|application/xhtml\+xml) => ^(text/|application/xhtml\+xml)
mbstring.internal_encoding => no value => no value
mbstring.language => neutral => neutral
mbstring.strict_detection => Off => Off
mbstring.substitute_character => no value => no value

mcrypt

mcrypt support => enabled
mcrypt_filter support => enabled
Version => 2.5.8
Api No => 20021217
Supported ciphers => cast-128 gost rijndael-128 twofish arcfour cast-256 loki97 rijndael-192 saferplus wake blowfish-compat des rijndael-256 serpent xtea blowfish enigma rc2 tripledes
Supported modes => cbc cfb ctr ecb ncfb nofb ofb stream

Directive => Local Value => Master Value
mcrypt.algorithms_dir => no value => no value
mcrypt.modes_dir => no value => no value

mysql

MySQL Support => enabled
Active Persistent Links => 0
Active Links => 0
Client API version => 5.1.61
MYSQL_MODULE_TYPE => external
MYSQL_SOCKET => /var/lib/mysql/mysql.sock
MYSQL_INCLUDE => -I/usr/include/mysql
MYSQL_LIBS => -L/usr/lib64/mysql -lmysqlclient

Directive => Local Value => Master Value
mysql.allow_local_infile => On => On
mysql.allow_persistent => Off => Off
mysql.connect_timeout => 60 => 60
mysql.default_host => no value => no value
mysql.default_password => no value => no value
mysql.default_port => no value => no value
mysql.default_socket => /var/lib/mysql/mysql.sock => /var/lib/mysql/mysql.sock
mysql.default_user => no value => no value
mysql.max_links => Unlimited => Unlimited
mysql.max_persistent => Unlimited => Unlimited
mysql.trace_mode => Off => Off

mysqli

MysqlI Support => enabled
Client API library version => 5.1.61
Active Persistent Links => 0
Inactive Persistent Links => 0
Active Links => 0
Client API header version => 5.1.73
MYSQLI_SOCKET => /var/lib/mysql/mysql.sock

Directive => Local Value => Master Value
mysqli.allow_local_infile => On => On
mysqli.allow_persistent => On => On
mysqli.default_host => no value => no value
mysqli.default_port => 3306 => 3306
mysqli.default_pw => no value => no value
mysqli.default_socket => no value => no value
mysqli.default_user => no value => no value
mysqli.max_links => Unlimited => Unlimited
mysqli.max_persistent => Unlimited => Unlimited
mysqli.reconnect => Off => Off

openssl

OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL Header Version => OpenSSL 1.0.1e-fips 11 Feb 2013

pcntl

pcntl support => enabled

pcre

PCRE (Perl Compatible Regular Expressions) Support => enabled
PCRE Library Version => 8.32 2012-11-30

Directive => Local Value => Master Value
pcre.backtrack_limit => 1000000 => 1000000
pcre.recursion_limit => 100000 => 100000

PDO

PDO support => enabled
PDO drivers => mysql, sqlite

pdo_mysql

PDO Driver for MySQL => enabled
Client API version => 5.1.61

Directive => Local Value => Master Value
pdo_mysql.default_socket => /var/lib/mysql/mysql.sock => /var/lib/mysql/mysql.sock

pdo_sqlite

PDO Driver for SQLite 3.x => enabled
SQLite Library => 3.6.20

Phar

Phar: PHP Archive support => enabled
Phar EXT version => 2.0.1
Phar API version => 1.1.1
SVN revision => $Id: 21d763042eb5769ae0a09dc1118df2b5aae6fb33 $
Phar-based phar archives => enabled
Tar-based phar archives => enabled
ZIP-based phar archives => enabled
gzip compression => enabled
bzip2 compression => enabled
Native OpenSSL support => enabled


Phar based on pear/PHP_Archive, original concept by Davey Shafik.
Phar fully realized by Gregory Beaver and Marcus Boerger.
Portions of tar implementation Copyright (c) 2003-2009 Tim Kientzle.
Directive => Local Value => Master Value
phar.cache_list => no value => no value
phar.readonly => On => On
phar.require_hash => On => On

