Settings->Custom_Fields->Select_box->Options not working
Moderator: mkoch227
-
- Posts: 7
- Joined: Tue Jul 07, 2015 8:16 pm
Settings->Custom_Fields->Select_box->Options not working
Script URL: http://cjsuccessteam.net/support/
Version of script: 2.6.7
Hosting company: CJ Success Team LLC
URL of phpinfo.php: http://cjsuccessteam.net/support/phpinfo.png (phpinfo is disabled for security reasons)
URL of session_test.php: http://cjsuccessteam.net/support/session_test.php
What terms did you try when SEARCHING for a solution: PHP Junkyard Forum, Google, Hesk Knowledgebase, readme.html
Write your message below:
After upgrading from Hesk 2.6.6 to 2.6.7 we noticed that when we go to Settings -> Custom Fields -> Options (for Select box only) instead of seeing the Select box options page we get routed back to the root domain for the website. Options for Text field work normally. We did try disabling one Select box Custom Field, then re-enabling it, and re-entering the Select box field options, this went normally for initial setup, but after performing a Save and then attempting to click Options for the Select box again - the same problem occurred.
Both Custom Fields for Select box(es) and Text field(s) work fine when creating/updating tickets. This is only a problem when attempting Settings -> Custom Field -> Options (for Select box). What we didn't attempt to do was a complete reinstall of Hesk 2.6.7.
Re: Settings->Custom_Fields->Select_box->Options not working
Do you have mod_security enabled on your server? Ask your hosting company to check if any rules are being triggered for your "admin/options.php" file.
Here are some mod_security rules that are known to cause false triggers, but there could be others (mod security audit log should have the answer):
viewtopic.php?f=13&t=5498
Klemen, creator of HESK and PHPJunkyard
Re: Settings->Custom_Fields->Select_box->Options not working
Yes, mod_security is on. It appears each time we try to select Options for a Select box it is triggering the rule "950901: SQL Injection Attack: SQL Tautology Detected". We did report this to our admin maintenance staff and asked them to try to prevent these false positives from happening. However it should be noted that none of the mod_security rules were updated/changed in the past year or so, so why this would suddenly be an issue with Hesk is puzzling to us, unless it's due to some recent update to Hesk that is now triggering certain mod_security rules, which weren't being triggered before.
This is a dedicated server, so we do our own maintenance, so we are aware of what tweaks and modifications are made to our server.
Re: Settings->Custom_Fields->Select_box->Options not working
The options.php file never interacts with the database nor has it changed in the 2.6.7 update.
My guess is one of the select options is causing the false trigger. The options are passed to the options.php in a query string and that is what mod_security examines/detects.
I bet you can create a new select field with just "Test" and "Test2" options and successfully edit it?
Klemen, creator of HESK and PHPJunkyard
Re: Settings->Custom_Fields->Select_box->Options not working
P.s.: I had a look at rule 950901 and it's probably being triggered because one of the options has text enclosed in a pair of quotes? The rule checks for various quote chars:
Code:
'"`´’‘
The audit log should show exact matched data that caused the trigger.
Klemen, creator of HESK and PHPJunkyard
Re: Settings->Custom_Fields->Select_box->Options not working
Klemen, our maintenance admins white-listed mod security rules 950901, and 981257 for the account that Hesk is installed on. No sooner than that was done when we attempted the Options settings change again for any of the Select boxes but now we've triggered yet a different mod security rule, 981245. We will again ask our maintenance admins to also white-list this rule for this account. They inform me that white-listing certain rules for only certain accounts poses the least risk to our dedicated server.
It's unfortunate, but with popular domains hackers/hacking attacks are a very common occurrence, so we must constantly be vigilant for security concerns in order to keep our domains safe, up, and running properly. That means leaving ModSecurity enabled, but with minor changes to allow for normal operation of applications like Hesk.
Regarding your comment on special characters in any Select box field entries, the only special characters in use (have been since we installed your product years ago) are as follows: [:] colon, [-] dash, [.] period/dot, [/] forward slash, [(] left parenthesis, [)] right parenthesis, and [?] question mark. I'm sorry but there was no use of quotation marks in any of the Select box Options fields.
I did try creating a new Select box field, per your suggestion, giving it a field name of 'Test' (no quotes), and Options entries of Test1, Test2 - then saved this. As you suspected I was able to click Options and re-edit these values successfully. The previously entered Select box fields I am unable to re-edit (Options) are: Domain Visited, Product, and Issue Type.
If you would like I can send you a copy of the hesk_settings.inc.php file in a private message? That way you can know for certain if anything we have entered into the settings is causing the unusual number of mod security rule issues.
Ron
Re: Settings->Custom_Fields->Select_box->Options not working
The data that triggered the 981245 rule was:
GET /*****(URL masked)*****/options.php?i=custom4&q=REQUIRED%20-%20Select%20your%20Product%20from%20this%20list%20%23HESK%23-%20This%20Is%20Not%20A%20Product%20Issue%20-%23HESK%23Bonus%20Product%20or%20Item%23HESK%23Graphics%3A%20StackVideoPak%20Personal%23HESK%23Graphics%3A%20StackVideoPak%20Unlimited%23HESK%23Graphics%3A%20StackVideoPak%20While%20Label%23HESK%23Graphics%3A%20SVP%20Graphics%20Pak%23HESK%23Graphics%3A%20SVP%20Mega%20Video%20Pak%23HESK%23Media%3A%20SellingBlogAds%23HESK%23Membership%3A%20FREE%2FSilver%23HESK%23Membership%3A%20Purchased%2FGold%23HESK%23Membership%3A%20Purchased%2FPlatinum%23HESK%23Other%3A%20EmailBoostr%23HESK%23Software%3A%20Alexa%20Ranker%23HESK%23Software%3A%20Blog%20Updater%20Standard%23HESK%23Software%3A%20Blog%20Updater%20Professional%23HESK%23Software%3A%20Backlink%20Renegade%23HESK%23Software%3A%20Blog%20Commenter%23HESK%23Software%3A%20Forum%20Renegade%23HESK%23Software%3A%20Keyword%20Master%23HESK%23Software%3A%20Master%20License%20(TopDogIMSoftware)%23HESK%23Software%3A%20Niche%20Generator%23HESK%23Software%3A%20Social%20Master%23HESK%23Software%3A%20Stats%20Blaster%23HESK%23Software%3A%20Stealth%20Backlink%20Sniper%23HESK%23Software%3A%20Tweet%20Magnate%23HESK%23Software%3A%20Twitter%20Bot%23HESK%23Software%3A%20Wait%20N%20Reply%23HESK%23Software%3A%20WP%20Spy%20(Not%20Plugin%2FPro%2FOnline%2FWL)%23HESK%23Software%3A%20WP%20Spy%20Online%23HESK%23Software%3A%20WP%20Spy%20Pro%20Online%23HESK%23Software%3A%20WP%20Spy%20White%20Label%23HESK%23Training%3A%20Web%202.0%20Breakout%23HESK%23WP%20Plugin%3A%20Auto%20Post%20Wiz%23HESK%23WP%20Plugin%3A%20AutomaticBonusDelivery%23HESK%23WP%20Plugin%3A%20Comment%20Reward%20Wiz%23HESK%23WP%20Plugin%3A%20Content%20Secure%20Wiz%23HESK%23WP%20Plugin%3A%20Content%20Spinner%20Wiz%23HESK%23WP%20Plugin%3A%20Duplicate%20Examiner%20%26%20Now%20Or%20Never%23HESK%23WP%20Plugin%3A%20Duplicate%20Examiner%20Wiz%23HESK%23WP%20Plugin%3A%20EasyWP%23HESK%23WP%20Plugin%3A%20FB%20Infiltrator%23HESK%23WP%20Pl
ugin%3A%20FTPWarmup%23HESK%23WP%20Plugin%3A%20Now%20Or%20Never%20Wiz%23HESK%23WP%20Plugin%3A%20Optin%20Wiz%23HESK%23WP%20Plugin%3A%20Redirect%20Buddy%23HESK%23WP%20Plugin%3A%20Rotation%20Genie%23HESK%23WP%20Plugin%3A%20Secrets%20Video%20Tutorial%20%26%20WP%20Text%20Expander%23HESK%23WP%20Plugin%3A%20Voting%20Wiz%23HESK%23WP%20Plugin%3A%20WP%20Lockdown%23HESK%23WP%20Plugin%3A%20WP%20Share%23HESK%23WP%20Plugin%3A%20WP%20Social%20Mage%201-Site%23HESK%23WP%20Plugin%3A%20WP%20Social%20Mage%20Developers%23HESK%23WP%20Plugin%3A%20WP%20Social%20Mage%20Professional%23HESK%23WP%20Plugin%3A%20WP%20Social%20Mage%20White%20Label%23HESK%23WP%20Plugin%3A%20WP%20Social%20Mage%20(Multiple%20Products)%23HESK%23WP%20Plugin%3A%20WP%20Social%20Miner%23HESK%23WP%20Plugin%3A%20WP%20Spam%20Renegade%23HESK%23WP%20Plugin%3A%20WP%20Spy%23HESK%23WP%20Plugin%3A%20WP%20Spy%20Pro%23HESK%23WP%20Plugin%3A%20WP%20Spy%20White%20Label%23HESK%23WP%20Plugin%3A%20WP%20Text%20Expander%20Wiz%23HESK%23WP%20Plugin%3A%20WPOptimizer%23HESK%23Not%20CJSuccessTeam%2FTopDogIMSoftware%20Product%23HESK%23-%20The%20Product%20Is%20Not%20Listed%20-&t=select&m=255
And the Action Description:
Access denied with redirection to http://cjsuccessteam.net/ using status 302 (phase 2).
Justification:
Pattern match "(?i:(?:union\\s*?(?:all|distinct|[(!@]*?)?\\s*?[([]*?\\s*?select\\s+)|(?:\\w+\\s+like\\s+[\"'`])|(?:like\\s*?[\"'`]\\%)|(?:[\"'`]\\s*?like\\W*?[\"'`\\d])|(?:[\"'`]\\s*?(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)\\s+[\\s\\w]+=\\s*?\\w+\\s*? ..." at ARGS:q.
If this information helps...
Re: Settings->Custom_Fields->Select_box->Options not working
It's a complicated regex and a complicated GET query (full of potential trigger words), hence all the false alerts.
The good news is the custom fields handling has been completely rewritten for Hesk 2.7.0 so when it's released it should hopefully help put an end to Options related mod_security false alerts.
Until 2.7.0 is available you can:
- disable rules
- make changes
- enable back rules
It is also possible to disable rules per file/directory only, so your staff could disable them for the options.php file only and keep them active for the rest of the server.
Klemen, creator of HESK and PHPJunkyard
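The per-file exclusion suggested in the post above, as an added ModSecurity 2.x / Apache configuration example that is not part of the original posts. The rule IDs and the `ARGS:q` target come from the thread; the `/support/admin/options.php` path is inferred from the Script URL, and the directory path and `id:1000001` are placeholders.

```apache
# Added example (not from the thread). Assumes ModSecurity 2.x on Apache and that
# these lines are loaded AFTER the rule set that defines 950901/981257/981245.

# Broadest (illustration only, placeholder path): turning the engine off for the
# whole HESK tree removes all WAF coverage, including the public ticket forms.
# <Directory "/path/to/account/public_html/support">
#     SecRuleEngine Off
# </Directory>

# Option A: drop only the three rule IDs named in the thread, and only for the
# admin options.php endpoint. Every other rule still inspects this URL, and
# these three rules still protect the rest of the site.
<LocationMatch "^/support/admin/options\.php$">
    SecRuleRemoveById 950901 981257 981245
</LocationMatch>

# Option B (use instead of A): keep rule 981245 active on options.php but stop
# it inspecting the "q" parameter, which is the target the audit log reported
# ("at ARGS:q"). Runs in phase 1 so it takes effect before the phase 2 rule.
# Add 950901 and 981257 the same way only if the audit log shows ARGS:q as
# their matched target too (assumption, not stated in the thread).
SecRule REQUEST_FILENAME "@endsWith /support/admin/options.php" \
    "id:1000001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=981245;ARGS:q"
```

After reloading Apache, the audit log should show no further entries for the excluded IDs on options.php while other URLs under the account still log and block as before.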
Re: Settings->Custom_Fields->Select_box->Options not working
Klemen wrote: The good news is the custom fields handling has been completely rewritten for Hesk 2.7.0
Out of curiosity, would you be able to elaborate on how custom fields are being redone? I was planning on a custom field overhaul for Mods for HESK, but I would rather wait at this point depending on how much is being changed.
Mike, Lead Developer of
HESK: A surprisingly simple, user-friendly and FREE help desk software with integrated knowledgebase.
Re: Settings->Custom_Fields->Select_box->Options not working
They are being moved from the settings file to the database along with several improvements:
- increased number to 50
- able to translate
- able to tie to categories
- public/private
- reorder
Here's the new interface from my development version:
http://www.hesk.com/extras/270/custom_fields.png
I expect to have most of 2.7.0 ready in August, I will release a beta version on the forum so you can test and see the changes/code.
Klemen, creator of HESK and PHPJunkyard
Re: Settings->Custom_Fields->Select_box->Options not working
Klemen, sounds good on the 2.7.0 enhancements. For now I guess this problem is resolved on our part. Our server maintenance admins decided to just white-list this entire account in ModSecurity (for now) since they were getting tired of "playing whackamole" with the account and the ModSecurity rules issues. LOL
Once they did that, the issues with Hesk Custom Field Options went away. As I mentioned to you before, we lease our own dedicated server (from Leaseweb, Virginia U.S.), but we pay a company a monthly service fee to handle much of the day-to-day drudge work that dedicated server maintenance often involves. It's a flat fee so we really aren't bothered opening multiple service tickets for issues like this, but it is certainly easier when Hesk is running smoothly without such hiccups. Looking forward to 2.7.0! Great product btw.
Ron