No addon hook enabled for module

Posted by ttsp 
No addon hook enabled for module
October 03, 2014 02:30PM
Hi everyone!

We've found some fatal errors in a server log file with a message:
Quote
Phorum
No addon hook enabled for module "event_logging" in /path/to/Phorum/addon.php on line 125
These messages were caused by a search engine crawler; it seems it cached some links when the module was enabled. The module "event_logging" is disabled now.
Is it the right behavior that a disabled module causes fatal errors in these cases, or should we fix something to prevent it?



Edited 1 time(s). Last edit at 10/03/2014 02:31PM by ttsp.
Re: No addon hook enabled for module
January 24, 2019 04:12AM
Someone is trying to hack my phorum using some creative queries like the following:

Quote

User info:

Anonymous user
User IP address = 198.46.142.166

Additional details:

Message:

PHP error: <h1>Modscript Error</h1>No addon hook enabled for module "recent_messages' aND BeNChMaRK(2999999,Md5(NoW())) AnD '1"

PHP error generated at /portal/addon.php:125

Back trace:

Function trigger_error called at
{path to Phorum}/addon.php:125
----

Request info:

REQUEST_URI = /portal/addon.php?0,module=recent_messages%27%20aND%20BeNChMaRK%282999999%2CMd5%28NoW%28%29%29%29%20AnD%20%271
QUERY_STRING = 0,module=recent_messages%27%20aND%20BeNChMaRK%282999999%2CMd5%28NoW%28%29%29%29%20AnD%20%271

Any suggestions on how to lock this down?
Thanks!

...
Steve Healy, Phorum hacker, currently on: (version 5.2.19)
contributions:
Birthdays mod, Top Users mod, Icon legend.tpl, (plus a handful of bugfixes and old 5.0 creations)
Re: No addon hook enabled for module
January 31, 2019 07:52PM
The following is hoped to clarify what happens when addon.php is called and the module is disabled, or the hook 
does not exist.

Phorum is a script that is called by the web server based on the URL passed.
Phorum is essentially "Stateless", which means the web server has no idea what any particular client is going to
request until the URL is sent to the web server.

If the URL is valid (to the web server), and has a .php extension (explicitly or through defaults set up on the 
server) php is invoked (an instance of the executable program), and passed the arguments for running a particular
script.

In the case of addon.php
Simplified version of what occurs.

Example bad URL  xxx/ForuM/addon.php?0,module=recent_messages'A=0
    
    It is up to addon.php to validate the named arguments passed after the question mark that may invoke other 
    scripts (does not validate that the argument is valid to the script).
       
       First: Check if any enabled modules have hooks enabled. If no modules have hooks enabled, 
              trigger E_USER_ERROR.
       
       Second: Check that there is a module="some_name" passed as an argument, if the module argument is missing, 
               trigger E_USER_ERROR.

       Third: Make a list of available hooks (all modules). Filter the hooks to see if the hook is available 
              for the module passed by the argument, if 0 trigger E_USER_ERROR

       Fourth: Verify there is only one hook registered for this module, if more than 1 trigger E_USER_ERROR.      
    
       Lastly: If no errors were triggered, run the hook and module.
       

Notes...

E_USER_ERROR causes the script to send the user an error message and, after making a Phorum event log entry 
(if event logging is enabled), KILL the php instance immediately.
    The error message to the user is sent in case the user typed the URL and made a typing mistake.
    The server log will indicate a fatal error because we KILLed the php instance, without a normal exit.

If the module name is not passed as an argument; in the Phorum event log:    Missing "module" argument.

If a hook is specified and is incorrect (spelling);  in the Phorum event log:     No addon hook enabled for 
module "recent_messages'A=0"

If a hook does not exist; in the Phorum event log:    No addon hook enabled for module "some_name"
If the module is not enabled; in the Phorum event log:    No addon hook enabled for module "recent_messages"


Bottom line: This is proper behavior, and your forum is protected.
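
The cases listed in the reply above (missing module argument, malformed name, module not enabled) can also be told apart when triaging logged addon.php requests. The following is an added example, not part of the thread and not Phorum's own code; the lowercase-identifier name pattern, the split-on-comma-then-decode parsing, the function names and the sample IP addresses are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumption: legitimate module names are lowercase identifiers.
SAFE_NAME = re.compile(r"[a-z0-9_]+")

def module_argument(request_uri):
    """Return the decoded module= value of an addon.php request, else None."""
    _, _, query = request_uri.partition("?")
    # Assumption: arguments are comma-separated and decoded after splitting,
    # as the logged URL and error text in this thread suggest.
    for arg in query.split(","):
        key, sep, value = arg.partition("=")
        if sep and unquote(key) == "module":
            return unquote(value)
    return None

def classify(request_uri, enabled_modules):
    """Label a request: not-addon, missing-module, malformed-name, not-enabled, ok."""
    if not request_uri.partition("?")[0].endswith("/addon.php"):
        return "not-addon"
    name = module_argument(request_uri)
    if name is None:
        return "missing-module"
    if not SAFE_NAME.fullmatch(name):
        return "malformed-name"      # quotes, spaces, SQL keywords: a probe
    if name not in enabled_modules:
        return "not-enabled"         # e.g. a crawler replaying a cached link
    return "ok"

def triage(entries, enabled_modules):
    """Count rejected addon.php requests per client IP."""
    report = {}
    for ip, uri in entries:
        verdict = classify(uri, enabled_modules)
        if verdict not in ("ok", "not-addon"):
            report.setdefault(ip, Counter())[verdict] += 1
    return report

# Constructed sample: documentation-range IPs; the second URI is the one quoted above.
SAMPLE = [
    ("192.0.2.10", "/portal/addon.php?0,module=event_logging"),
    ("192.0.2.66", "/portal/addon.php?0,module=recent_messages%27%20aND%20BeNChMaRK"
                   "%282999999%2CMd5%28NoW%28%29%29%29%20AnD%20%271"),
    ("192.0.2.10", "/portal/addon.php?0,module=recent_messages"),
]

if __name__ == "__main__":
    for ip, counts in triage(SAMPLE, {"recent_messages"}).items():
        print(ip, dict(counts))
```

A "malformed-name" verdict separates probing from the "not-enabled" noise a crawler produces with stale links, which is the distinction that matters when deciding whether an IP deserves rate limiting or blocking at the web server.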