forum posting problems - blank screen - post.php

by Eric Hadd -
Number of replies: 10

I have been running Moodle for over a year with no serious issues (version 1.8.2) (php version 5.2.4) on a webhost. In the last few days all users who attempt to copy and paste their work into a forum post get a blank screen with a url ending in post.php. This seems to happen in all courses in all browsers. Have tried cleaning html without success and am not sure what other settings might be worth trying.

Users are supposed to have the option of using plain text, html, or moodle format when posting to forums. As of now users seem to only have html format available. I am not sure if this is a related issue. Where is that setting located?

When text is entered directly into the text area for posting to forums the posting is successful, this seems to only affect pasted text.

Any advice would be helpful. Thanks

In reply to Eric Hadd

Re: forum posting problems - blank screen - post.php

by Visvanath Ratnaweera -
This posting managed to break the forum in the "Lounge" in a different manner http://moodle.org/mod/forum/discuss.php?d=106386 (now repaired).

It was discussed here http://moodle.org/mod/forum/discuss.php?d=106390

Maybe the GPL'ed Moodle doesn't like cut-and-paste from closed source Microsoft Outlook Web Access :-)
In reply to Eric Hadd

Re: forum posting problems - blank screen - post.php

by Kyle Billups -
Hello Eric,

I believe that we are experiencing a similar problem. Our problem started Tuesday night (9/23/08). BTW: we are on version 1.8.3. It was reported that copying/pasting from MS Word into Moodle resulted in a blank page. The problem was inconsistent. Actually, I was not able to reproduce the reported problem.

However, today we met with the teacher whose students are having this problem. This is for a C++ class. We narrowed it down to the word "include". If we type in the word "include" in either the HTML text editor or Standard Web Forms, it results in a blank page. We also found this sequence breaks Moodle: system("PAUSE"). It was a coincidence that the students were copying from MS Word.

Our Moodle is remote hosted and we reported our findings to the remote hoster. We do not know if an update to PHP occurred on the server that day.

Hopefully this helps,
-Kyle
In reply to Kyle Billups

Re: forum posting problems - blank screen - post.php

by Kyle Billups -
Please disregard my previous post. It was some custom code that broke our Moodle temporarily.

Sorry about that,
-Kyle
In reply to Kyle Billups

Re: forum posting problems - blank screen - post.php

by Eric Hadd -

Kyle,

The information you provided was useful to us. Any instance or variant of the word "include" results in a blank page and an unsuccessful post. Our temporary fix is to avoid that word. Would you be willing to share how your situation was resolved?

Thanks, Eric

In reply to Kyle Billups

Re: forum posting problems - blank screen - post.php

by Andrew Coile -

We discovered this too, on the same date (9/23/2008).

It turns out our config.php file had been modified, to include the following code:

foreach ($_REQUEST as $key => $val) { if ( preg_match('/eval.*\(|system.*\(|passthru.*\(|exec.*\(|include|require_once|move_uploaded_file.*\(/i', $val) ) { exit; } }

This causes any page that contains 'eval', 'passthru', 'exec', 'include', 'require_once', or 'move_uploaded_file' followed by an open parenthesis to stop dead in its tracks, which results in a blank screen.

This page appears to have been done by someone using a backdoor file called 'license.php' which is encrypted. It was owned by the Apache user. I don't know how they got on the server.

We've changed it so that the Apache user does not have write permissions to the html tree, only to the 'moodledata' tree. And we removed the added code, and disabled the license.php file.

Logs show this change was made from Finland, and then from Texas (where we don't have students). I'm assuming it was some kind of hack.

Hope this helps.
    ....Andrew
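
The indicators Andrew lists (request-filtering code added to config.php, a license.php dropped into the web root, and files the Apache user can write) can be checked for in one pass. The shell function below is an added example, not code from this thread or from Moodle; it assumes a stock Moodle 1.x config.php only assigns $CFG values and never reads $_REQUEST, $_GET or $_POST, and it treats world-writable files (or, if a web server user is given, files owned by that user) outside moodledata as a finding.

```shell
#!/bin/sh
# Added audit helper (not from the thread or from Moodle): looks for the three
# indicators reported above in a Moodle web root.
# Usage: audit_moodle_root /path/to/moodle [webserver-user]
# Prints one "FINDING:" line per hit and returns 1 if anything was found.
audit_moodle_root() {
    root=$1
    webuser=$2
    findings=0

    # 1. Request-filtering code in config.php. The injected snippet in the post
    #    loops over $_REQUEST and exit()s on a preg_match, which is what produced
    #    the blank post.php. Assumption: a stock 1.x config.php only assigns $CFG
    #    values and never reads request superglobals.
    if [ -f "$root/config.php" ] && grep -nE '\$_(REQUEST|GET|POST)' "$root/config.php"; then
        echo "FINDING: config.php reads request data (lines above); compare against a known-good copy"
        findings=$((findings + 1))
    fi

    # 2. The backdoor file name reported in the thread.
    if [ -e "$root/license.php" ]; then
        echo "FINDING: unexpected file $root/license.php"
        findings=$((findings + 1))
    fi

    # 3. Files the web server process could rewrite: world-writable, or owned by
    #    the web server user when one is given. moodledata is skipped because
    #    Moodle must be able to write there.
    if [ -n "$webuser" ]; then
        writable=$(find "$root" -path "$root/moodledata" -prune -o -type f \( -perm -002 -o -user "$webuser" \) -print)
    else
        writable=$(find "$root" -path "$root/moodledata" -prune -o -type f -perm -002 -print)
    fi
    if [ -n "$writable" ]; then
        printf '%s\n' "$writable" | sed 's/^/FINDING: web-writable file: /'
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}
```

Run it as `audit_moodle_root /var/www/moodle apache` (adjust the path and user to your host); a clean tree returns 0 and prints nothing. The config.php check deliberately flags any use of request superglobals rather than the exact regex from the post, since a later variant of the same trick would use different keywords.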

In reply to Andrew Coile

Re: forum posting problems - blank screen - post.php

by Jimmy AC -
license.php is not encrypted; it is a compressed remote admin script that gives total control of your host to someone. Maybe an old Moodle version caused this problem.

http://packetstormsecurity.org/filedesc/moodle-exec.txt.html
http://en.wikipedia.org/wiki/Remote_File_Inclusion
In reply to Jimmy AC

Re: forum posting problems - blank screen - post.php

by Timothy Takemoto -

What should we do to prevent this? At the end of the wikipedia article quoted above it says

RFI attacks are possible because of several PHP configuration flags:

  • One is called register_globals. register_globals automatically defines variables in the script that are entered in the page URL. In this example, the $page variable will automatically be filled with http://malicious.code.com/C99.txt?archive.php before the script is executed. Because of this security vulnerability, register_globals is set to OFF by default on newer servers.
  • Another one, even more relevant to this attack, is allow_url_fopen. This defines if PHP should be able to fetch remote content in almost any function that takes a file name as a parameter. In PHP 5.2 this setting was separated for the include() family of functions and called allow_url_include. This specifically addresses the fact that the attack described here makes up the majority of security holes in current PHP software.

register_globals is off but allow_URL_fopen is On.

It seems that turning allow_url_fopen to Off has had issues with Turnitin and SCORM, but I use neither.

I also hear that there is some Turkish / Joomla related way of emulating register_globals if the hacker can upload a certain file.

So I would like to turn off allow_url_fopen too.

I tried uploading a .htaccess file containing
ini_set(allow_url_fopen, 'Off')
but that caused my site to go down with an Internal server error. Uploading a file called php.ini containing
allow_url_fopen=Off
or
allow_url_fopen=0
did not make any difference. I guess that my host does not allow local php.inis.

Aha, then I found Mauno Korpelainen's great advice on turning register_globals off locally.

So the solution for me seems to be to create a .htaccess file containing

php_flag register_globals   0
php_flag allow_url_fopen   0

(I don't need the first line.) This may cause problems for Turnitin and some SCORM modules in some versions of moodle.

By the way to create .htaccess, first create a file called htaccess.txt, upload it to your server, and then rename it to .htaccess but make sure your ftp software will display files beginning with a dot. My FFFTP has a show files beginning with a dot option which even if selected did not show the htaccess file.

If anyone has any other ideas on how to make older moodles more secure, then I would be grateful for an email to nospam at nihonbunka dot com

Tim
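
Tim's post shows both the form that works (php_flag lines in .htaccess) and the form that takes the site down (a PHP ini_set() call in .htaccess, which Apache cannot parse), plus a php.ini that the host may silently ignore. The following shell function is an added example, not code from this thread or from Moodle: it reads either an Apache .htaccess or a php.ini-style file and reports what that file would set a given PHP setting to, so the file can be checked before it is uploaded. It assumes the file uses only php_flag/php_value or key = value lines, and it only describes the file's intent; whether PHP honours it can only be confirmed from PHP itself (phpinfo() or ini_get()).

```shell
#!/bin/sh
# Added example (not from the thread or Moodle): report how FILE sets SETTING.
# FILE may be an Apache .htaccess (php_flag / php_value lines) or a php.ini-style
# file (key = value). Prints one of: on, off, unset, invalid.
# "invalid" means the file contains PHP code such as ini_set(...), which Apache
# cannot parse and answers with a 500 Internal Server Error, as in the post.
# Usage: php_setting_state FILE SETTING
php_setting_state() {
    file=$1
    setting=$2
    awk -v want="$(printf '%s' "$setting" | tr 'A-Z' 'a-z')" '
        BEGIN { state = "unset" }
        /^[ \t]*[#;]/ { next }                   # comment line in either format
        /ini_set[ \t]*\(/ { state = "invalid"; exit }   # PHP code does not belong here
        {
            line = tolower($0)                   # PHP ini names and values are case-insensitive
            key = ""; val = ""
            if (match(line, /^[ \t]*php_(flag|value)[ \t]+/)) {
                # .htaccess form: php_flag name value
                rest = substr(line, RLENGTH + 1)
                n = split(rest, f, /[ \t]+/)
                key = f[1]; val = (n >= 2) ? f[2] : ""
            } else if (index(line, "=") > 0) {
                # php.ini form: name = value
                key = line; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
                val = line; sub(/^[^=]*=/, "", val); gsub(/[ \t]/, "", val)
            }
            # Later lines override earlier ones, as PHP itself does.
            if (key == want) {
                if (val == "0" || val == "off" || val == "false" || val == "no" || val == "")
                    state = "off"
                else
                    state = "on"
            }
        }
        END { print state }
    ' "$file"
}
```

Typical use is `php_setting_state .htaccess allow_url_fopen` before renaming htaccess.txt on the server. Note that php_flag lines are only honoured when PHP runs as an Apache module and the host allows `AllowOverride Options`; under CGI or FastCGI setups Apache rejects them with the same 500 error, which is one reason a host may require a local php.ini instead.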

In reply to Andrew Coile

Re: forum posting problems - blank screen - post.php

by Francis Brouns -
Hi,

in September we started having problems with 3 moodle sites we are running from the same server. Unfortunately this server is still on Moodle 1.5.3+. Sometimes we could not update a resource, edit a wiki or post a message to a forum. It looked like the length of the message was the problem, because sometimes short messages could be posted and longer messages would fail. But then occasionally longer messages would go through. Today a colleague found out that the word include prevented any posting. From there on we found your message. And indeed a file license.php was added to the moodle root directory and config.php was changed. So far, I've found attempts from Texas and London.

Like you suggest, I've adjusted config.php, removed license.php and made the directories read-only. But I would like to know how this could have happened in the first place.

Best,
Francis
In reply to Francis Brouns

Re: forum posting problems - blank screen - post.php

by Timothy Takemoto -
It would be great to know how to patch old moodles so that they can't be hacked.

I had symptoms a bit like on this thread and thought that I had been hacked apart but it turned out to be a server problem.

Tim