fopen() problems

Help
2010-02-03
2013-05-28
  • Hello everyone

    - I changed my server to solve the problem of 'fopen()'.

    http://www.aapa.org.ar/search/

    - Now I get the following Warning in index.php file:

    Warning: fopen(http://www.aapa.org.ar/search/show.php?records=all&submit=Cite&showRows=5&citeOrder=creation-date&client=inc-refbase-1.0&wrapResults=0): failed to open stream: HTTP request failed! HTTP/1.1 500 Internal Server Error in /home/aapaorg/public_html/search/includes/include.inc.php on line 5217

    - My server's administrator says that the 'fopen()' function is enabled, allow_url_fopen = On.

    Check this configuration at the URL: http://www.aapa.org.ar/search/info.php

    - Another error appears in the 'option show all'; I think that should be the same problem.

    "Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator, webmaster@aapa.org.ar and inform them of the time the error occurred, and anything you might have done that may have caused the error.

    More information about this error may be available in the server error log.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request."

    Any ideas? Thanks for the help.

     
  • Something similar had been reported once previously, where GET queries led to 500 Internal Server Errors, while POST queries were fine. Don't know if we really nailed down the cause. Some security extensions to AMP stacks will lead to this, but it is hard to diagnose the problem from what we've been given so far.

    Good, generic advice:

    Did you take a look at your server's error log? Maybe it contains some further information. Also, try to temporarily set 'error_reporting' in your 'php.ini' file to 'E_ALL' and enable 'display_errors':

    error_reporting  =  E_ALL
    display_errors = On
    

    You may also send phpinfo() results to the developers.

    -Rick

     
  • Thanks

    I will try your suggestion and send you the results

     
  • Rick,

    We solved the problem.

    The problem was the Apache module mod_security. It detected fopen's URL as 'Generic SQL injection'.
    Link to mod_security's logs: http://3vectores.com/info/aapa.pdf

    Is there a way that the code does not violate security?

    Thanks

    Nicolas

     
  • mod_security cannot differentiate between legitimate SQL queries (which are being made) & SQL injections (which refbase does take efforts to prevent).  It is curious to see that the POSTed queries went through just fine.  It wouldn't be any more secure, but you can have mod_security not complain if you changed the GET forms to POSTs in refbase.
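
The change suggested in the last reply, as an added example that is not part of the thread and is not refbase's own code: the internal fopen() request is sent as a POST with the parameters in the body, and the HTTP status is surfaced instead of a bare warning. The function names and the example.org host are hypothetical, and it assumes show.php reads the same parameters from a POST body.

```php
<?php
// Added example, not refbase code. Function names are hypothetical.

// Split a GET-style URL into its endpoint and a stream-context option array
// that carries the same parameters in a POST body.
function buildPostRequest(string $url): array
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException("Not an absolute URL: $url");
    }
    parse_str($parts['query'] ?? '', $params);   // decode the query string
    $endpoint = $parts['scheme'] . '://' . $parts['host']
              . (isset($parts['port']) ? ':' . $parts['port'] : '')
              . ($parts['path'] ?? '/');
    $options = ['http' => [
        'method'        => 'POST',
        'header'        => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content'       => http_build_query($params),  // re-encode as form body
        'timeout'       => 10,
        'ignore_errors' => true,  // open the stream even on a 4xx/5xx reply
    ]];
    return [$endpoint, $options];
}

// Perform the request and report the HTTP status line on failure.
function fetchViaPost(string $url): string
{
    [$endpoint, $options] = buildPostRequest($url);
    $handle = @fopen($endpoint, 'r', false, stream_context_create($options));
    if ($handle === false) {
        throw new RuntimeException("Could not connect to $endpoint");
    }
    $meta   = stream_get_meta_data($handle);
    $status = $meta['wrapper_data'][0] ?? 'unknown status';  // first header line
    $body   = stream_get_contents($handle);
    fclose($handle);
    if (!preg_match('~^HTTP/\S+\s+2\d\d~', $status)) {
        throw new RuntimeException("Request rejected: $status");
    }
    return $body;
}

// Constructed sample: the query string from the warning, placeholder host.
// Only the request is built here; no network call is made.
[$endpoint, $options] = buildPostRequest(
    'http://example.org/search/show.php?records=all&submit=Cite&showRows=5'
    . '&citeOrder=creation-date&client=inc-refbase-1.0&wrapResults=0');
echo $endpoint, "\n", $options['http']['content'], "\n";
```

With `ignore_errors` set, a 500 from the server no longer makes fopen() fail silently; the status line is available to log alongside the mod_security audit entry.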