Gonna bring this back again...lol. Just talking out loud and asking more questions trying to maybe trigger what is causing this...Things were fine for several weeks but lately it's been happening again...
I DO appreciate any input...
The latest 2 errors are coming from functions-basic.php line 882:
$output_string = kses($input_string, $allowed_tags);
Then the other reference is template-functions.php line 4517:
$short2 = kses($short.'', $allowed_tags);
I'm seeing both are associated with kses and allowed_tags. However, my site doesn't allow users to add tags and I only have a few tags assigned.
It also seems to always be associated with colorbox as the referrer.
I know we have yet to be able to replicate this error, but I'm just trying to brainstorm ideas and figure out what's exactly happening with the code in question.
Thanks for your patience.
Mike
Allowed tags doesn't mean "tags". Actually it is the wrong word because it refers to the html elements allowed in fields like comments or other fields that don't use the TinyMCE editor (sometimes html elements are called "tags" as well).
What are the actual errors you got?
First, I suspect that there is some confusion of terms here. Tags is unfortunately used in two different contexts here. The first, in "allowed_tags" refers to HTML markup tags. "Tags assigned" presumably refers to image and album tags which are used for searches, etc.
Zenphoto will always parse user input for potential hacker ploys. One of the things it does is purge any HTML tags that are not on the "approved" list. That is what the kses function is doing.
It could well be that some hacker is exploiting your site and passing strings that are somehow causing the kses function to crash. What else besides colorbox is in the referer chain? Maybe that is a clue.
Ok good - I had a feeling it was something to do with comments. I changed spam filters a little while back so I'm not getting ANY spam comments coming through and this error has seemed to be happening less frequently since changing spam filters - but I guess they are still trying to spam and for whatever reason maybe it's triggering this error? idk. I suppose I could disable comments altogether but only as a last resort.
Full error:
[Mon Sep 24 11:54:20 2012] [error] [client xx.xxx.xxx.xxx] ALERT - canary mismatch on efree() - heap overflow detected (attacker 'xx.xxx.xxx.xxx', file '......../zp-core/functions-basic.php', line 882), referer: http://www.mikemartinelli.com/colorbox.css
Attacker IP address could be anyone visiting the site at that time - not necessarily an attacker.
Sometimes the referrer is colorbox, sometimes it's index.php and sometimes it's an external site I've posted on which links back to my site...sometimes there is NO referrer at all.
Thanks again
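To check which sanitizing call sites and referers the alerts actually cluster on, the error_log line quoted above can be tallied. This is an added example, not part of the original thread or of Zenphoto; the sample lines, IP addresses, paths and host names are constructed, and only the line layout is taken from the quoted error.

```python
import re
from collections import Counter

# Layout of the suhosin ALERT line as it appears in the quoted Apache error_log entry.
ALERT_RE = re.compile(
    r"^\[(?P<when>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"ALERT - (?P<alert>.+?) \(attacker '(?P<attacker>[^']*)', "
    r"file '(?P<file>[^']*)'(?:, line (?P<line>\d+))?\)"
    r"(?:, referer: (?P<referer>\S+))?\s*$"
)

# Constructed sample log (documentation IP ranges, made-up paths and hosts).
SAMPLE_LOG = """\
[Mon Sep 24 11:54:20 2012] [error] [client 192.0.2.10] ALERT - canary mismatch on efree() - heap overflow detected (attacker '192.0.2.10', file '/srv/www/zp-core/functions-basic.php', line 882), referer: http://gallery.example/colorbox.css
[Mon Sep 24 12:01:03 2012] [error] [client 198.51.100.7] ALERT - canary mismatch on efree() - heap overflow detected (attacker '198.51.100.7', file '/srv/www/zp-core/template-functions.php', line 4517)
[Mon Sep 24 12:05:41 2012] [error] [client 192.0.2.10] File does not exist: /srv/www/testweb/newfolder/old.jpg
[Tue Sep 25 09:12:55 2012] [error] [client 203.0.113.44] ALERT - canary mismatch on efree() - heap overflow detected (attacker '203.0.113.44', file '/srv/www/zp-core/functions-basic.php', line 882), referer: http://forum.example/thread/123
"""

def parse_alerts(text):
    """Return one dict per suhosin ALERT line; all other log lines are skipped."""
    alerts = []
    for raw in text.splitlines():
        m = ALERT_RE.match(raw)
        if not m:
            continue
        rec = m.groupdict()
        rec["line"] = int(rec["line"]) if rec["line"] else None
        rec["referer"] = rec["referer"] or "-"   # "-" marks a request with no referer
        alerts.append(rec)
    return alerts

def summarize(alerts):
    """Count alerts per (script basename, line) and per referer."""
    sites = Counter((a["file"].rsplit("/", 1)[-1], a["line"]) for a in alerts)
    referers = Counter(a["referer"] for a in alerts)
    return sites, referers

if __name__ == "__main__":
    sites, referers = summarize(parse_alerts(SAMPLE_LOG))
    for (name, line), n in sites.most_common():
        print(f"{n:3d}  {name}:{line}")
    for ref, n in referers.most_common():
        print(f"{n:3d}  referer {ref}")
```

Matching the timestamps and client addresses of the counted alerts against the access log for the same period shows which request strings reached the sanitizer when the alert fired.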
I don't know how to get a stack trace but I will try to figure it out.
Another thing I just noticed...When the referrer is an external link I've been noticing a lot of times it's from a message board thread with images linked from my site that have been moved or no longer exist...from YEARS before I started using ZenPhoto. Not sure if that matters but I'm throwing it out there in case it jogs someone's memory.
Thanks
Do you know if there is a wildcard for 404 htaccess? For example:
404 All images that used to be
http://www.mikemartinelli.com/testweb/newfolder/*
Something like that?
Well same exact error happened to a client's site now! Ughhh!
Same error but no referrer like I get with my site...
His site has been perfectly fine for YEARS w/o issue. I recently (less than 2 months ago) upgraded from an older version to 1.4.3.2.
I had thought my issues might have been related to comments...BUT I have comments completely disabled on his site so I'm now even more baffled!
http://www.davidsonscollisioncenter.com
Not sure if this will help track down the issue but it's something new so I figured I'd post about it.
Thanks,
Mike
As previously discussed, this error is occurring when Zenphoto sanitizes any web-client input, so does not necessarily have anything to do with comments.
It is (depending on who you ask) a bug in PHP or in the suhosin patch to PHP. The problem is fairly well discussed, just do a search on canary mismatch and you will see. Certainly this is out of the realm of what Zenphoto can correct.
It probably happens when hackers attempt to compromise your site, but of course that is speculation.
Would not even have to be a form--maybe just a forged link with a ?album=some strange string. Or they could be trying to forge a post on your admin pages.
Lots of opportunities to try to hack you, but we hope all are prevented--the error is related to one of the prevention screens.
Problem is that you also apparently have the suhosin patch. I do not know exactly what that patch is supposed to do other than be a security thing, but it has come up more than once in the past as causing particular issues to Zenphoto.
Yes, it does seem that there is finger pointing going on with this problem. The PHP folks think it is a problem with the patch, the suhosin ones think it is a bug in PHP. Who knows.
I doubt re-installing PHP would help unless maybe a more recent version (if you are not there already.)