Akeeba kickstart php script error


I saw the archive 5.5.0 directly from the site akeebabackup, the script doesn't work from the beginning indeed it shows me this error. Select a backup archive. Import from URL. Archive directory: Reload Archive file: Ignore most errors. (S)FTP host name: (S)FTP port. What I did: 1. Created new empty database. 2. Added user to this new database. 3. Uploaded .jpa file and kickstart.php (www.akeebabackup.com/software/akeeba-.

Problem while restoring Joomla website on server using kickstart.php

It can be that your backup file is corrupted. I would suggest to try to restore the jpa archive in your local machine using Akeeba extract wizard, to get closer to a conclusion that the file can be restored or it is damaged. If it can not be restored locally, then there is a big chance that your archive is corrupted. Try to re-backup, but before you do so, also check which other directories apart from the Joomla core ones are included in your backup, as it is possible that you also include long log files that might cause you issues restoring them, as you will read in the next lines.

Other possible issues why you can't restore it on your server are the time-outs, especially if your archive contains very big files (e.g. log files as described above). You could try modifying the php.ini file and adjust the max_execution_time to a higher value (e.g. > 120).

Another possibility could be that there are some permissions issues (??). What is the operating system of your server?

Support

Akeeba Kickstart won't run at all or throws a Parse Error

First make sure that your hosting environment complies with the minimum requirements for Kickstart. If your host is using an older version of PHP as the default (which might be different than the one reported in your hosting control panel) you need to contact your host to find out how to upgrade PHP on your server.

If the extraction process does not start, i.e. you click on the button and nothing happens, please go through the client-side troubleshooting steps before doing anything else. Most likely it's an issue with your PC configuration or ISP. We won't be able to help you if you don't go through these steps!

If nothing of the above works, you may want to try downloading the latest version of Kickstart, extract the ZIP file locally and re-upload kickstart.php to your site.

SQL error when trying to move Joomla site to new account

I have a website that I am attempting to move from a "traditional" hosting account with GoDaddy to a new "cpanel" hosting account. The reason for the move is that we would like to be able to sell MP3s from the site and in order to place these files in the home directory we need a cpanel account (according to GoDaddy).

We use Akeeba backup and admin tools religiously and have never had any problem with each of these programs.

I moved a copy of the site to a friend's testing environment (different host) using Akeeba kickstart and no problem. However, after moving the archive file and kickstart file to the new cpanel account on GoDaddy, I get a database restoration error (after making it through the pre-installation screen) and have reached out to support both GoDaddy and Akeeba (which is fantastic, but they are closed for the weekend).

So here are the steps I've taken to try and fix this and the results:

  1. Created the database, DB user, and associated them in cpanel on the new GoDaddy hosting account.
  2. Uploaded kickstart.php file and the akeeba backup archive (.jpa file).
  3. Initialized kickstart by going to the URL and made it through the pre-installation page

Next I get the following error:

An error occurred while restoring the database. The error message can be found below. Click on the × button at the top right of this dialog message to close it and return to the database restoration page.

SQL=SHOW FULL COLUMNS FROM

NOTE: Though always a SQL=SHOW FULL COLUMNS FROM error sometimes the table is different

Here are the additional things I've tried to date:

  1. Completely wiped out site and began the process again with kickstart file and archive file - result: still get error
  2. Wiped out site, changed php version from 5.4 to 5.3 and began process again with kickstart file and archive file - result: still get error
  3. Created a new DB user in cpanel to make sure that user has full privileges on database, associated this user to the DB, and began process again with kickstart file and archive file: - result: still get error
  4. Searched web and Akeeba site for other possible fixes - result: was not able to discover anything else that would help

Akeeba had asked me to see if GoDaddy has a maximum query limit per hour/minute. GoDaddy does; 1000. And according to GoDaddy the only way for me to change this is through a php.ini file but aside from that they are not able to help.

I have never created a php.ini file and have no idea what code needs to be added to that file to fix this issue. I have looked at resources online for PHP but as this is not my specialty I'm completely lost when trying to figure out which commands are needed in this ini file. And again, Akeeba is closed for the weekend so I'm hoping to get some help before then.

Thanks!

asked Oct 25, 2014 at 17:55


In our latest paper we evaluated the new RIPS prototype regarding its ability to statically detect PHP object injection (POI) vulnerabilities and related gadget chains in PHP applications. Among others, the prototype reported a previously unknown POI vulnerability in Joomla 3.0.2. It turned out, that this vulnerability was still present in the (at that time) latest Joomla! 3.3.4 version. However, it appeared to be not exploitable because of some requirements and missing chains. Lately, I had a look at it again and found a way to exploit it in 5 steps. The last step still makes exploitation difficult and the severity can be rated as high.

1. Encryption Bypass

The vulnerability affects the Akeeba Kickstart package used in Joomla’s com_joomlaupdate component located in administrator/components/com_joomlaupdate/restore.php. This file is remotely accessible to any unprivileged (not logged-in) user and no authentication check is performed by Joomla!. It is used to install Joomla! updates from a local ZIP file.
In the masterSetup() function, Akeeba Kickstart checks for an existing restoration.php file and includes it to initialize basic setup parameters. If the restoration.php file does not exist, the execution is aborted. We will come back to this condition later.

    $setupFile = 'restoration.php';
    if( !file_exists($setupFile) )
    {
        // Uh oh. Somebody tried to pooh on our back yard. Lock the gates! Don't let the traitor inside!
        AKFactory::set('kickstart.enabled', false);
        return false;
    }
    // Load restoration.php. It creates a global variable named $restoration_setup
    require_once $setupFile;

Once the file is successfully included, a Joomla! update is performed based on the included setup parameters and externally provided parameters. To avoid tampering, the external parameters are encrypted with AES-128 in CTR mode. However, it is possible to completely bypass the encryption abusing PHP oddities. In Akeeba Kickstart, all parameters are fetched with the getQueryParam() function.

    function getQueryParam( $key, $default = null )
    {
        if(array_key_exists($key, $_REQUEST)) {
            $value = $_REQUEST[$key];
        } elseif(array_key_exists($key, $_POST)) {
            $value = $_POST[$key];
        } elseif(array_key_exists($key, $_GET)) {
            $value = $_GET[$key];
        } else {
            return $default;
        }
        return $value;
    }

It returns parameters from the superglobal $_REQUEST, $_POST, or $_GET array, if existent. First, the external setup parameter json is fetched through getQueryParam(). Then, all entries in the $_REQUEST array are removed to delete all other parameters supplied by the user.

    $json = getQueryParam('json', null);

    if(!empty($_REQUEST))
    {
        foreach($_REQUEST as $key => $value)
        {
            unset($_REQUEST[$key]);
        }
    }

However, $_REQUEST holds only a copy (not a reference) of $_GET and $_POST entries. That means that all provided GET and POST parameters are still available in the corresponding array, even when unset in $_REQUEST. The next lines decrypt the json parameter and populate its json encoded data into the $_REQUEST array again.

    // Decrypt a possibly encrypted JSON string
    if(!empty($json))
    {
        $password = AKFactory::get('kickstart.security.password', null);
        if(!empty($password))
        {
            $json = AKEncryptionAES::AESDecryptCtr($json, $password, 128);
        }

        // Get the raw data
        $raw = json_decode( $json, true );

        // Pass all JSON data to the request array
        if(!empty($raw))
        {
            foreach($raw as $key => $value)
            {
                $_REQUEST[$key] = $value;
            }
        }
    }

At this point, an attacker can leave the json parameter empty. The function getQueryParam() still returns parameters from $_GET and $_POST because only the $_REQUEST array was emptied. This way, no encryption key is required to provide further setup parameters that are fetched through getQueryParam().
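The copy semantics described above can be reproduced on the command line. The following is an added example, not code from Akeeba Kickstart or from the original post: it simulates a request by filling the superglobals by hand, repeats the clearing loop, and contrasts the page's lookup with a hardened variant. The request values are constructed, and `buildTrustedParams()` and `trustedParam()` are hypothetical helpers (PHP 7.1+ assumed).

```php
<?php
// Added illustration for the PHP CLI (PHP 7.1+). Request values are
// constructed; buildTrustedParams() and trustedParam() are hypothetical.

// Simulate request start-up: PHP fills $_REQUEST with copies of the GET and
// POST entries, so the three arrays are independent from then on.
$_GET     = ['task' => 'ping', 'factory' => 'constructed-value'];
$_POST    = [];
$_REQUEST = array_merge($_GET, $_POST);

// Same lookup order as the getQueryParam() shown on the page.
function getQueryParam($key, $default = null)
{
    foreach ([$_REQUEST, $_POST, $_GET] as $source) {
        if (array_key_exists($key, $source)) {
            return $source[$key];
        }
    }
    return $default;
}

// The clearing loop from the page: it empties $_REQUEST only.
foreach ($_REQUEST as $key => $value) {
    unset($_REQUEST[$key]);
}

echo 'entries left in $_REQUEST: ', count($_REQUEST), PHP_EOL;
echo 'getQueryParam("factory"):  ', var_export(getQueryParam('factory'), true), PHP_EOL;

// Hardened variant: every parameter comes from one array that is built only
// from the decoded (and, when a password is set, decrypted) JSON payload.
function buildTrustedParams(?string $decodedJson): array
{
    if ($decodedJson === null || $decodedJson === '') {
        return [];              // no payload means no parameters at all
    }
    $raw = json_decode($decodedJson, true);
    return is_array($raw) ? $raw : [];
}

function trustedParam(array $trusted, string $key, $default = null)
{
    return array_key_exists($key, $trusted) ? $trusted[$key] : $default;
}

// Drop the raw input everywhere so later code cannot reach it by accident.
$_GET = $_POST = $_REQUEST = [];

$empty  = buildTrustedParams(null);                // json parameter left out
$filled = buildTrustedParams('{"task":"ping"}');   // constructed payload

echo 'trustedParam, no payload:  ', var_export(trustedParam($empty, 'factory'), true), PHP_EOL;
echo 'trustedParam, payload:     ', var_export(trustedParam($filled, 'task'), true), PHP_EOL;
```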

2. PHP Object Injection

The POI vulnerability is straight-forward and appears in the next lines. The factory parameter is fetched through getQueryParam() and fed into the unserialize() method of AKFactory.

    // A "factory" variable will override all other settings.
    $serialized = getQueryParam('factory', null);
    if( !is_null($serialized) )
    {
        // Get the serialized factory
        AKFactory::unserialize($serialized);
    }

This method basically base64 decodes the parameter and instantiates the AKFactory class by unserializing the serialized object and storing it as instance.
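The decode-then-unserialize pattern described above, next to a hardened form, as an added example that is not Akeeba Kickstart code and not part of the original post. `DemoUnarchiver`, the `demo.*` setting keys and both restore functions are constructed stand-ins; PHP 7.0+ is assumed for the `allowed_classes` option.

```php
<?php
// Added illustration for the PHP CLI (PHP 7.0+). DemoUnarchiver and the
// demo.* keys are constructed stand-ins, not Akeeba Kickstart names.

class DemoUnarchiver
{
    public $filename = '';
    public static $wakeups = 0;

    // Magic method that PHP calls automatically during unserialize().
    public function __wakeup()
    {
        self::$wakeups++;
    }
}

// Pattern from the page: base64-decode and unserialize whatever arrives.
function restoreUnsafe(string $param)
{
    return unserialize(base64_decode($param));
}

// Hardened: no class may be instantiated, and only scalar settings with
// known keys survive.
function restoreSafe(string $param, array $allowedKeys): array
{
    $raw = base64_decode($param, true);
    if ($raw === false) {
        return [];
    }
    // With allowed_classes disabled, objects are turned into inert
    // __PHP_Incomplete_Class instances and their magic methods never run.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    $clean = [];
    foreach ($allowedKeys as $key) {
        if (isset($data[$key]) && is_scalar($data[$key])) {
            $clean[$key] = $data[$key];
        }
    }
    return $clean;
}

// Constructed inputs in the shape the page describes.
$objectParam = base64_encode(serialize(new DemoUnarchiver()));
$arrayParam  = base64_encode(serialize([
    'demo.offset' => 42,
    'demo.nested' => new DemoUnarchiver(),
    'demo.other'  => 'ignored',
]));

$obj = restoreUnsafe($objectParam);
echo 'unsafe, object input: ', get_class($obj),
     ', __wakeup calls: ', DemoUnarchiver::$wakeups, PHP_EOL;

DemoUnarchiver::$wakeups = 0;
echo 'safe, object input:   ', json_encode(restoreSafe($objectParam, ['demo.offset'])), PHP_EOL;
echo 'safe, array input:    ', json_encode(restoreSafe($arrayParam, ['demo.offset', 'demo.nested'])), PHP_EOL;
echo '__wakeup calls after both safe restores: ', DemoUnarchiver::$wakeups, PHP_EOL;
```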

Gadget Chains

Let's have a quick look at available gadgets. Akeeba Kickstart’s restore.php file works independently from the Joomla! code base. That means that no classes of Joomla! are loaded and no initial gadgets of Joomla! can be abused. However, it ships some classes of its own with defined magic methods.

These gadget chains do not impose a big security risk though and can at most be abused for SSRF or DoS. Considering the precondition of manually creating the restoration.php file, I felt this is not really exploitable, regardless of the encryption bypass.

3. Remote Code Execution

An important lesson I learned from this vulnerability is to not only have a look at the triggered gadget chains of a POI, but also to not forget to look at how the injected object affects the control flow after the injection. Until now, we have full control over the AKFactory instance with the PHP object injection that was triggered in the masterSetup() function.

    masterSetup();

    $retArray = array(
        'status'  => true,
        'message' => null
    );

    $enabled = AKFactory::get('kickstart.enabled', false);

    if($enabled)
    {
        $task = getQueryParam('task');

        switch($task)
        {
            case 'ping':
                // ping task - realy does nothing!
                $timer = AKFactory::getTimer();
                $timer->enforce_min_exec_time();
                break;

            case 'startRestore':
                AKFactory::nuke(); // Reset the factory

            case 'stepRestore':
                $engine = AKFactory::getUnarchiver(); // Get the engine
                $observer = new RestorationObserver(); // Create a new observer
                $engine->attach($observer); // Attach the observer
                $engine->tick();
                // ...
                $retArray['files'] = $observer->filesProcessed;
                $retArray['bytesIn'] = $observer->compressedTotal;
                $retArray['bytesOut'] = $observer->uncompressedTotal;
                $retArray['status'] = true;
                $retArray['done'] = false;
                $retArray['factory'] = AKFactory::serialize();
                // ...
                break;
        }
    }

After the update is prepared by the masterSetup(), we can start an update by setting the task parameter to startRestore or trigger the next step of the update by setting it to stepRestore. This API is used by AJAX requests to constantly check for the update status by reading the content of the later printed $retArray.

Since the AKFactory is under our control, we can manipulate its settings and data. It holds an AKUnarchiver object that is responsible to extract files from a given archive file (ZIP, JPS, or JPA format). The AKUnarchiver is fetched in line 5597 and its next step is invoked in line 5600. The different formats are parsed in different classes and I will not cover the details here. The important thing is, that all these unpacking classes extend the class AKAbstractUnarchiver and inherit the magic method __wakeup() already introduced in step 2.

If the PHP setting allow_url_fopen is enabled (which is the default) we can point to an external archive file that is then extracted to the destination directory of our choice. This way, an attacker can get remote code execution on the targeted web server, by extracting a PHP shell into the targeted Joomla installation from a ZIP archive on his web server. The injected AKFactory could look similar to the following PoC:

A remaining step is to find out the local document root path on the targeted web server where the PHP shell should be extracted to. While /var/www/ might be very common, different web servers use different paths on different operating systems.

4. Path Disclosure

Due to the PHP object injection we can trigger fatal errors in the application to receive the document root path from an error message. However, this would require error reporting and displaying by PHP, which is often disabled in production environments.

The previously mentioned $retArray does not only contain the current status about the processed files added so far, but also the complete serialized AKFactory object (line 5607). It is printed json encoded to the HTML response page.

    $json = json_encode($retArray);

    // Do I have to encrypt?
    $password = AKFactory::get('kickstart.security.password', null);
    if(!empty($password))
    {
        $json = AKEncryptionAES::AESEncryptCtr($json, $password, 128);
    }

    // Return the message
    echo "###$json###";

The encryption can be bypassed again, if we use the PHP object injection to overwrite the kickstart.security.password setting in AKFactory with an empty password. One way to include the document root into the AKFactory is to set the kickstart.setup.destdir setting in our injected AKFactory object to an empty string. Then, the built-in function getcwd() will fill the destination directory with the current working directory of the script.

    $destdir = self::get('kickstart.setup.destdir', null);
    if(empty($destdir))
    {
        $destdir = function_exists('getcwd') ? getcwd() : dirname(__FILE__);
    }

This way, the full path of the script is added to the serialized AKFactory object in the HTML response and the document root can be obtained by the attacker. Also, if the restoration.php file is created naturally, it includes the destination directory of the update as setup parameter. It usually points to an installation directory within the document root.

5. Ping or CSRF (CVE 2014-7229)

One important last step remains for exploitation. The Akeeba Kickstart script will abort in the beginning if no restoration.php file exists. This file is created during an update, but is deleted again at the end of an update. This makes it difficult to exploit the issue, but not impossible.

An update lasts about 3 seconds. That means an attacker can constantly ping the targeted installation for an existing administrator/components/com_joomlaupdate/restoration.php file during an update period. If the administrator performs the update, the restoration.php file will exist long enough to carry out the attack. Note, that this attack would generate quite some log entries.

For Joomla!, there is an alternative. The following URL will create a restoration.php file persistently if opened by an administrator:

Joomla! will attempt to start an update but cannot finish it because of missing parameters. Because no CSRF token is in place, the link can be used against logged-in administrators in a CSRF attack (e.g., Joomla article comment). Once the CSRF attack has succeeded, the attacker can exploit at any time.

Summary

Joomla! 3.3.4 and various Akeeba Backup products are affected by a vulnerability that leads to remote code execution on the targeted web server. However, the attack requires social engineering against an administrator or repeatedly sent requests to the web server until an update is performed.

Joomla! and Akeeba Backup have released patches. It is advised to update your software immediately and if possible, this time maybe not through Akeeba Kickstart ;). You may also want to check your web server’s access.log. I would like to thank Michael Babker (JSST) and Nicholas Dionysopoulos (Akeeba) for a very fast response and patch time!
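One way to carry out the access.log check suggested above, as an added example that is not part of the original post. It assumes the Apache/nginx combined log format; the log lines are constructed, and `scanAccessLog()` and its threshold are hypothetical and need tuning per site (PHP 7.1+ assumed).

```php
<?php
// Added illustration for the PHP CLI (PHP 7.1+). The log lines are
// constructed and the polling threshold is an assumption.

const WATCHED = '#^/administrator/components/com_joomlaupdate/(restore|restoration)\.php$#';

function scanAccessLog(array $lines, int $pollThreshold = 3): array
{
    $hits = [];        // requests per client address to the watched files
    $findings = [];
    foreach ($lines as $line) {
        // Combined log format: ip ident user [time] "METHOD uri PROTO" status ...
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $ip, $method, $uri, $status] = $m;
        $path = parse_url($uri, PHP_URL_PATH);
        if (!is_string($path) || !preg_match(WATCHED, $path)) {
            continue;
        }
        $hits[$ip] = ($hits[$ip] ?? 0) + 1;

        // A factory parameter in the query string is visible in the log;
        // one sent in a POST body is not, so the counter below still matters.
        parse_str((string) parse_url($uri, PHP_URL_QUERY), $query);
        if (isset($query['factory'])) {
            $findings[] = "$ip sent a factory parameter via $method to $path (status $status)";
        }
    }
    foreach ($hits as $ip => $count) {
        if ($count >= $pollThreshold) {
            $findings[] = "$ip requested the update endpoint files $count times";
        }
    }
    return $findings;
}

// Constructed sample using documentation address ranges.
$base = '/administrator/components/com_joomlaupdate/';
$sample = [
    '198.51.100.7 - - [05/Oct/2014:10:00:01 +0000] "GET ' . $base . 'restoration.php HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.7 - - [05/Oct/2014:10:00:02 +0000] "GET ' . $base . 'restoration.php HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.7 - - [05/Oct/2014:10:00:03 +0000] "GET ' . $base . 'restoration.php HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.7 - - [05/Oct/2014:10:00:04 +0000] "GET ' . $base . 'restore.php?factory=CONSTRUCTED HTTP/1.1" 200 31 "-" "-"',
    '192.0.2.10 - - [05/Oct/2014:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
];

foreach (scanAccessLog($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

A legitimate update also calls restore.php from the administrator's browser, so compare flagged addresses against known administrator addresses and update times before treating a finding as hostile.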

Timeline

[24.09.2014] – Asking for direct contact at JSST and Akeeba Backup
[24.09.2014] – Advisory + PoC disclosure to both vendors
[24.09.2014] – Patch provided by Akeeba Backup for review
[29.09.2014] – CVE-2014-7228 and CVE-2014-7229 assigned
[30.09.2014] – Security updates for affected Akeeba products released
[30.09.2014] – Joomla! 3.3.5 released
[01.10.2014] – Joomla! 3.3.6 released

This entry was posted on Sunday, October 5th, 2014 at 10:22 pm and is filed under PHP, Vulns, Web Security.

Akeeba backup manager

If you need to review your backups, go to the Akeeba Backup by clicking on the COMPONENTS menu item near the top of the screen. Then click on Akeeba Backup. Here you can manage the backups that have been made with Akeeba. You can also create a backup from this point. You can use Akeeba Kickstart to restore a backup as per the instructions below.

Restoring a Joomla Backup using Akeeba Kickstart

Before you begin the restoration, make sure to review the following checklist. You should know these items BEFORE you restore your backup.

Caution: Be aware of the version of Joomla you are restoring; it may require a specific version of PHP (for example: Joomla 1.5 requires PHP 5.2).
  • Are you restoring over top of an existing Joomla installation? The simplest restore using Akeeba is to replace the existing installation without changing any of the settings.
  • Do you know the database user and password? If you are moving the database to a new host, then you will need to make sure the user name and password meet the host’s requirements.
  • Do you know the Admin password? The Super settings require that you enter the password.
  • Directory location (only if the restore is occurring in a different directory)
  • Did you download Kickstart from Akeeba?
  • If you are working in different language, you will need the language file included with the Kickstart files.
  1. Obtain your backup file from Akeeba and make sure that it’s at the root of the directory where you are going to restore it. If you’re restoring over top of another installation, then the compressed file should be in root directory of the Joomla installation.
  2. Copy your KICKSTART.PHP file into the directory where you are restoring the backup. If you’re working in a different language, make sure to also copy the corresponding language file(s).
  3. Akeeba Kickstart notes

    Run the URL based on the Kickstart file and location. For example: https://domain_name.com/joomla-backup-folder/kickstart.php. You will see a warning screen labeled “Things you should know about Akeeba Kickstart.” Make sure that your backup is in the same folder as the kickstart file. Please make sure to read through the warnings.

  4. Click on ESC or the link to close the message.
  5. You should see the ANGIE (Akeeba Next Generation Installer Engine) Pre-installation check running before you start the restoration. Once you review all of the settings here, click on the blue button that is labeled NEXT.
  6. Database restoration settings

    The next step is the DATABASE RESTORATION phase. You will see all of the settings for the database that you can change here. Make sure these settings match with your current restore. If you’re restoring an Akeeba database from a different host, then you need to double-check the name conventions used by the host for their databases. You might need to change them. For example, InMotion Hosting uses database names that start with the account user name: username5_databasename or username5_dbusername.

  7. Once you have reviewed your DB settings, click on NEXT in order to proceed.
  8. Database Restore successful

    When the database restoration is complete, you will see a confirmation of this. Click on the green button labeled NEXT STEP.

  9. Site Settings

    The next phase of the restoration is called SITE SETTINGS. Again, as in the database section, you need to make sure that your user name, password and other site settings are setup the way you want them. This section is where you would change the directory settings if they are different from the previous installation when you did the backup. Click on the blue NEXT button to continue.

  10. Restoration warnings

    You will then get a completion screen with a warning reminding you of the possible differences if you're moving a restoration between servers. Click on the remove installation folder.

  11. Akeeba Restoration and Clean Up

    You will then see a screen labeled “6- Restoration and Clean Up.” Click on the green button.

  12. Links to front end and backend

    Your restore is now complete! The last screen allows you to view the front end and backend of the site in order to see if it’s working. It also provides you a link in case something has gone wrong with the restoration.

That completes the restoration steps for Akeeba’s Kickstart application. Remember to make use of their documentation and videos if you have any questions regarding the settings or operation of the Kickstart program. For information on creating a backup with Akeeba, go to Joomla Backups Education Channel.

Arnel Custodio, Content Writer I

As a writer for InMotion Hosting, Arnel has always aimed to share helpful information and provide knowledge that will help solve problems and aid in achieving goals. He's also been active with WordPress local community groups and events since 2004.


The Joomla! Forum™

[Solved] Akeeba KickStart Help Needed Desperately!

Post by HFTobeason » Wed Jul 11, 2018 11:20 pm

I've successfully:

• backed up, downloaded, and uploaded my site from my old server to my new server using Akeeba Backup.

• installed kickstart.php, run it, and confirmed a good FTP connection and a writable kicktemp directory.

However, when running KickStart, it will inevitably throw the dreaded:
  • AJAX Loading Error
    HTTP Status: 500 (Internal Server Error)
    Internal status: error
    XHR ReadyState: 4
    Raw server response:
    Internal Server Error
Most of the site has, curiously, been unpacked. And every time I re-run KickStart, it seems to get a little bit further before throwing the error.

Any ideas/suggestions would be very much appreciated.

Thanks.

KickStart Core 5.4.2
Joomla 1.5.26
PHP 5.6
Last edited by imanickam on Fri Jul 13, 2018 3:11 pm, edited 2 times in total.
Reason: Marked the topic as Solved
