ECE (Emergency Configuration Editor)

One off tools that don't edit core files and perform single use functions
Dion
New member
Posts: 32
Joined: Fri Dec 06, 2024 3:37 am

ECE (Emergency Configuration Editor)

Post by Dion »

The Emergency Configuration Editor (ECE) allows admins to securely access and modify selected phpBB configuration settings to fix broken logins due to incorrect ACP settings. ECE automatically fixes most broken cookie settings, and it automatically disables three obsolete security settings that should never be enabled on a production phpBB board:
The "Check IP against DNS Blackhole List" security option is broken, and the "Validate X_FORWARDED_FOR header" and "Tie forms to guest sessions" security options have high false positive rates (sometimes as much as 50%). These were good options in 2009. It's 2025. :-)
ECE requires an installed (deactivated is OK) Prosilver theme for its login page, which should not be an issue since Prosilver has been uninstallable since phpBB 3.2.8. And for that reason, ECE requires phpBB 3.3, or 3.2.8 - 3.2.11.

To install ECE, un-zip the attached archive and place the ece.php file in your phpBB root directory. To run ECE, point your browser to the ece.php file. If you are currently logged out of phpBB, you will see a login page using the Prosilver theme. Enter your credentials to log in, and if you have the required permissions, you will see the ECE main page.

If you log in to ECE, click the ACP button, and do not see the ACP re-authentication page, it means that one or more of the phpBB settings displayed in ECE is incorrect. You should log back in to ECE, remove checkmarks on all phpBB settings that have a checkmark, save the new settings, and then click the ACP button. If you can now see the ACP re-authentication page, then log into the ACP and experiment to see which formerly-checkmarked setting was causing the problem. (Best guess is the "Session IP validation" and/or "Validate Referrer" security settings because their false positive rates are also high.)

If you are unable to log in to ECE, then you may have browser issues, or perhaps your webserver (Apache/nginx/litespeed/etc) is blocking your access. If you rule out browser issues, then you should contact your hosting company.

Otherwise, please feel free to ask questions about ECE, and I'll do my best to answer them. There are also a few "outside-the-box" tricks in the code that might be of interest to extension developers.

EDIT 03/07/25: ECE has been updated to correct a potential bug in the determination of the default cookie and server domain, and to add support for the "Use SMTP server for email" setting.


ece.zip (6.78 KiB)
Kailey
Administrator
Posts: 69
Joined: Sat May 18, 2024 4:11 am
Name: Kailey Snay

Re: ECE (Emergency Configuration Editor)

Post by Kailey »

I've been meaning to reply to this. Would you mind uploading it to GitHub? If not, I can do it.
Dion
New member
Posts: 32
Joined: Fri Dec 06, 2024 3:37 am

Re: ECE (Emergency Configuration Editor)

Post by Dion »

Please feel free to upload ECE to the phpBB Modders GitHub account. Note that I won't be responding to any issues or pull requests that may be posted there; all support I may provide for ECE will be in this topic.
Stoker
New member
Posts: 6
Joined: Mon Mar 03, 2025 10:44 am

Re: ECE

Post by Stoker »

Is it on purpose that ECE deletes the Cookie domain?
It's blank after running it.
Dion
New member
Posts: 32
Joined: Fri Dec 06, 2024 3:37 am

Re: ECE (Emergency Configuration Editor)

Post by Dion »

Stoker wrote: Thu Mar 06, 2025 12:38 pm
Is it on purpose that ECE deletes the Cookie domain?
It's blank after running it.

(Moved your post to the ECE topic)

That depends on what the original and new values for the cookie domain were. If the original was blank (which phpBB supports), it will remain blank unless you change it in ECE. If the cookie domain was originally invalid, or if you changed the value to something invalid, ECE will change it to the value of $_SERVER['SERVER_NAME'].

If a webserver (Apache/nginx/litespeed/etc) was incorrectly configured and generated a blank value for $_SERVER['SERVER_NAME'], then ECE would set an invalid cookie domain to blank. That's the only way I can see how ECE would set a blank value for cookie domain.

However, if your original or modified cookie domain was valid and ECE changed it, please let me know (here or via PM) that value, and I'll check whether your cookie domain is triggering some sort of bug in ECE.
Stoker
New member
Posts: 6
Joined: Mon Mar 03, 2025 10:44 am

Re: ECE (Emergency Configuration Editor)

Post by Stoker »

I tested it twice.
The cookie domain was domain.com
Secure Cookie enabled

After hitting Submit button, cookie domain was gone.

I'm pretty sure it's a bug. The domain has worked well with that cookie domain for years.

The screenshots are from a subdomain, but it is also tested on a normal domain.
1.png
2.png
I couldn't attach files in PM, so if you just delete the screenshots when you have seen them ;)
Dion
New member
Posts: 32
Joined: Fri Dec 06, 2024 3:37 am

Re: ECE (Emergency Configuration Editor)

Post by Dion »

Attachments deleted.

I'd like for you to check your phpinfo() page for the value of $_SERVER['SERVER_NAME'] -- is it your domain name, is it something else, or is it blank? If it's anything other than your domain name, then your webserver is misconfigured and it's causing issues with ECE. If it's your domain name, then please locate the following line in ece.php (about line 161):

Code:

$domain = $request->server('server_name');

Change it to this:

Code:

$domain = strtolower(html_entity_decode($request->header('Host', $request->server('SERVER_NAME')), ENT_COMPAT));

If that resolves the issue, then I'll update ece.php with this line and re-upload the archive here.
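
An added example, not part of the original post or of ece.php: one way to apply the fallback described in this thread, keeping a blank or matching cookie domain and otherwise substituting a syntax-checked request host. The function names and sample requests are hypothetical, and the plain `$server` array stands in for phpBB's request object.

```php
<?php
// Added illustration: function names and sample values are hypothetical, not taken from ece.php.

// Lowercase, drop port and trailing dot; return '' unless the result is a plain hostname.
function normalize_host(string $raw): string
{
    $host = strtolower(trim($raw));
    if ($host === '' || $host[0] === '[') {   // empty, or bracketed IPv6 literal
        return '';
    }
    $host = rtrim((string) preg_replace('/:\d+$/', '', $host), '.');
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return preg_match('/^' . $label . '(?:\.' . $label . ')*$/', $host) === 1 ? $host : '';
}

// True when $host equals the cookie domain or is a subdomain of it.
function cookie_domain_matches(string $cookie_domain, string $host): bool
{
    $domain = normalize_host(ltrim($cookie_domain, '.'));
    if ($domain === '' || $host === '') {
        return false;
    }
    $suffix = '.' . $domain;
    return $host === $domain || substr($host, -strlen($suffix)) === $suffix;
}

// Keep a blank or matching cookie domain; otherwise fall back to the request host.
function resolve_cookie_domain(string $configured, array $server): string
{
    // Host is client-supplied, so it is syntax-checked before use; SERVER_NAME is the fallback.
    $host = normalize_host($server['HTTP_HOST'] ?? '');
    if ($host === '') {
        $host = normalize_host($server['SERVER_NAME'] ?? '');
    }
    if ($configured === '' || cookie_domain_matches($configured, $host)) {
        return $configured;
    }
    return $host;   // '' when the web server supplies no usable name
}

// Constructed sample requests
$cases = [
    ['example.com', ['HTTP_HOST' => 'Forum.Example.com:443']],  // subdomain request with a port
    ['example.com', ['SERVER_NAME' => '']],                     // web server reports a blank name
    ['typo.invalid', ['SERVER_NAME' => 'forum.example.com']],   // configured domain does not match
];
foreach ($cases as [$configured, $server]) {
    printf("%-14s => '%s'\n", $configured, resolve_cookie_domain($configured, $server));
}
```

The suffix comparison only checks that the host sits under the configured domain; it does not consult a public-suffix list.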
Stoker
New member
Posts: 6
Joined: Mon Mar 03, 2025 10:44 am

Re: ECE (Emergency Configuration Editor)

Post by Stoker »

It is the domain name.

The find was line 155 and the fix you posted is working.
Cookie domain is no longer deleted.
Dion
New member
Posts: 32
Joined: Fri Dec 06, 2024 3:37 am

Re: ECE (Emergency Configuration Editor)

Post by Dion »

Thanks for the report! The first post contains an updated ECE with this fix, and the update also adds a new option for the "Use SMTP server for email" setting.