modxcms / evolution

This repository was Frozen. Welcome to the new evolution of MODX Evolution!
https://github.com/evolution-cms/

Attempt to access "mysite/functions.php" results in a parser error instead of an expected 404 page. #1068

Closed garolou closed 7 years ago

garolou commented 7 years ago

Attempt to access "amarosia.com/functions.php" or "amarosia.com/functions.php.html" results in a parser error instead of an expected 404 page.

The file functions.php does not exist, thus a 404 is expected. I get a parser error from my location and from the hacker's location; however, it was reported as a 404 by another user.

Evolution 1.2 and the previous version; PHP version 5.5.36

Error : syntax error, unexpected 'global' (T_GLOBAL), expecting '{'

Error information
ErrorType[num]: PARSING ERROR[4]
File: /home/amarosia/public_html/manager/includes/document.parser.class.inc.php(1341) : eval()'d code
Line: 2
Source: Snippet
Current Snippet: functions

Backtrace
DocumentParser->executeParser()
index.php on line 128
DocumentParser->prepareResponse()
manager/includes/document.parser.class.inc.php on line 2118
DocumentParser->outputContent()
manager/includes/document.parser.class.inc.php on line 2184
DocumentParser->parseDocumentSource('[[functions]]')
manager/includes/document.parser.class.inc.php on line 658
DocumentParser->evalSnippets('[[functions]]')
manager/includes/document.parser.class.inc.php on line 1968
DocumentParser->_get_snip_result('functions')
manager/includes/document.parser.class.inc.php on line 1393
DocumentParser->evalSnippet(string $var1, array $var2)
manager/includes/document.parser.class.inc.php on line 1443
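
The backtrace above shows the request never reaching a 404: the friendly-URL rule hands "functions.php" to index.php, a resource resolves, and the parser evals the snippet "functions", which fails with a parse error. The script below is an added example (not MODX's own code) of the post-cleanup audit this points at: it walks constructed stand-ins for the site_content and site_snippets rows, flags resource aliases that look like PHP files, snippet calls that reference no existing snippet, and snippet code with unbalanced braces; the brace check is a crude offline substitute for running `php -l` on each snippet.

```python
import re

# MODX Evolution snippet calls: [[name]] (cached) or [!name!] (uncached),
# optionally followed by "? &param=`value`" parameters.
SNIPPET_CALL = re.compile(r"\[(?:\[|!)\s*([A-Za-z0-9_.-]+)\s*(?:\?.*?)?(?:\]\]|!\])", re.S)

def snippet_calls(content):
    """Return the set of snippet names a resource's content would evaluate."""
    return set(SNIPPET_CALL.findall(content))

def braces_balanced(code):
    """Crude stand-in for `php -l`: count { and } outside quoted strings.
    A stray closing brace (or a missing opening one before `global`) is exactly
    the kind of defect that surfaces as "expecting '{'" only when the snippet is eval'd."""
    depth, quote = 0, None
    for ch in code:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if depth < 0:
            return False
    return depth == 0

def audit(resources, snippets):
    """Return (kind, resource_id, detail) findings for aliases that mimic PHP files,
    calls to snippets that do not exist, and snippets whose code will not parse."""
    findings = []
    for r in resources:
        if re.search(r"\.(php|phtml)(\.|$)", r["alias"], re.I):
            findings.append(("suspicious-alias", r["id"], r["alias"]))
        for name in sorted(snippet_calls(r["content"])):
            if name not in snippets:
                findings.append(("missing-snippet", r["id"], name))
            elif not braces_balanced(snippets[name]):
                findings.append(("unbalanced-snippet", r["id"], name))
    return findings

# Constructed sample rows (not from the reporter's site); field names mirror
# the id/alias/content columns of site_content and name/snippet of site_snippets.
RESOURCES = [
    {"id": 1, "alias": "home", "content": "<h1>Welcome</h1>[[Wayfinder? &startId=`0`]]"},
    {"id": 2, "alias": "functions.php", "content": "[[functions]]"},
    {"id": 3, "alias": "contact", "content": "[!eForm? &formid=`c`!] [[gone]]"},
]
SNIPPETS = {
    "Wayfinder": "<?php return '';",
    "functions": "function init()\nglobal $modx;\nreturn $modx;\n}",  # missing '{'
    "eForm": "<?php return 'ok';",
}

if __name__ == "__main__":
    for kind, rid, detail in audit(RESOURCES, SNIPPETS):
        print(f"{kind}: resource {rid} -> {detail}")
```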
Deesen commented 7 years ago

Has your site been hacked recently and you tried to clean it up? Looking at https://www.google.com/search?q=site%3Aamarosia.com this was the case. There is maybe some corrupt code left for example in /.htaccess ?

Deesen commented 7 years ago

Maybe this also helps https://github.com/modxcms/evolution/issues/979#issuecomment-264714589

garolou commented 7 years ago

I was hacked last week. I patched, and basically deleted everything and reloaded the then current version. One hour or so ago I upgraded to 1.2 hoping this issue would be eliminated.

Here is my .htaccess

# For full documentation and other suggested options, please see
# http://rtfm.modx.com/evolution/1.0/administration/friendly-url-solutions
# including for unexpected logouts in multi-server/cloud environments
# and especially for the first three commented out rules

#php_flag register_globals Off
AddDefaultCharset utf-8
#php_value date.timezone Europe/Moscow

#Options +FollowSymlinks
RewriteEngine On
RewriteBase /

# Fix Apache internal dummy connections from breaking [(site_url)] cache
RewriteCond %{HTTP_USER_AGENT} ^.*internal\ dummy\ connection.*$ [NC]
RewriteRule .* - [F,L]

# Rewrite domain.com -> www.domain.com -- used with SEO Strict URLs plugin
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} (.+)$
RewriteRule ^(.*)$ http://www.%1/$1 [R=permanent,L]

# without www
#RewriteCond %{HTTP_HOST} .
#RewriteCond %{HTTP_HOST} !^example\.com [NC]
#RewriteRule (.*) http://example.com/$1 [R=301,L]

# without www all domains
#RewriteCond %{HTTP_HOST} .
#RewriteCond %{HTTP_HOST} ^www.(.*)$ [NC]
#RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

# Exclude /assets and /manager directories and images from rewrite rules
RewriteRule ^(manager|assets)/.*$ - [L]
RewriteRule \.(jpg|jpeg|png|gif|ico)$ - [L]

# For Friendly URLs
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

# Reduce server overhead by enabling output compression if supported.
#php_flag zlib.output_compression On
#php_value zlib.output_compression_level 5

# 6G FIREWALL/BLACKLIST
# @ https://perishablepress.com/6g/

# 6G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
    RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} ([a-z0-9]{2000}) [NC,OR]
    RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
    RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
    RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
    RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
    RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
    RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
    RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
    RewriteRule .* - [F]
</IfModule>

# 6G:[REQUEST METHOD]
<IfModule mod_rewrite.c>
    RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|put|trace|track) [NC]
    RewriteRule .* - [F]
</IfModule>

# 6G:[REFERRERS]
<IfModule mod_rewrite.c>
    RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000}) [NC,OR]
    RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
    RewriteRule .* - [F]
</IfModule>

# 6G:[REQUEST STRINGS]
<IfModule mod_alias.c>
    RedirectMatch 403 (?i)([a-z0-9]{2000})
    RedirectMatch 403 (?i)(https?|ftp|php):/
    RedirectMatch 403 (?i)(base64_encode)(.*)(\()
    RedirectMatch 403 (?i)(=\\\'|=\\%27|/\\\'/?)\.
    RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$
    RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")
    RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)
    RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
    RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
    RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
    RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
</IfModule>

# 6G:[USER AGENTS]
<IfModule mod_setenvif.c>
    SetEnvIfNoCase User-Agent ([a-z0-9]{2000}) bad_bot
    SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot

    # Apache < 2.3
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
        Deny from env=bad_bot
    </IfModule>

    # Apache >= 2.3
    <IfModule mod_authz_core.c>
        <RequireAll>
            Require all Granted
            Require not env bad_bot
        </RequireAll>
    </IfModule>
</IfModule>

# 6G:[BAD IPS]
<Limit GET HEAD OPTIONS POST PUT>
    Order Allow,Deny
    Allow from All
    # uncomment/edit/repeat next line to block IPs
    # Deny from 123.456.789
</Limit>
Deesen commented 7 years ago

htaccess looks new indeed. Do you have a snippet called "functions"? Have you re-checked hidden plugins?

garolou commented 7 years ago

Yes there is a snippet called "functions" part of "formbuilder"... Renaming it and clearing cache manually did not change outcome.

Evocheck has not revealed anything yet. Will compare version 1.2 with previous, maybe some plugins have been dropped in this latest version that are still residing on my site.

garolou commented 7 years ago

Thanks a lot for your help Deesen! I found a reference to functions.php in the resources. I'll need to seek out why it's there, if it's my doing or a hacker's. At least I know this issue is limited to my site. I'll fix it tonight after work; for now I'll put my site offline in case there are other side effects I don't know about.

Thanks again Deesen