Forum for discussing general topics related to Couch.
Hi,

I've inherited a website for a non-profit club which is built around CouchCMS. It's currently using CouchCMS v2.0 (as far as I can see) and PHP v7.0. I've learnt enough to find my way around and make some basic changes to the site, but I don't have an extensive knowledge of CouchCMS, or the full detail of the site. The site isn't massively complex and I'm not currently planning any major changes to the site - just adding the odd page here and there.

I need to upgrade from PHP v7.0, ideally to v7.3 to avoid extra support costs from our hosting provider. Are there likely to be any problems with this move in terms of compatibility?

Also, would it make sense to upgrade CouchCMS to a newer version, or am I OK with v2.0.

Sorry if this is covered elsewhere, but I couldn't find anything on version compatibility on this version mix in the documentation or forum.

Thanks,
Mark.
Hi Mark,

I don't see any problem upgrading the PHP version - just make sure you take a full database backup first (advisable before all major operations on any site).

As for upgrading Couch, all later versions have fixes and enhancements. However, if you are happy with your site as is, you may stay put with the existing version.
Thanks KK.
For feedback, I upgraded to PHP 7.3 today and everything went smoothly and seems to work.

Thanks for the support.

Cheers,
Mark.
Sorry for reopening an old thread, but I was about to open a new thread with the same title!
I moved my domain to a new account and that included ftp the whole site to the new account and copy database. Everything seems to work ok except that when I try to SAVE content to the home page (via admin) I crash with a 500 Internal Server Error. Doing a SAVE from all the other pages works ok. The error log looks like this:

[Fri Mar 04 17:36:25.568452 2022] [fcgid:warn] [pid 243468:tid 140188432164608] [client 66.33.200.4:45788] mod_fcgid: stderr: PHP Deprecated:  Array and string offset access syntax with curly braces is deprecated in /home/clupre/covinasunriserotary.com/couch/tags.php on line 4121
[Fri Mar 04 17:36:25.568455 2022] [fcgid:warn] [pid 243468:tid 140188432164608] [client 66.33.200.4:45788] mod_fcgid: stderr: PHP Deprecated:  Array and string offset access syntax with curly braces is deprecated in /home/clupre/covinasunriserotary.com/couch/tags.php on line 5809
[Fri Mar 04 17:36:25.568462 2022] [fcgid:warn] [pid 243468:tid 140188432164608] [client 66.33.200.4:45788] mod_fcgid: stderr: PHP Deprecated:  Array and string offset access syntax with curly braces is deprecated in /home/clupre/covinasunriserotary.com/couch/tags.php on line 6760
[Fri Mar 04 17:36:25.568465 2022] [fcgid:warn] [pid 243468:tid 140188432164608] [client 66.33.200.4:45788] mod_fcgid: stderr: PHP Deprecated:  Array and string offset access syntax with curly braces is deprecated in /home/clupre/covinasunriserotary.com/couch/tags.php on line 7364
[Fri Mar 04 17:36:25.568469 2022] [fcgid:warn] [pid 243468:tid 140188432164608] [client 66.33.200.4:45788] mod_fcgid: stderr: PHP Deprecated:  Array and string offset access syntax with curly braces is deprecated in /home/clupre/covinasunriserotary.com/couch/addons/relation/relation.php on line 260
[Fri Mar 04 17:36:25.568474 2022] [fcgid:warn] [pid 243468:tid 140188432164608] [client 66.33.200.4:45788] mod_fcgid: stderr: PHP Deprecated:  Array and string offset access syntax with curly braces is deprecated in /home/clupre/covinasunriserotary.com/couch/addons/inline/inline.php on line 122


I was using PHP 7.4 Fast CGI so I downgraded to 7.2 Fast CGI and I'm still getting the crash. Is PHP the real issue here? Why does the log say PHP Deprecated?
Why does the log say PHP Deprecated?

You are using an older version of Couch - this issue has long been fixed.

As for the error, had the issue been with Fast CGI etc., the error would have likely shown up on *all* pages.
But since this happens only on a specific page, I think the reason should be localized to some code on that particular page.

I'd expect the error log to show details of the 500 error; you sure there is nothing there pertaining to it?
I read that curly braces were deprecated in 7.4 so I backed it down to 7.3 Fast CGI. Then I submitted the page and got the error again. But my error log looks different now (no curly brace issues):

[Sat Mar 05 12:40:31.330627 2022] [:error] [pid 1499:tid 140349482030848] [client 24.180.61.28:57505] [client 24.180.61.28] ModSecurity: Warning. Pattern match "(?:;|\\\\{|\\\\||\\\\|\\\\||&|&&|\\\\n|\\\\r|\\\\$\\\\(|\\\\$\\\\(\\\\(|`|\\\\${|<\\\\(|>\\\\(|\\\\(\\\\s*\\\\))\\\\s*(?:{|\\\\s*\\\\(\\\\s*|\\\\w+=(?:[^\\\\s]*|\\\\$.*|\\\\$.*|<.*|>.*|\\\\'.*\\\\'|\\".*\\")\\\\s+|!\\\\s*|\\\\$)*\\\\s*(?:'|\\")*(?:[\\\\?\\\\*\\\\[\\\\]\\\\(\\\\)\\\\-\\\\|+\\\\w'\\"\\\\./\\\\\\\\]+/)?[\\\\\\\\'\\"]*(?:s[\\\\\\\\'\\"]* ..." at ARGS:f_main_rightside[2][sliderdesc]. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "158"] [id "932105"] [msg "Remote Command Execution: Unix Command Injection"] [data "Matched Data: ;set</span> when OSC clothed our last bunch of kids! This brings our grand total to over 35,000 that have new clothes since our project began&nbsp;in 1994.<br />\\x0d\\x0a<br />\\x0d\\x0a<br />\\x0d\\x0a<a href=\\x22operation-santa-clothes.php\\x22>Read more here</a> about this great project on our OSC page.</p>\\x0d\\x0a</div found within ARGS:f_main_rightside[2][sliderdesc]: <div class=\\x22shadowWhite\\x22 images=\\x22/images/kids-shopping.jpg\\x22 style=\\x22max-width: 380px; background-image:url('/im..."] [severi [hostname "www.covinasunriserotary.com"] [uri "/couch/"] [unique_id "YiPKv8MJPmaINKCkUhp7RAAAAA8"], referer: https://www.covinasunriserotary.com/couch/?o=index.php&q=edit/ece823b99cd53de27f9072328a082f3f/
[Sat Mar 05 12:40:31.331899 2022] [:error] [pid 1499:tid 140349482030848] [client 24.180.61.28:57505] [client 24.180.61.28] ModSecurity: Warning. Pattern match "(?i)(?:;|\\\\{|\\\\||\\\\|\\\\||&|&&|\\\\n|\\\\r|`)\\\\s*[\\\\(,@\\\\'\\"\\\\s]*(?:[\\\\w'\\"\\\\./]+/|[\\\\\\\\'\\"\\\\^]*\\\\w[\\\\\\\\'\\"\\\\^]*:.*\\\\\\\\|[\\\\^\\\\.\\\\w '\\"/\\\\\\\\]*\\\\\\\\)?[\\"\\\\^]*(?:s[\\"\\\\^]*(?:y[\\"\\\\^]*s[\\"\\\\^]*(?:t[\\"\\\\^]*e[\\"\\\\^]*m[\\"\\\\^]*(?:p[\\"\\\\^]*r[\\"\\\\^]*o[\\"\\\\^]*p[\\"\\\\^]*e ..." at ARGS:f_main_rightside[2][sliderdesc]. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "294"] [id "932115"] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: ;set</span> when OSC clothed our last bunch of kids! This brings our grand total to over 35,000 that have new clothes since our project began&nbsp;in 1994.<br />\\x0d\\x0a<br />\\x0d\\x0a<br />\\x0d\\x0a<a href=\\x22operation-santa-clothes.php\\x22>Read more here</a> about this great project on our OSC page.</p>\\x0d\\x0a</div found within ARGS:f_main_rightside[2][sliderdesc]: <div class=\\x22shadowWhite\\x22 images=\\x22/images/kids-shopping.jpg\\x22 style=\\x22max-width: 380px; background-image:url('/im..."] [sev [hostname "www.covinasunriserotary.com"] [uri "/couch/"] [unique_id "YiPKv8MJPmaINKCkUhp7RAAAAA8"], referer: https://www.covinasunriserotary.com/couch/?o=index.php&q=edit/ece823b99cd53de27f9072328a082f3f/
[Sat Mar 05 12:40:31.333041 2022] [:error] [pid 1499:tid 140349482030848] [client 24.180.61.28:57505] [client 24.180.61.28] ModSecurity: Rule 7fa5c6f20118 [id "932130"][file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "366"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.covinasunriserotary.com"] [uri "/couch/"] [unique_id "YiPKv8MJPmaINKCkUhp7RAAAAA8"], referer: https://www.covinasunriserotary.com/couch/?o=index.php&q=edit/ece823b99cd53de27f9072328a082f3f/
[Sat Mar 05 12:40:31.333371 2022] [:error] [pid 1499:tid 140349482030848] [client 24.180.61.28:57505] [client 24.180.61.28] ModSecurity: Rule 7fa5c51044e0 [id "932140"][file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "412"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.covinasunriserotary.com"] [uri "/couch/"] [unique_id "YiPKv8MJPmaINKCkUhp7RAAAAA8"], referer: https://www.covinasunriserotary.com/couch/?o=index.php&q=edit/ece823b99cd53de27f9072328a082f3f/
[Sat Mar 05 12:40:31.333436 2022] [:error] [pid 1499:tid 140349482030848] [client 24.180.61.28:57505] [client 24.180.61.28] ModSecurity: Rule 7fa5c51044e0 [id "932140"][file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "412"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.covinasunriserotary.com"] [uri "/couch/"] [unique_id "YiPKv8MJPmaINKCkUhp7RAAAAA8"], referer: https://www.covinasunriserotary.com/couch/?o=index.php&q=edit/ece823b99cd53de27f9072328a082f3f/
[Sat Mar 05 12:40:31.346234 2022] [:error] [pid 1499:tid 140349482030848] [client 24.180.61.28:57505] [client 24.180.61.28] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.covinasunriserotary.com"] [uri "/couch/"] [unique_id "YiPKv8MJPmaINKCkUhp7RAAAAA8"], referer: https://www.covinasunriserotary.com/couch/?o=index.php&q=edit/ece823b99cd53de27f9072328a082f3f/
I think I can see the problem -
your site seems to be using 'mod_security', an Apache addon, that acts as a security firewall to protect the site from hacking attempts.

Unfortunately, it can often get paranoid and come up with false alarms - like what is happening in your case where a legitimate post is rubbing it the wrong way (a particular string that you are saving seems to be the problem).

I think you need to take this issue up with your hosting provider and ask them to, perhaps, disable the particular rule that is triggering the 500 error.

Hope this helps.
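
The following is an added example, not part of the original posts: a small Python triage script for ModSecurity entries in the Apache error-log format quoted above. It groups entries by `unique_id` and pulls out the rule ids that matched, the request field they matched on, any rules that failed with PCRE limits, and the blocking decision, which is the detail a hosting provider needs to scope an exception to one rule and one field. The sample lines are constructed (shortened from the thread's log, with a placeholder client address and request id), and the function and field names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: four lines shortened from the error-log format quoted in the thread.
SAMPLE_LOG = r'''
[Sat Mar 05 12:40:31 2022] [:error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?:;|\\{)..." at ARGS:f_main_rightside[2][sliderdesc]. [file "REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "158"] [id "932105"] [msg "Remote Command Execution: Unix Command Injection"] [uri "/couch/"] [unique_id "EXAMPLE-REQ-1"]
[Sat Mar 05 12:40:31 2022] [:error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i)(?:;|\\{)..." at ARGS:f_main_rightside[2][sliderdesc]. [file "REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "294"] [id "932115"] [msg "Remote Command Execution: Windows Command Injection"] [uri "/couch/"] [unique_id "EXAMPLE-REQ-1"]
[Sat Mar 05 12:40:31 2022] [:error] [client 192.0.2.10] ModSecurity: Rule 000000000000 [id "932130"][file "REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "366"] - Execution error - PCRE limits exceeded (-8): (null). [uri "/couch/"] [unique_id "EXAMPLE-REQ-1"]
[Sat Mar 05 12:40:31 2022] [:error] [client 192.0.2.10] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [uri "/couch/"] [unique_id "EXAMPLE-REQ-1"]
'''

FIELD = re.compile(r'\[(id|msg|unique_id) "([^"]*)"\]')   # [key "value"] pairs
TARGET = re.compile(r' at ([A-Z_]+:\S+)\. \[file')        # variable the rule matched on
DENIED = re.compile(r'Access denied with code (\d+)')
SCORE = re.compile(r'Total Score: (\d+)')


def triage(log_text):
    """Group ModSecurity entries by unique_id and summarise why each request was blocked."""
    requests = defaultdict(
        lambda: {"matched": [], "pcre_errors": [], "status": None, "score": None})
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD.findall(line))
        req = requests[fields.get("unique_id", "unknown")]
        denied = DENIED.search(line)
        if denied:                                   # the blocking-evaluation rule fired
            req["status"] = int(denied.group(1))
            score = SCORE.search(line)
            req["score"] = int(score.group(1)) if score else None
        elif "PCRE limits exceeded" in line:         # rule could not be evaluated at all
            req["pcre_errors"].append(fields.get("id"))
        elif "ModSecurity: Warning." in line:        # rule matched and added to the score
            target = TARGET.search(line)
            req["matched"].append(
                (fields.get("id"), fields.get("msg"), target.group(1) if target else None))
    return dict(requests)


if __name__ == "__main__":
    for request_id, summary in triage(SAMPLE_LOG).items():
        print(request_id, summary)
```
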