Reflection

Reflection => enabled
Version => $Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $

session

Session Support => enabled
Registered save handlers => files user
Registered serializer handlers => php php_binary wddx

Directive => Local Value => Master Value
session.auto_start => Off => Off
session.bug_compat_42 => Off => Off
session.bug_compat_warn => Off => Off
session.cache_expire => 180 => 180
session.cache_limiter => nocache => nocache
session.cookie_domain => .ourdomain.org => .ourdomain.org
session.cookie_httponly => Off => Off
session.cookie_lifetime => 0 => 0
session.cookie_path => / => /
session.cookie_secure => Off => Off
session.entropy_file => no value => no value
session.entropy_length => 0 => 0
session.gc_divisor => 1000 => 1000
session.gc_maxlifetime => 1440 => 1440
session.gc_probability => 1 => 1
session.hash_bits_per_character => 5 => 5
session.hash_function => 0 => 0
session.name => PHPSESSID => PHPSESSID
session.referer_check => no value => no value
session.save_handler => files => files
session.save_path => /var/lib/php/session => /var/lib/php/session
session.serialize_handler => php => php
session.use_cookies => On => On
session.use_only_cookies => On => On
session.use_trans_sid => 0 => 0

shmop

shmop support => enabled

SimpleXML

Simplexml support => enabled
Revision => $Id: 02ab7893b36d51e9c59da77d7e287eb3b35e1e32 $
Schema support => enabled

sockets

Sockets Support => enabled

SPL

SPL support => enabled
Interfaces => Countable, OuterIterator, RecursiveIterator, SeekableIterator, SplObserver, SplSubject
Classes => AppendIterator, ArrayIterator, ArrayObject, BadFunctionCallException, BadMethodCallException, CachingIterator, DirectoryIterator, DomainException, EmptyIterator, FilesystemIterator, FilterIterator, GlobIterator, InfiniteIterator, InvalidArgumentException, IteratorIterator, LengthException, LimitIterator, LogicException, MultipleIterator, NoRewindIterator, OutOfBoundsException, OutOfRangeException, OverflowException, ParentIterator, RangeException, RecursiveArrayIterator, RecursiveCachingIterator, RecursiveDirectoryIterator, RecursiveFilterIterator, RecursiveIteratorIterator, RecursiveRegexIterator, RecursiveTreeIterator, RegexIterator, RuntimeException, SplDoublyLinkedList, SplFileInfo, SplFileObject, SplFixedArray, SplHeap, SplMinHeap, SplMaxHeap, SplObjectStorage, SplPriorityQueue, SplQueue, SplStack, SplTempFileObject, UnderflowException, UnexpectedValueException

sqlite3

SQLite3 support => enabled
SQLite3 module version => 0.7-dev
SQLite Library => 3.7.7.1

Directive => Local Value => Master Value
sqlite3.extension_dir => no value => no value

standard

Dynamic Library Support => enabled
Path to sendmail => /usr/sbin/sendmail -t -i

Directive => Local Value => Master Value
assert.active => 1 => 1
assert.bail => 0 => 0
assert.callback => no value => no value
assert.quiet_eval => 0 => 0
assert.warning => 1 => 1
auto_detect_line_endings => 0 => 0
default_socket_timeout => 60 => 60
from => no value => no value
safe_mode_allowed_env_vars => PHP_ => PHP_
safe_mode_protected_env_vars => LD_LIBRARY_PATH => LD_LIBRARY_PATH
url_rewriter.tags => a=href,area=href,frame=src,input=src,form=fakeentry => a=href,area=href,frame=src,input=src,form=fakeentry
user_agent => no value => no value

suhosin


This server is protected with the Suhosin Extension 0.9.29

Copyright (c) 2006-2007 Hardened-PHP Project
Copyright (c) 2007-2008 SektionEins GmbH

