0

We have a script that pulls data from a secure site and puts it into a dropdown box for us to select, and from there it parses information into something readable. Recently that dropdown box no longer appears. The site admin of the host site said Google recently forced HTTPS, so I changed that in our code to reflect it pulling from a secure site now.

So basically the processes is as follows: User logs into our site Goes to Upload page, site prompts for the host site's user/pass Enter user/pass, screen comes up that is supposed to show dropdown after login has been authenticated. Note that I can follow the $url and login normally to it.

My question is, is there anything else I'd have to change when going from nonsecure to secure? I've included the relevant code (I believe).

       <?php 
require_once("/public_html/jumi_src/event_logs/admin_functions.php");
    if (isset($_POST["username"]) && !empty($_POST["password"]) && !isset($_POST["event_type"]))
    {
    $username = $_POST["username"];
    $password  = $_POST["password"];
      $url = "secure site here";
      $f1 = 'loginid'; // Name of field1(ON THE WEBSITE YOU'RE TRYING TO LOGIN ON!)
      $f2 = 'password'; // Name of field2(ON THE WEBSITE YOU'RE TRYING TO LOGIN ON!)
      $v1 = $username; // Value of field1(FROM THE WEBSITE YOU'RE TRYING TO LOGIN FROM!)
      $v2 = $password; // Value of field2(FROM THE WEBSITE YOU'RE TRYING TO LOGIN FROM!)
      //$find = 'Welcome to your account'; // String to search for in the page you've logged in on
      $postchars = http_build_query( array($f1 => $v1, $f2 => $v2) );

      $stream = stream_context_create( array('http' => array('method' => 'POST', 'header'  => 'Content-Type: application/x-www-form-urlencoded', 'content' =>  htmlspecialchars_decode( $postchars ) ) ) ); // Creates an array of the sourcecode, and inputs the values of the field1 and field2

      $fh = file_get_contents($url, false, $stream);  //for troubleshooting.
    //REALLY NEEDS A HANDLER FOR WHEN $FH DOESN"T COME BACK FOR SOME REASON.

    //printf("Login wasn't completed. No file was retreived. Please check your password at the htc CM login page to verify that it's good. If it is there is a systme issue. Please let Nefarious know.");

     //FOR TROUBLESHOOTING
    //  printf("<textarea rows='100' cols='100'>");
    //  printf($fh);
    //  printf("</textarea>");

    //getting the dropdown box returned from THC to select a scenario to upload
            $a = strpos($fh, "<SELECT NAME"); 
            $b = strpos($fh, "</SELECT>");     
            $c = strlen($fh) - $b;  
            $e = substr($fh, $a, -$c);
Rob Irvin
  • 11
  • 2
  • `" – ggdx Sep 17 '18 at 13:24
  • " changed that in our code to reflect it"...what did you change exactly? Just one observation...in the code above you still seem to be specifying `http` instead of `https`, unless I'm mistaken. – ADyson Sep 17 '18 at 13:25
  • 1
    @ADyson oddly enough specifying 'http' when you do a 'https' request is correct: http://php.net/manual/en/function.stream-context-create.php#74795 – Royal Wares Sep 17 '18 at 13:26
  • It was trying to pull from http:// and I updated it to pull from https:// - I read to not change the stream_content_create to https. Is this what I should do? – Rob Irvin Sep 17 '18 at 13:27
  • @AlexanderDeSousa Interesting, I didn't know that. Thanks. But still - Rob it would be useful to know what you changed in your code compared to the version which worked previously. And what exactly do you mean by "that dropdown box no longer appears."...do you mean you get a result from the webpage call but the HTML for the dropdown is missing from it? Or you're struggling to get any kind of output at all? – ADyson Sep 17 '18 at 13:27
  • @AlexanderDeSousa: There seems to be a way to do it using `ssl` also. Might be what the op needs so he can set the cafile etc: http://php.net/manual/en/function.stream-context-create.php#110158 – inquam Sep 17 '18 at 13:28
  • Possible duplicate of?: https://stackoverflow.com/questions/1975461/how-to-get-file-get-contents-to-work-with-https – Royal Wares Sep 17 '18 at 13:28
  • @ADyson the only thing I changed was making "secure site here" http:// to https://. Here is an image of what the site looks like after login: https://i.imgur.com/ACPv41W.png , Where it says "Which log to use" there is usually a dropdown where the info was pulled from the secure site that houses said logs. If that makes sense. – Rob Irvin Sep 17 '18 at 13:34
  • No not really. How is that picture related to what you're doing in your code? I assume your code downloads some HTML from the secure site? What is happening when you try to do that? Do you get some HTML back, or not? Is that picture what you get if you log in to this secure site manually instead of via your code? – ADyson Sep 17 '18 at 13:37
  • Have you looked in your logfiles etc to see if you get any kind of error during your request? It would probably help you pinpoint what the issue is. – inquam Sep 17 '18 at 13:45
  • @ADyson if I log in manually to the site it works fine. What it is supposed to do is pull this dropdown: https://i.imgur.com/pVkL5JN.png and display it on our site. From there it automatically parses the data but that's moot currently as the dropdown won't even come up. – Rob Irvin Sep 17 '18 at 13:57
  • " the dropdown won't even come up"...you mean when you log in manually or when you pull it using your code? What's the content of `$fh` when you execute your code via the new HTTPS URL? – ADyson Sep 17 '18 at 13:58
  • When I log into the host site directly, the dropdown appears as normal, but when logging into our site and trying to have the code pull it, nothing appears. I'm not very familiar with this kind of stuff, but how can I find what you are looking for, the content of $fh? – Rob Irvin Sep 17 '18 at 14:04
  • put `var_dump($fh);` after the file_get_contents() line. That's the standard way to dump the contents of a variable to the screen in PHP. Also make sure PHP errors and warnings are switched on (you can google how to do it) so any errors show up. – ADyson Sep 17 '18 at 15:01
  • @ADyson hmm that is enlightening. So adding the var_dump spit out just bool(false), and then I enabled error display and rec'd all sorts of good information: https://i.imgur.com/vIsBURb.png – Rob Irvin Sep 17 '18 at 15:09
  • ok so basically PHP cannot verify the remote server's SSL certificate – ADyson Sep 17 '18 at 15:10
  • @ADyson I've done a little research and here is some SSL info of the server. https://www.sslshopper.com/ssl-checker.html#hostname=https://bbs.hitechcreations.com/cms/cmlogs.php I'm curious if there's anything I can do on my end to help PHP resolve it correctly? – Rob Irvin Sep 17 '18 at 16:00

