Order Details Page Error 500 From Javascript - Question | JoomShaper
Order Details Page Error 500 From Javascript

Eddie Kominek

EasyStore 1 year ago

When trying to view an order, I'm getting the following server error:

index.php?option=com_easystore&view=order&layout=edit&id=1148:63  For further info see en.wikipedia.org/wiki/Self-XSS 
admin.vendors.js?1.2.4:1
        GET injoylurecoursing.store/administrator/index.php?option=com_easystore&task=/api.appConfig&_method=get&timestamp=1727101013598 500 (Internal Server Error)
(anonymous) @ admin.vendors.js?1.2.4:1
xhr @ admin.vendors.js?1.2.4:1
ht @ admin.vendors.js?1.2.4:1
Promise.then
_request @ admin.vendors.js?1.2.4:1
request @ admin.vendors.js?1.2.4:1
T.<computed> @ admin.vendors.js?1.2.4:1
(anonymous) @ admin.vendors.js?1.2.4:1
queryFn @ 6102.js:1
fetchFn @ admin.vendors.js?1.2.4:1
p @ admin.vendors.js?1.2.4:1
i @ admin.vendors.js?1.2.4:1
fetch @ admin.vendors.js?1.2.4:1
executeFetch @ admin.vendors.js?1.2.4:1
onSubscribe @ admin.vendors.js?1.2.4:1
subscribe @ admin.vendors.js?1.2.4:1
(anonymous) @ admin.vendors.js?1.2.4:1
Ua @ admin.vendors.js?1.2.4:1
fl @ admin.vendors.js?1.2.4:1
Eu @ admin.vendors.js?1.2.4:1
(anonymous) @ admin.vendors.js?1.2.4:1
C @ admin.vendors.js?1.2.4:1
O @ admin.vendors.js?1.2.4:1

I have AdminTools installed.

0
13 Answers
Ofi Khan
Accepted Answer
Support Agent 1 year ago #169305

The developer team has shared their feedback. Please go to this location:

administrator/components/com_easystore/src/Helper/

and replace SettingsHelper.php file with the attached file. You need to unzip the file and then replace.

SettingsHelper.php.zip

0
Ofi Khan
Support Agent 1 year ago #168610

Hello Eddie Kominek

Apologies for the inconvenience. Please share your administrator access here to check the issue. Use the Hidden Content box to share the credentials. Make sure that you have a full site backup before sharing.

Best regards

0
Eddie Kominek
1 year ago #168977

I'm sorry, I don't think my company is comfortable giving SA credentials out.

Here are a few lines from the error log:

[Thu Sep 26 05:34:29.789663 2024] [fcgid:warn] [pid 945888:tid 140404601390656] [remote 152.86.83.129:58918] mod_fcgid: stderr: PHP Warning:  file_get_contents(www.joomshaper.com/products/easystore/payments.json): Failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden, referer: injoylurecoursing.store/administrator/index.php?option=com_easystore&view=order&layout=edit&id=1151
[Thu Sep 26 05:34:29.789716 2024] [fcgid:warn] [pid 945888:tid 140404601390656] [remote 152.86.83.129:58918] mod_fcgid: stderr:  in /home/dh_cw7k92/injoylurecoursing.store/administrator/components/com_easystore/src/Helper/SettingsHelper.php on line 192, referer: injoylurecoursing.store/administrator/index.php?option=com_easystore&view=order&layout=edit&id=1151

I'm on shared hosting; I cannot alter the php.ini for "allow_url_fopen = On". This file is probably something that needs to be included in your installed package.

0
Ofi Khan
Support Agent 1 year ago #168978

It is difficult to check the matter by the error log. Please take a full site backup with Akeeba Backup in ZIP format and share here. Follow this tutorial. I will check it on my localhost.

0
Eddie Kominek
1 year ago #168989

I'm sorry, now you want me to install a 3rd party package on my production server to perform a full-backup of my site, including my users table? Ofi, what are you looking for besides error logs? I would think what I linked above would be enough to go on.

I double checked my php.ini and I have allow_url_fopen ON. It's a 403 forbidden on requesting that file. I tried a wget from ssh, which was successful:

[pdx1-shared-a1-36]$ wget www.joomshaper.com/products/easystore/payments.json
--2024-09-26 06:50:50--  www.joomshaper.com/products/easystore/payments.json
Resolving www.joomshaper.com (www.joomshaper.com)... 172.66.40.119, 172.66.43.137
Connecting to www.joomshaper.com (www.joomshaper.com)|172.66.40.119|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7135 (7.0K) [application/json]
Saving to: ‘payments.json’

payments.json                                                                   100%[====================================================================================================================================================================================================>]   6.97K  --.-KB/s    in 0s

2024-09-26 06:50:51 (76.1 MB/s) - ‘payments.json’ saved [7135/7135]

CURL works fine as well.

It looks like this function in SettingsHelper.php is tripping at the file_get_contents().


    /**
     * Get Payment plugin list
     *
     * @return mixed
     */
    public static function getPluginSchema()
    {
            $cachePath = JPATH_CACHE . '/easystore';
            $cacheFile = $cachePath . '/payments.json';

            $url     = 'www.joomshaper.com/products/easystore/payments.json';
            $content = '';

            if (!file_exists($cachePath)) {
                    Folder::create($cachePath, 0755);
            }

            if (file_exists($cacheFile) && (filemtime($cacheFile) > (time() - (24 * 60 * 60)))) {
                    if (ini_get('allow_url_fopen')) {
                            $content = file_get_contents($cacheFile);
                    } else {
                            $handle  = fopen($cacheFile, "r");
                            $content = fread($handle, filesize($cacheFile));
                            fclose($handle);
                    }
            } else {
                    if (ini_get('allow_url_fopen')) {
                            $content = file_get_contents($url);
                    } else {
                            $ch = curl_init();
                            curl_setopt($ch, CURLOPT_URL, $url);
                            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

                            $content = curl_exec($ch);
                            curl_close($ch);
                    }

                    if (!empty($content)) {
                            File::write($cacheFile, $content);
                    }
            }

            if (empty($content)) {
                    return [];
            }

            return json_decode($content);
    }

Could your webserver at joomshaper.com be blocking a request by my server at injoylurecoursing.store (75.119.206.5)? 403 Forbidden returned by your server would be on your end, correct?

0
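The fetch-and-cache pattern from the `getPluginSchema()` function quoted above, as an added example (not the attached SettingsHelper.php and not EasyStore's code): a remote 403 or timeout falls back to the stale cache or an empty list instead of surfacing a warning, and a body is cached only after it parses as JSON. `fetchJson`, `decodeSchema` and `loadPluginSchema` are hypothetical names; the stub fetcher and the `example.invalid` URL are constructed for the demo.

```php
<?php
// Added example; fetchJson, decodeSchema, loadPluginSchema are hypothetical names.
/** HTTPS-only GET via cURL; returns [statusCode, body]. */
function fetchJson(string $url): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse http://, file:// and the rest
        CURLOPT_FOLLOWLOCATION => false,           // do not chase redirects
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,              // never hang the admin request
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    return [$status, $body === false ? '' : $body];
}

/** Decode JSON; only an object or array counts as a schema, anything else is null. */
function decodeSchema(string $raw)
{
    $data = json_decode($raw);
    return (is_array($data) || is_object($data)) ? $data : null;
}

function loadPluginSchema(string $url, string $cacheFile, callable $fetch, int $ttl = 86400)
{
    $cached = is_file($cacheFile) ? decodeSchema((string) file_get_contents($cacheFile)) : null;
    if ($cached !== null && filemtime($cacheFile) > time() - $ttl) {
        return $cached;                            // fresh, valid cache: no network call
    }
    [$status, $body] = $fetch($url);
    $remote = $status === 200 ? decodeSchema($body) : null;
    if ($remote !== null) {
        // Write to a temp file, then rename, so readers never see a partial cache.
        $tmp = $cacheFile . '.' . bin2hex(random_bytes(4)) . '.tmp';
        if (file_put_contents($tmp, $body) !== false) {
            rename($tmp, $cacheFile);
        }
        return $remote;
    }
    return $cached ?? [];                          // 403 or timeout: stale cache, else empty
}

// Constructed demo: a stub fetcher answering 403, as in the error log above.
$cacheFile = sys_get_temp_dir() . '/payments-demo.json';
@unlink($cacheFile);
var_dump(loadPluginSchema('https://example.invalid/payments.json', $cacheFile, fn () => [403, '']));
```

Outside the demo, pass `'fetchJson'` as the `$fetch` argument; the injected callable exists only so the failure path can be exercised offline.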
Eddie Kominek
1 year ago #168990

I've also disabled my AdminTools (also an Akeeba product) by disabling the WAF plugin and renamed my .htaccess with no luck. curl and wget both work with AdminTools and .htaccess enabled.

0
Eddie Kominek
1 year ago #168991

I can force the CURL else like this: if (ini_get('allow_url_fopen') && false) { and everything works. Would you guys mind looking into your end to see if anything is forbidding my IP or why the php fopen would fail?

0
Ofi Khan
Support Agent 1 year ago #169052

I have shared your issue with the development team. They will check and share their feedback.

0
Stuart Clark
1 year ago #169007

More to the point - WHY is EasyStore "dialing home" to JoomShaper for a function which should be hosted on the customer's local server???

How do we as customers of JoomShaper know what details of our customers they might be stealing by these calls to Joomshaper.com???

1
Ofi Khan
Support Agent 1 year ago #169055

We are stealing nothing here. I sincerely ask you to check your choice of words. You are using harsh or attacking words which do not feel co-operative for our relation.

0
Stuart Clark
1 year ago #169062

I said might.

The point is very valid - if there is a function in EasyStore which is contacting an external host / server - in this case www.joomshaper.com/products/easystore/payments.json - there is a genuine privacy concern unless you can tell us EXACTLY what is being transmitted to and from that endpoint.

JoomShaper need to be able to accept criticism - if something doesn't work it needs to be called out! That is ALL I have done since purchasing EasyStore. I'm sorry if you don't like that, but ultimately all I want is a functional, bug free, secure system which can be used in production websites!

So - please don't even comment about "co-operation and relationships" - especially to someone who has spent hundreds of hours beta testing for you - for FREE!

0
Eddie Kominek
1 year ago #169370

Good integration with the Joomla API and use of the Http class. I can wait until this goes out with the next patch, but for those who don't like hacking 3rd party packages' php, this is a good fix. Thanks for the developer attention to this and the preference of CURL.

0
Ofi Khan
Support Agent 1 year ago #169466

Thanks for your valuable feedback. The developer team also appreciated you.

0