Directive => Local Value => Master Value
suhosin.apc_bug_workaround => Off => Off
suhosin.cookie.checkraddr => 0 => 0
suhosin.cookie.cryptdocroot => On => On
suhosin.cookie.cryptkey => [ protected ] => [ protected ]
suhosin.cookie.cryptlist => no value => no value
suhosin.cookie.cryptraddr => 0 => 0
suhosin.cookie.cryptua => On => On
suhosin.cookie.disallow_nul => 1 => 1
suhosin.cookie.disallow_ws => 1 => 1
suhosin.cookie.encrypt => Off => Off
suhosin.cookie.max_array_depth => 50 => 50
suhosin.cookie.max_array_index_length => 64 => 64
suhosin.cookie.max_name_length => 64 => 64
suhosin.cookie.max_totalname_length => 256 => 256
suhosin.cookie.max_value_length => 10000 => 10000
suhosin.cookie.max_vars => 100 => 100
suhosin.cookie.plainlist => no value => no value
suhosin.coredump => Off => Off
suhosin.disable.display_errors => Off => Off
suhosin.executor.allow_symlink => Off => Off
suhosin.executor.disable_emodifier => Off => Off
suhosin.executor.disable_eval => Off => Off
suhosin.executor.eval.blacklist => no value => no value
suhosin.executor.eval.whitelist => no value => no value
suhosin.executor.func.blacklist => no value => no value
suhosin.executor.func.whitelist => no value => no value
suhosin.executor.include.allow_writable_files => On => On
suhosin.executor.include.blacklist => no value => no value
suhosin.executor.include.max_traversal => 0 => 0
suhosin.executor.include.whitelist => no value => no value
suhosin.executor.max_depth => 0 => 0
suhosin.filter.action => no value => no value
suhosin.get.disallow_nul => 1 => 1
suhosin.get.disallow_ws => 0 => 0
suhosin.get.max_array_depth => 50 => 50
suhosin.get.max_array_index_length => 64 => 64
suhosin.get.max_name_length => 64 => 64
suhosin.get.max_totalname_length => 256 => 256
suhosin.get.max_value_length => 512 => 512
suhosin.get.max_vars => 100 => 100
suhosin.log.file => 0 => 0
suhosin.log.file.name => no value => no value
suhosin.log.phpscript => 0 => 0
suhosin.log.phpscript.is_safe => Off => Off
suhosin.log.phpscript.name => no value => no value
suhosin.log.sapi => 0 => 0
suhosin.log.script => 0 => 0
suhosin.log.script.name => no value => no value
suhosin.log.syslog => no value => no value
suhosin.log.syslog.facility => no value => no value
suhosin.log.syslog.priority => no value => no value
suhosin.log.use-x-forwarded-for => Off => Off
suhosin.mail.protect => 1 => 1
suhosin.memory_limit => 128M => 128M
suhosin.mt_srand.ignore => On => On
suhosin.multiheader => Off => Off
suhosin.perdir => 0 => 0
suhosin.post.disallow_nul => 1 => 1
suhosin.post.disallow_ws => 0 => 0
suhosin.post.max_array_depth => 50 => 50
suhosin.post.max_array_index_length => 64 => 64
suhosin.post.max_name_length => 64 => 64
suhosin.post.max_totalname_length => 256 => 256
suhosin.post.max_value_length => 1000000 => 1000000
suhosin.post.max_vars => 1000 => 1000
suhosin.protectkey => On => On
suhosin.request.disallow_nul => 1 => 1
suhosin.request.disallow_ws => 0 => 0
suhosin.request.max_array_depth => 50 => 50
suhosin.request.max_array_index_length => 64 => 64
suhosin.request.max_totalname_length => 256 => 256
suhosin.request.max_value_length => 1000000 => 1000000
suhosin.request.max_varname_length => 64 => 64
suhosin.request.max_vars => 1000 => 1000
suhosin.server.encode => On => On
suhosin.server.strip => On => On
suhosin.session.checkraddr => 0 => 0
suhosin.session.cryptdocroot => Off => Off
suhosin.session.cryptkey => [ protected ] => [ protected ]
suhosin.session.cryptraddr => 0 => 0
suhosin.session.cryptua => Off => Off
suhosin.session.encrypt => On => On
suhosin.session.max_id_length => 128 => 128
suhosin.simulation => On => On
suhosin.sql.bailout_on_error => Off => Off
suhosin.sql.comment => 0 => 0
suhosin.sql.multiselect => 0 => 0
suhosin.sql.opencomment => 0 => 0
suhosin.sql.union => 0 => 0
suhosin.sql.user_postfix => no value => no value
suhosin.sql.user_prefix => no value => no value
suhosin.srand.ignore => On => On
suhosin.stealth => On => On
suhosin.upload.disallow_binary => 0 => 0
suhosin.upload.disallow_elf => 1 => 1
suhosin.upload.max_uploads => 25 => 25
suhosin.upload.remove_binary => 0 => 0
suhosin.upload.verification_script => no value => no value