1 Answers1

0

Without knowing what potential error you are getting it's hard to know what is causing this. It could be an incorrect configuration on your end or an invalid certificate on the target for instance.

You could try to ignore an invalid certificate by using the context options

[
      "ssl"=>[
            "verify_peer"=>false,
            "verify_peer_name"=>false,
        ]
    ];

You can also set additional options to specify a cafile to use if needed etc.

http://php.net/manual/en/context.ssl.php

To check your configuration and figure out if something is turned off in your configuration a quick way is to run the code suggested in this answer.

https://stackoverflow.com/a/1975949/357448

inquam
  • 12,664
  • 15
  • 61
  • 101
  • 1
    Where would I put that code? Right in the PHP file? Unfortunately there is no error and I'm trying to find some log files to comb through to see if it produces anything useful. – Rob Irvin Sep 17 '18 at 13:58
  • Have you configured the PHP server to log errors? For running the code you could make a new small script on the server and just run it and check the output. – inquam Sep 17 '18 at 14:04
  • Here's a block of the PHP logs, they just repeat (was too long to post as text) https://i.imgur.com/neGBvld.png – Rob Irvin Sep 17 '18 at 14:27
  • I've also added in the ssl verify_peer code directly under the $url, but no different results. – Rob Irvin Sep 17 '18 at 14:37
  • It seems ignoring it won't help at all. I've turned on Joomla's PHP reporting and this is the setup I get: Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /home4/ahevent2/public_html/components/com_jumi/views/application/view.html.php(77) : eval()'d code on line 21 Along with a failed to open stream message. I've also tried to specify the CA file but did not have any luck there either. Comodo is the SSL provider and it was in the Mozilla CA already... – Rob Irvin Sep 17 '18 at 17:45
  • The small patch of log show nothing of interest. The message `SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed` indicates that the issue is with verifying the SSL certificate. I'm unsure of which version of PHP etc you run, but have a look in this question for suggestions to try: https://stackoverflow.com/questions/26148701/file-get-contents-ssl-operation-failed-with-code-1-and-more – inquam Sep 18 '18 at 10:46
  • My cpanel is set to 5.6 as well. I did find that thread and tried a couple of the suggestions with no luck. Is there a good way to utilize the cacert.pem file? I've seen multiple different ways to insert it into the php.ini but none have worked, I'm afraid I might just be doing it wrong. I did run that script you posted yesterday and got the expected results (openssl yes, http yes, and https yes). – Rob Irvin Sep 18 '18 at 13:20