Joomla 1.5 quirk in [20151206] – Core – Session Hardening patch

The Joomla 1.5 (EOL) patch to the session.php file has a quirk in it that raises a PHP notice. The advisory is

[20151206] – Core – Session Hardening

but if you blindly copy that file to your system then you will end up with a web site that raises many error messages,

Notice: Only variable references should be returned by reference in /libraries/joomla/session/session.php on line 343

I thought there would be a fix for this but when I googled for that message I found thousands of hits to broken Joomla web sites. Yes, hundreds of web sites are busted in that they have lots of error messages! The fix I have done is easy: edit the NEW session.php file you have downloaded as follows so that it passes a variable back,

--- /home/admin/Downloads/JOOMLASESSEIONHARDENFIX/sessionNEWSESSIONHARDEN.php
 +++ /home/admin/Downloads/JOOMLASESSEIONHARDENFIX/sessionNEWBORKEDEDITED.php
 @@ -339,8 +339,13 @@
 $error = null;
 return $error;
 }
 -
 - return $this->data->getValue($namespace . '.' . $name, $default);
 +
 +// removed this next line as it generates a Notice: Only variable references should be returned by reference error
 +// return $this->data->getValue($namespace . '.' . $name, $default);
 +// and define a variable with the data to be returned....
 +
 + $getnamespacenamedata = $this->data->getValue($namespace . '.' . $name, $default);
 + return $getnamespacenamedata;
 }

/**
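
Review bot: The added block at the end of the method keeps the old return $this->data->getValue(...) line as a comment plus three lines of explanation; in a file that exists to carry a security patch, drop the dead line and keep a single comment saying the value is assigned to a local because the method returns by reference. The temporary could have a shorter name such as $value, and the new lines should follow the indentation of the $error = null; return $error; branch just above, which already uses the same assign-then-return pattern.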

If you don’t know what to do with this change to get rid of that error message then you are going to have to find someone who has some PHP/Joomla experience to edit the files for you.

Acer Aspire ONE no WIFI in Ubuntu due to hardware switch state

Intermittently, when an Acer Aspire ONE suspends in Ubuntu 14.10, the WIFI does not come back. The hardware switch (a non-latching slider switch on the front right hand side of the laptop) has no effect. Rebooting and disabling/enabling Networking has no effect.

The rfkill list command will show,
0: phy0: Wireless LAN
Soft blocked: no
Hard blocked: yes

One way I found to clear this is to power down the laptop, then hold the WIFI switch to the right (i.e. in the on position) and use the power switch to turn on the laptop as normal while keeping the WIFI switch held on. You should see the little orange WIFI LED blink once. Once the laptop starts to boot up after the BIOS display, release the WIFI switch so it flips back to the left/off position.

The WIFI should be back to normal now and the rfkill list will show Hard blocked: no.

Windows XP stalls when opening DOCX.

A client has a Windows XP machine (due to be migrated) and it was very slow to open DOCX documents. This stalled Outlook when Outlook launched DOCX attachments and it stalled explorer from the File Manager too. The fix was simple – right mouse the document properties and reset the “Open with…” to the same Office program and the problem goes away.

List of emails not being displayed in top folder in Thunderbird after upgrade

After upgrading from a prior version 6 of Thunderbird to version 31 the top level folder for one account did not show a list of emails. The emails were there and when you clicked on the display it displayed the full email, but the space in the list was all blank rows and there were no column headings of subject, dates or recipients as you would expect.

The fix is trivially simple – click the folder display options and reset to the default. You can now fine-tune what you want displayed.

memtest86+ cannot load a ramdisk with an old kernel image

This error happens when you use UNetbootin to create an Ubuntu disk and it incorrectly adds a ramdisk to the memtest86+ boot option.

Until UNetbootin fix their code, cursor down to the “Test memory” option, hit tab and then at the boot options remove the “initrd=/ubninit” so that the command line is now just…

/install/mt86plus

and then hit enter and Memtest86+ will now run as expected.

My Ubuntu 14.04 currently has UNetbootin 585-2ubuntu1 and this quirk will possibly be fixed in newer releases, but sometimes all you have lying around is an emergency install USB/disk, so it is always good to know how to get around a problem rather than downloading new code.

Reporting fake Facebook profiles (group post bumping)

Facebook Group Post Bumping

Spammers or trolls like to bump posts on Facebook groups so that they push down other legitimate posts. It could be for ideological, monetary or trolling reasons.

This section looks at stopping post bumping on a group that’s done by a Fake Profile. This is a group member (we’ll call them BUMPER) who may or may not have blocked the admins (or blocked the “victim”). What the BUMPER does is create a fake profile, copy the profile image and name from a “victim”, then post, delete the post and deactivate their account.

All the group members see is the “victim” posting on the group, but they can never find the post (as it is deleted); the effect is that the post is bumped to the top of the group’s recent posts. If the victim is a trusted commenter then the other group members think the post was important. In effect the bumper is stealing the reputation of the victim.

Or the bumper is a troll and is trying to get other legitimate people deleted from a group. The group members complain that the “victim” is bumping posts. The admins then send a warning to the “victim” (who will obviously deny they bumped the thread as they didn’t). If the BUMPER keeps bumping posts using the victim’s fake profile details then eventually the admins would probably give up and block the “victim”. The bumper then updates their profile name and picture to their next victim and the cycle repeats.

To trap this you have two ways:

Finding and Reporting Fake Profile

The first way is to get the image location of the fake profile image and extract the Facebook ID from the group notifications. You need to turn on notifications for all posts on the group. Then, when the bump happens, you will see the post notification with the fake profile image. Do not click on the notification; instead identify the “background-image: url(‘ ’);” details. This varies by browser, but you right-mouse and “inspect element”, or you can look at the page info and under media hunt for the relevant background image, then copy that image URL. If you have no idea what this is then get an IT/web friend to help.

Here is an example fake profile image (I have changed the URL),
hxxps://fbcdn-profile-a.akamaihd.net/hprofile-ak-prn2/t1.0-1/c0.0.56.56/p56x56/10561831_1556141646027754_1263222964170380984_s.jpg

You can see 3 sets of decimal numbers between underscores and the Facebook ID (fbid) is the middle set of numbers between the underscores e.g. 1556141646027754

To visit this profile simply visit, facebook.com/1556141646027754  i.e. facebook.com/fbid

If the page is NOT visible then they have Deactivated their profile. Before you ask they have NOT blocked you because if they blocked you then you would NOT see the fake post notification.

You now have to wait and pounce. You have to work out the pattern of bumps. If it is utterly random then that is a bit of a problem, but if it is triggered on e.g. legitimate posts rising to the top of a group, and immediately after that happens the BUMPER bumps a stale post, then you may be able to see their profile.

When you do get through then you see a timeline that will contain images and profile picture copied from the real profile and you quickly need to report the profile as a Fake that is impersonating you. If you see the page and then it goes then the person is deactivating the profile. You need to retry until you trap them in the Facebook reporting system.

Post bumping but no notifications

If you see post bumps but there are no notifications then you or the fake profile has a block. If others (or admins) are complaining that YOU are bumping posts then that means a fake profile is imitating you and has blocked you. You need the admins or others to get the fbid and then get them to do the step above with finding the Facebook ID.

Admins trapping posts

If as an admin you see post bumping and deleting then you need to have an idea when it happens and then switch the group to admin approval only. Then the BUMPER post will be trapped in the admin approval queue and can’t be deleted. If the admins can’t see the details then that means they are blocked, so they need to promote someone else and then get that someone else to block permanently (and ideally report to Facebook). Whoever does the ban/block needs to verify they are blocking the fake profile and not rely on the name.

If the group is a busy one then this may be tedious and you may have to revert to Finding the Fake profile ID and then find the name in the group member list and verify the target is the fake profile (by examining the facebook ID name) and then block that fake profile.

Broken upstart causes Internal Error, No file name for udev

I was upgrading x2goserver and it stalled on * Cleaning up stale X2Go sessions. This is a normal log message within the /etc/init.d/x2goserver start() and it then runs x2gocleansessions after it logs this message. There shouldn’t have been any problems with this but it was just stuck there so I killed the dpkg and then I retried to add or remove anything but found that udev would not configure e.g. when I did sudo apt-get autoremove then I got,

Setting up udev (175-0ubuntu13.1) ...
invoke-rc.d: unknown initscript, /etc/init.d/udev not found.
dpkg: error processing udev (--configure):
 subprocess installed post-installation script returned error exit status 100!

Within synaptic when I tried to re-install udev then I got,

E: Internal Error, No file name for udev:amd64

The trick is that you can’t just re-install udev but must also re-install upstart.

This is because udev files link to upstart files. It is possible that a broken install has udev pointing at /etc/init.d/udev, and that file is a link to /lib/init/upstart-job, but upstart itself is missing for some reason.

There may be other packages that have this kind of dependency e.g. winbind ufw squid3 and so on and certainly the x2goserver didn’t want to start properly. If you look in the /etc/init and see broken links to /lib/init/upstart-job then your problem should be fixed if you re-install upstart first.

As an aside after the upstart and udev was all cleaned up then the x2goserver removal and installation then worked.
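
A quick way to check for the broken state described above, as an added example that is not part of the original post: the function lists symlinks in a directory that point at the upstart job wrapper while that wrapper file is missing. The function name and its two optional arguments are assumptions made for this example; the defaults follow the /etc/init.d/udev case in the text.

```shell
#!/bin/sh
# Added example (not from the original post).
# List init scripts that are symlinks to the upstart job wrapper when the
# wrapper itself is missing, i.e. the state that breaks "invoke-rc.d".
#
# Usage: dangling_upstart_links [DIR] [WRAPPER]
#   DIR      directory to scan            (assumed default: /etc/init.d)
#   WRAPPER  link target to look for      (assumed default: /lib/init/upstart-job)
# Prints one line per broken link; prints nothing when all links resolve.
dangling_upstart_links() {
    dir=${1:-/etc/init.d}
    wrapper=${2:-/lib/init/upstart-job}

    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi

    for entry in "$dir"/*; do
        # -L is true for a symlink even when its target no longer exists.
        [ -L "$entry" ] || continue

        # Only links that point at the upstart wrapper are of interest.
        target=$(readlink "$entry")
        [ "$target" = "$wrapper" ] || continue

        # -e follows the link, so it fails when the wrapper file is gone.
        if [ ! -e "$entry" ]; then
            printf '%s -> %s (target missing)\n' "$entry" "$target"
        fi
    done
    return 0
}

# Typical call on the affected machine:
#   dangling_upstart_links
#   dangling_upstart_links /etc/init.d /lib/init/upstart-job
```

Any output means upstart needs re-installing before the packages whose init scripts are listed.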

Using xboxdrv on Ubuntu to fault find PS3 Playstation controller

A Playstation PS3 controller has drift on the left hand analog stick. If you have xboxdrv installed then plug the PS3 controller into a Linux machine and do,

 sudo xboxdrv --detach-kernel-driver

in a command console and hit the PS button on the controller then the command console displays the key/stick values continuously. For my broken controller the “X1” when idle is 224 something and not 128.

Obviously you could replace the potentiometer but that’s assuming you can get the parts but you can clean and refurbish the potentiometers.

To do this unsolder just the single potentiometer from the controller PCB. It is held in by plastic tabs to the housing of the analog stick assembly so lever it out on its own.

You now have a single small potentiometer with 3 pins. The centre pin is at the 1/2 way resistance point. There should be a small plastic split pin on the centre of the tiny potentiometer that removes the rotary plastic part. I used a cotton-bud and alcohol to clean the internals of the potentiometer.

I also re-sprung the rotary part by using a pin/knife to bend up the small contact springs so that it made a good contact even when wiggled. That’s the important part – you have to test it with a multimeter and make sure it goes from 0-10 k Ohm from the centre pin to the outside pins.

On my sample controller the potentiometer was marked “103” and this means 10 kOhm. The outside pins are the full 10 kOhm value and the middle pin varies from 0 to 10 kOhm. I made sure it went over this range scale and stayed solid even when the centre rotary part was wiggled. A loose spring contact will mean jerky game play.

vTiger with PHP 5.4 ( session_unregister function removed)

With PHP 5.4 onwards the session_unregister function is removed. This means that you will get a “Fatal error: Call to undefined function session_unregister()”

vTiger 5.4 (the version number is just happenstance and has no relation to the PHP version number) code needs the following kludge to get around this. In /modules/Users/Authenticate.php at around line 69 make the following change,

//Security related entries end
// TODO: session_unregister was removed in php 5.4.0 so must remove this backwards compatibility switch.
if (function_exists('session_unregister')) {
    session_unregister('login_password');
    session_unregister('login_error');
    session_unregister('login_user_name');
} else {
    unset($_SESSION['login_password']);
    unset($_SESSION['login_error']);
    unset($_SESSION['login_user_name']);
}

Kohana 2.3 (used by blue.box) and PHP 5.4

If you are using Blue.box to configure your FreeSWITCH softswitch then blue.box uses Kohana 2.3 and this has a quirk with PHP 5.4 which means that you will end up with a blank page (even after a clean git pull) plus a spurious array to string conversion error.

For the BLANK screen issue, see https://gist.github.com/kemo/2881489 for a working fix. Note that that patch isn’t exactly lined up on the line numbers – my git diff is,

diff --git a/system/core/Kohana.php b/system/core/Kohana.php
index 56b44af..ee6c832 100644
--- a/system/core/Kohana.php
+++ b/system/core/Kohana.php
@@ -677,7 +677,7 @@ final class Kohana {
                if (ob_get_level() >= self::$buffer_level)
                {
                        // Set the close function
-                       $close = ($flush === TRUE) ? 'ob_end_flush' : 'ob_end_c
+$close = ($flush === TRUE) ? 'ob_end_flush' : 'Kohana::_ob_end_clean';

                        while (ob_get_level() > self::$buffer_level)
                        {
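
Review bot: In the changed $close assignment the new value 'Kohana::_ob_end_clean' is a Class::method string, and the body of the while loop that uses $close is cut off in this context, so how it gets called needs checking. If the loop calls it as a variable function, $close(), that form only accepts a Class::method string from PHP 7.0 on; on PHP 5.4 it would need call_user_func($close) or an array callable. The added line has also lost the indentation of the line it replaces.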
@@ -686,7 +686,7 @@ final class Kohana {
                        }

                        // This will flush the Kohana buffer, which sets self::
-                       ob_end_clean();
+Kohana::_ob_end_clean();

                        // Reset the buffer level
                        self::$buffer_level = ob_get_level();
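
Review bot: The replacement call Kohana::_ob_end_clean(); sits inside the Kohana class itself, where the neighbouring lines use self:: (as in self::$buffer_level); write self::_ob_end_clean(); for consistency and restore the indentation that the removed ob_end_clean(); line had.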
@@ -1604,6 +1604,30 @@ final class Kohana {

                return $written;
        }
+ /**
+ * Ends the current output buffer with callback in mind
+ * PHP doesn't pass the output to the callback defined in ob_start() since 5.4
+ *
+ * @param callback $callback
+ * @return boolean
+ */
+ protected static function _ob_end_clean($callback = NULL)
+ {
+ // Pre-5.4 ob_end_clean() will pass the buffer to the callback anyways
+ if (version_compare(PHP_VERSION, '5.4', '<'))
+ return ob_end_clean();
+
+ $output = ob_get_contents();
+
+ if ($callback === NULL)
+ {
+ $callback = arr::get(ob_list_handlers(), ob_get_level() - 1);
+ }
+
+ return is_callable($callback)
+ ? ob_end_clean() AND call_user_func($callback, $output)
+ : ob_end_clean();
+ }

 } // End Kohana
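
Review bot: The final return of _ob_end_clean() reports the wrong thing when a callback exists: ob_end_clean() AND call_user_func($callback, $output) evaluates to the truthiness of whatever the callback returns, so a handler that returns an empty string or nothing makes the method return FALSE even though the buffer was ended. End the buffer first and keep its result, call the callback, then return the stored result. The callback is also called with $output alone, while PHP passes output handlers a second status argument, so a handler that declares that parameter as required will fail here. The early return under version_compare() lacks the braces used in the rest of the method, and protected adds nothing in a final class (private would do).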

For the array to string conversion error you see the sort of useful orange trace back Kohana error page and this,

An error was detected which prevented the loading of this page. If this problem persists, please contact the website administrator.

bluebox/libraries/doctrine/lib/Doctrine/Query/Abstract.php [1103]:

Array to string conversion

To fix this you need to change Abstract.php and Lib.php: basically you add a new function arrayDiffSimple to Lib.php and then call that new function from Abstract.php.

diff --git a/bluebox/libraries/doctrine/lib/Doctrine/Lib.php b/bluebox/libraries
index 26c796d..d6b5c94 100644
--- a/bluebox/libraries/doctrine/lib/Doctrine/Lib.php
+++ b/bluebox/libraries/doctrine/lib/Doctrine/Lib.php
@@ -268,6 +268,45 @@ class Doctrine_Lib
         }
     }

+
+    // Code from symfony sfToolkit class. See LICENSE
+    // code from cto at verylastroom dot com
+    /**
+     * arrayDiffSimple
+     *
+     * array arrayDiffSimple ( array array1 , array array2 )
+     *
+     * Like array_diff
+     *
+     * arrayDiffSimple() has exactly the same behavior than array_diff, but can
+     * only 2 arrays. PHP versions > 5.4.0 generate some NOTICE if you use arra
+     * sometimes because of array_diff internal behavior with (string) casts.
+     * This method solves the problem.
+     *
+     * @param array $array1
+     * @param array $array2
+     * @static
+     * @access public
+     * @return array
+     */
+    public static function arrayDiffSimple($array1, $array2)
+    {
+        $diff = array();
+
+        foreach($array1 as $key => $val) {
+            if(!isset($array2[$key])) {
+                $diff[$key] = $val;
+            } else {
+                if(is_array($array2[$key]) && !is_array($val)) {
+                    $diff[$key] = $val;
+                }
+            }
+        }
+
+        return $diff;
+    }
+
+
     /**
      * Makes the directories for a path recursively.
      *
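
Review bot: The docblock for arrayDiffSimple() says it behaves exactly like array_diff, but the loop never compares values: an entry is kept only when its key is not set in $array2, or when $array2 holds an array under that key and $array1 does not. That is a key-based diff, and isset() also treats a NULL value in $array2 as absent. State in the docblock what the function actually compares, and consider a name that does not suggest a drop-in replacement, so a later caller does not use it where a value comparison is expected.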
diff --git a/bluebox/libraries/doctrine/lib/Doctrine/Query/Abstract.php b/bluebo
index 981603d..6bc2820 100644
--- a/bluebox/libraries/doctrine/lib/Doctrine/Query/Abstract.php
+++ b/bluebox/libraries/doctrine/lib/Doctrine/Query/Abstract.php
@@ -1098,9 +1098,9 @@ abstract class Doctrine_Query_Abstract
         $componentsAfter = $copy->getQueryComponents();

         $this->_rootAlias = $copy->getRootAlias();
-       
+
         if ($componentsBefore !== $componentsAfter) {
-            return array_diff($componentsAfter, $componentsBefore);
+               return Doctrine_Lib::arrayDiffSimple($componentsAfter, $componen
         } else {
             return $componentsAfter;
         }
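
Review bot: The new return line inside the if is indented further than the return in the else branch below it; match the surrounding indentation, and leave the whitespace-only change on the blank line above the if out of this patch so the diff shows only the functional change. Because arrayDiffSimple() decides by key rather than by value (per its body in Lib.php), a short comment here saying the components are compared by key would record why array_diff was replaced.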
@@ -2070,4 +2070,4 @@ abstract class Doctrine_Query_Abstract
     {
         return $this->getDql();
     }
-}
\ No newline at end of file
+}

vTiger 5.4.0 enable backup quirk

I use the vTiger CRM product and it has an unusual quirk with enabling backups. Whilst the user interface (CRM settings -> Backup server) has check boxes to enable local and FTP backup, the script actually tries to alter the file /user_privileges/enable_backup.php and in that set the two flags to a value of either true or false,

$enable_local_backup = 'true';

$enable_ftp_backup = 'false';

As the script has no permissions to do that then it gets a fopen() permission error (Warning: fopen(/*****/user_privileges/enable_backup.php): failed to open stream: Permission denied in /****/modules/Settings/SaveEnableBackup.php on line 43) and so when the ajax refreshes the screen it looks as if nothing has been done.

Without messing with your directory permissions then you can edit the /user_privileges/enable_backup.php manually.

Even if you manage to get the directory details into the local backup it will not work unless that enable local backup flag is set to true. It will say that it has done a backup but it will not save any file.

Old Java version uninstall stuck with mismatched uninstaller

A client of mine had finally got long-haul WIFI into their area. Before that they were on Satellite Internet with a very low and capped quota (4 GB/month). Consequently things like Java and Windows updates were manual. As they were in the middle of nowhere there were not too many site visits by me either.

I remote desk-topped into their machine and was doing updates for them. The Java was version 6 so I added version 7 and tried to uninstall version 6. It wouldn’t do this. The uninstaller dialog box referred to a different version from what it said was installed in the Control panel installed applications list and it didn’t remove the installed version anyway but just exited.

The fix I found was to download the most recent Java version 6 (update 39) and install that and then that updated the installed software list and flushed the problem. I then uninstalled that new version and it worked – Java 6 was gone.

How to Fix Stalled Outlook incoming email.

If the Outlook emails fail to be picked up then it is probably some junk SPAM and probably malformed using international character sets. To fix this,
a) In Outlook pick,
Tools -> Send/Receive -> “< the broken account name>” Only -> Download Inbox Headers

b) Outlook will now download just the headers. The first one that comes in (i.e. the oldest one) is probably the bad message that is breaking Outlook e.g. if it is Monday and you are getting emails up until Saturday evening then the next message on Saturday evening is probably the bad message.

c) Right-mouse on that message and select “Open”. It will not have any local message but will ask what you want to do. Pick the last option of,
“Mark to delete this message from the server”

And then do OK.
d) Now do your normal Send/Receive All and all the backlogged messages should download normally and any marked for deletion emails (as above) will be automatically deleted.

Site Landing Page fronting WordPress

A client wanted a site-wide landing page with some basic images and a few navigation buttons to front-end their WordPress site and other places like their Etsy shop and Social media links. Out of the box WordPress allows you to define a home page (see under the admin options for Settings->Reading) but that isn’t exactly what they wanted, as that is still within WordPress and so has the header, menus and footer and all the other stuff related to a WordPress site unless the theme allows for all of these to be turned off.

When you connect to the URL without any path or a resource file name, e.g. www.openmutual.org rather than for example www.openmutual.org/blog/example.txt, then (using Apache) the file that will be presented if a file is not specified in a URL is decided by the mod_dir DirectoryIndex directive (or in IIS the <defaultDocument> elements).

WordPress by default has an index.php file in its root and this is what is normally used. If your hoster has set up their DirectoryIndex similar to the above then the index.html file will override the index.php. If so then you are good to go. If not then you will have to get your hoster (or it may be you) to get index.html being dished out in preference to index.php. The two options open to my client are to,

a) move the WordPress out of the site root e.g. move the files to /blogging or similar subdirectory and then add a static web page e.g. index.html
b) or add an index.html with static code in it that will be run first before index.php

The option a) is obvious but I wanted to avoid that for the moment so I picked b) to see if that would work. Please read the “quirks” at the bottom and test this on your own test beds before playing with a client site !

Step 1) On WordPress create a new page with any name and slug (we’ll call it My Home and give it a slug of my-home )
Step 2) Copy the contents of the existing Home page to this new page (use control-C and control-V or similar)
Step 3) There is usually no need to change anything in Settings->Reading for the front page displays but you cannot set it to a Static page that is navigable in the menu. The reason being is that whatever you set as the WordPress Static front page is given a slug of /. If it is already set to posts of Home then you can leave it as that.
Step 4) Edit your Theme menu in Appearance -> Menus and remove the existing “Home” or whatever has a slug of your site root (/) and replace it with your new copied home page (in my example “My Home”)
Step 5) You can add the original Home page back but give it a different name e.g. “Site Root” as it will jump you back to the non-Wordpress file.
Step 6) Test that your tweaked WordPress site still works OK. You won’t notice many problems yet.
Step 7) Create an index.html file and have at least the one link to your new “My Home” WordPress slug e.g. <a href="./my-home">My Blog Site</a>
Step 8) Upload and check the new file gets priority. If not then check the Apache mod_dir DirectoryIndex directive is set correctly e.g.

<Directory /> 
DirectoryIndex index.html index.php 
</Directory>

That is all is needed. Now when web visitors hit your web site they will get the index.html and they can then navigate from there. When they click any WordPress link slug from that landing page then they then go to your WordPress site and will stay there unless you have given them a menu option to escape back up to the index.html.

Quirks:

  • You MUST set Permalink Settings to something other than the default of …site/?
  • When you are in Media Manager then when you try and view an attachment then it will go to the attachment page and not the media file link.
  • When you insert an image into a post or page then do not use the attachment post ID but the media file link.
  • This may not work on other web servers – I have only done this on Apache

Bypass LCD fan hardware POST on SONY all-in-one VGC-V2M

A client has a SONY VGC-V2M all-in-one PC. It is like a fat TV – a P4 based motherboard in a black case with built-in LCD, DVD, and all the usual sockets.

If it halts on a LCD FAN hardware error then the computer is still usable until you can investigate further. At the American Megatrends BIOS POST then do the following sequence to get Windows booted,

F2     to get to BIOS
ESC    to exit from bios it will ask to discard or not
<return or enter>  to pick the OK to discard

now Windows will continue to boot.  Now is obviously the time to make sure your backups are up to date !

Adding Memory

As an aside it is actually easy to upgrade the memory in this all-in-one. You slide the back up a few inches until it catches and then it sort of pops off by moving it back away from the case. How it latches is some locking tabs that fit through gates into a slide so you have to slide the back up until the tabs are aligned at the gates and then it easily pops off backwards. Don’t force it.

The memory is under the metal panel on the right hand side (looking from the back). Motherboard has two slots and AFAIK it is 1 GB max of DDR PC3200 400 MHz CL3 or similar per slot. You probably have 512 MB fitted and running Windows XP so for routine Office use just fit another 512 MB for the cheapest upgrade as Windows XP is now unusable rubbish on only 512 MB but fine on 1 GB. Maximum is 2 GB in total i.e. 1 GB + 1 GB.