tidy

Tidy support => enabled
libTidy Release => 14 June 2007
Extension Version => 2.0 ($Id$)

Directive => Local Value => Master Value
tidy.clean_output => no value => no value
tidy.default_config => no value => no value

tokenizer

Tokenizer Support => enabled

wddx

WDDX Support => enabled
WDDX Session Serializer => enabled

xml

XML Support => active
XML Namespace Support => active
libxml2 Version => 2.7.6

xmlreader

XMLReader => enabled

xmlwriter

XMLWriter => enabled

xsl

XSL => enabled
libxslt Version => 1.1.26
libxslt compiled against libxml Version => 2.7.6
EXSLT => enabled
libexslt Version => 1.1.26

zip

Zip => enabled
Extension Version => $Id: b1a1a3628c4ed0ad78fb0cc4a99b06a56aa281c4 $
Zip version => 1.11.0
Libzip version => 0.10.1

zlib

ZLib Support => enabled
Stream Wrapper support => compress.zlib://
Stream Filter support => zlib.inflate, zlib.deflate
Compiled Version => 1.2.3
Linked Version => 1.2.3

Directive => Local Value => Master Value
zlib.output_compression => Off => Off
zlib.output_compression_level => -1 => -1
zlib.output_handler => no value => no value

Additional Modules

Module Name
readline

Environment

Variable => Value
HOSTNAME => subdomain.ourdomain.org
TERM => xterm
SHELL => /bin/bash
HISTSIZE => 1000
SSH_CLIENT => xxxxxxxxxxxxxxxxxxxx
SSH_TTY => /dev/pts/0
USER => oursysadm
LS_COLORS => rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:
MAIL => /var/spool/mail/oursysadm
PATH => /usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/oursysadm/bin
PWD => /var/www/html/php
LANG => en_US.UTF-8
HISTCONTROL => ignoredups
SHLVL => 1
HOME => /home/oursysadm
LOGNAME => oursysadm
SSH_CONNECTION => xxxxxxxxxxxxxxx
LESSOPEN => ||/usr/bin/lesspipe.sh %s
HISTTIMEFORMAT => %F %T 
G_BROKEN_FILENAMES => 1
_ => /usr/bin/php
OLDPWD => /home/oursysadm

PHP Variables

Variable => Value
_SERVER["HOSTNAME"] => subdomain.ourdomain.org
_SERVER["TERM"] => xterm
_SERVER["SHELL"] => /bin/bash
_SERVER["HISTSIZE"] => 1000
_SERVER["SSH_CLIENT"] => xxxxxxxxxxxxxxxx
_SERVER["SSH_TTY"] => /dev/pts/0
_SERVER["USER"] => oursysadm
_SERVER["LS_COLORS"] => rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:
_SERVER["MAIL"] => /var/spool/mail/oursysadm
_SERVER["PATH"] => /usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/oursysadm/bin
_SERVER["PWD"] => /var/www/html/php
_SERVER["LANG"] => en_US.UTF-8
_SERVER["HISTCONTROL"] => ignoredups
_SERVER["SHLVL"] => 1
_SERVER["HOME"] => /home/oursysadm
_SERVER["LOGNAME"] => oursysadm
_SERVER["SSH_CONNECTION"] => xxxxxxxxxxxxxxxxxxxxx
_SERVER["LESSOPEN"] => ||/usr/bin/lesspipe.sh %s
_SERVER["HISTTIMEFORMAT"] => %F %T 
_SERVER["G_BROKEN_FILENAMES"] => 1
_SERVER["_"] => /usr/bin/php
_SERVER["OLDPWD"] => /home/oursysadm
_SERVER["PHP_SELF"] => -
_SERVER["SCRIPT_NAME"] => -
_SERVER["SCRIPT_FILENAME"] =>
_SERVER["PATH_TRANSLATED"] =>
_SERVER["DOCUMENT_ROOT"] =>
_SERVER["REQUEST_TIME"] => 1437585040
_SERVER["argv"] => Array
(
    [0] => -
)

_SERVER["argc"] => 1


Failed solutions

Turned off level1 caching.
Cleared cache.
--No joy.

Default cookies length 60
Use subdomain independent cookies--yes
Use database driven sessions--yes
Allow users to go back to cached pages--yes
Seconds before timeout 2880
--No joy.

Changed cookie name.
--No joy.

Checked phpinfo.php for session.save_path
/var/lib/php/session is writable and full of sessions
--No joy.

Advice: "experiment with database driven sessions and local cookies versus subdomain independent cookies"
Result: BTDT, many times, shot myself in the foot, recovered
--No joy.

Tried this fix before realizing it is irrelevant:

http://www.simplemachines.org/community/index.php?topic=529293.msg3756898#msg3756898

ALTER TABLE test_log_errors CHANGE session session char(64) NOT NULL;
ALTER TABLE test_log_online CHANGE session session char(64) NOT NULL;
ALTER TABLE test_sessions CHANGE session_id session_id char(64) NOT NULL;


ALTER TABLE test_log_errors CHANGE session session char(64) NOT NULL;# MySQL returned an empty result set (i.e. zero rows).

ALTER TABLE test_log_online CHANGE session session char(64) NOT NULL;# 1 row affected.

ALTER TABLE test_sessions CHANGE session_id session_id char(64) NOT NULL;# 21 rows affected.

Version 2.1 is supposed to have the large fields and fix the problem with SHA256 session IDs, so I installed that on the Red Hat server.
-- No joy.

Closed browser.
Cleared all SMF browser cookies.
Was able to log in.
Can't log out.

Include databse query in the error log--yes
Disable administration security--yes

Search engine friendly URLs is off by default.

Turned SQL errors in log on.
Logged out OK.  Twice.

repair_settings.php
Queryless URLs: Value not found!
--turned off (recommended)
Output compression: off (recommended)
-- No joy.

Found out that suhosin.simulation is already
ON in my distro. 
-- No joy.

Failed workaround:

Enable Maintenance Mode
Allow guests to view Forum
Check updates; do any updating needed
Prevent guests from viewing the Forum
Turn off Maintenance Mode

-- No joy.  Even though I've hit the infallible trigger, I can't get updates in the Administration Center, much to my surprise and dismay.  Maintenance Mode itself triggers the bug.


Workarounds

Install updates by hand.

Ignore "Session verification failed. Please try logging out and back in again, and then try again."  If I just pick the same item from the screen, it works the second time.  Any changes I made and saved are made and saved.  I'm still logged in as an administrator, and I can get work done with a few extra clicks now and again.

Preserve my soul in peace.

Users, so far, are not bothered by the bug, as far as I can tell.

Not done

I have not tried any hacks in the code base.

I have not tried to answer my question by myself using my limited and totally amateur debugging skills, such as they are.

I have not read every post in the SMF Forum about problems with Suhosin.  Once I found out that it is a known condition affecting some people and that there is no agreed-upon diagnosis or cure, I quit reading. 

If you've gotten this far, THANKS for listening!

If you're not reading this, peace be with you and yours anyway.   :)

Marty

margarett

#1
July 23, 2015, 10:28:22 AM
Suhosin hey?...

Can you try to check the "Disable hostname lookups" in ACP --> Server Settings?
(although this time I don't think it'll work :( )
Se forem conduzir, não bebam. Se forem beber... CHAMEM-ME!!!! :D

QuoteOver 90% of all computer problems can be traced back to the interface between the keyboard and the chair

Martin X. Moleski, SJ

#2
July 23, 2015, 11:03:33 AM
Quote from: margarett on July 23, 2015, 10:28:22 AM
Suhosin hey?...

Yup.

Came with the Red Hat distro from Rackspace.

Quote
Can you try to check the "Disable hostname lookups" in ACP --> Server Settings?
(although this time I don't think it'll work :( )

No joy.

I had seen that suggestion in a Suhosin thread, but failed to find the right checkbox.  Thanks for the tip where to look!  ("I'm melting!")

Marty

margarett

#3
July 23, 2015, 11:06:10 AM
I'm sorry, I have no idea then...

Maybe --> https://www.google.pt/?gws_rd=ssl#q=disable+suhosin
?
Se forem conduzir, não bebam. Se forem beber... CHAMEM-ME!!!! :D

QuoteOver 90% of all computer problems can be traced back to the interface between the keyboard and the chair

Martin X. Moleski, SJ

#4
July 23, 2015, 10:08:42 PM
Quote from: margarett on July 23, 2015, 11:06:10 AM
I'm sorry, I have no idea then...

Maybe --> https://www.google.pt/?gws_rd=ssl#q=disable+suhosin [nofollow]


Yes, I found that page yesterday.  Here are the key instructions:

3) Open the php.ini file and add the following code to the file:

    [suhosin]
    ; Misc Options
    suhosin.simulation = On

    [On indicates disabled, Off indicates enabled]


But, by default, suhosin.simulation is already ON in my distro.

And simulation "ON" means "Suhosin is off."

Some day--not tonight--I will try to read the relevant code and try to answer the question, "What difference do Guest Access or Maintenance Mode make in handling AJAX queries?"  They do make a difference; the difference causes in the installation to fail on my server; if I'm lucky, I may be able to spot the difference.

Martin X. Moleski, SJ

#5
July 24, 2015, 12:45:51 PM
Fact: Suhosin users report problems switching from http: to https:.

Sessions get mangled.

Wild guess: what if excluding guests or going into maintenance mode causes some queries to be sent via https:?

Experiment 1: set whole Forum in SSL in 2.1.beta2 (yes, I know this is a 2.0.xx board, but 2.0.xx doesn't have the "magic tick box."

Experiment 2: set 2.0.10 Forum to have "https:" as the $boardurl.  Lost all css, but still could see that the version info is not shown on the page.

Experiment 3: force cookies to be secure on 2.0.10 Forum using "https:" as $boardurl.  No joy.

Experiment 4 (totally accidental): return Forum to insecure cookies.  Change $boardurl in Settings.  Log out.  Chrome comes back.  Log in.  Now--for one brief shining moment!--I have live updates in the Administrative Center.   :o

Experiment 5: Log out.  Run Chrome.  Log in.  Problem not fixed in Chrome.  Log in with Firefox.  Problem still fixed.

Experiment 6: Screw around with manual insertion of https into Chrome URL; select secure Cookies.  Get confused.  Try things that I didn't keep track of.  Reach condition in which manually changing from http to https in address bar of Chrome fixes bug; changing back restores bug.


Hmmm.

Once I log in securely, the system with both browsers seems to remember that login, and when I am logged in securely, the bug seems to go away.

Experiment 7: Hack url in address bar, changing from http to https.  Login, once I remember the correct credentials (I am now the proud owner of four SMF installations on two servers).  No sign of the bug.

I'm going to mark this SOLVED, although I wish I had other options (SOLVED BUT NOT UNDERSTOOD).

THANKS for the help, Margarett et al.!

margarett

#6
July 24, 2015, 01:08:43 PM
Weird indeed :o
Se forem conduzir, não bebam. Se forem beber... CHAMEM-ME!!!! :D

QuoteOver 90% of all computer problems can be traced back to the interface between the keyboard and the chair
Print
Go Up Pages1
User actions
Advertisement: