Login Security Solution
[resolved] Errors while attempting to reset password (14 posts)

  1. Coatastic
    Member
    Posted 1 year ago #

    I received an email telling me that my site was under attack; when I next logged in, I was forced to reset my password via email. After clicking on the link in the email and choosing a new password, I get the following error when clicking on the reset password button:

    Warning: exec() has been disabled for security reasons in /home/ ... /plugins/login-security-solution/login-security-solution.php on line 1384
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 697
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 698
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 699
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 700
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 701
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 702
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 705
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 706
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 707
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 708
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 711
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 712
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 713
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 714
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 881

    http://wordpress.org/extend/plugins/login-security-solution/

  2. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    Hi Coatastic:

    You have safe_mode and display_errors on in your php.ini.

    First, basic security protocols dictate that display_errors should be off.

    Second, safe_mode is deprecated and has been removed in PHP 5.4, so should not be used.

    --Dan

  3. Dean Taylor
    Member
    Posted 1 year ago #

    I agree with Dan and his statements above.

    As a side note; Dan:

    Could you not code around these issues by changing the code in the following form, from this:

    protected function is_pw_dict_program($pw) {
        if ($this->available_dict === false) {
            return null;
        }

        $term = escapeshellarg($pw);
        exec("dict -m -s exact $term 2>&1", $output, $result);
        if (!$result) {
            return true;
        } elseif ($result == 127) {
            $this->available_dict = false;
            return null;
        }
        return false;
    }

    To this:

    protected function is_pw_dict_program($pw) {
        if ($this->available_dict === false) {
            return null;
        }

        $term = escapeshellarg($pw);
        // Initialise the result with an error value.
        $result = 127;
        // Suppress errors with "@"
        @exec("dict -m -s exact $term 2>&1", $output, $result);
        if (!$result) {
            return true;
        } elseif ($result == 127) {
            $this->available_dict = false;
            return null;
        }
        return false;
    }

    Obviously this would need to be done in both is_pw_dictionary__grep and is_pw_dict_program.

    Cheers,
    Dean.

  4. Coatastic
    Member
    Posted 1 year ago #

    Thanks for your quick response. I'm not very well versed in php... Is this something that I would be able to fix easily? I'm not even sure where the php.ini is located.

  5. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    Hi Coatastic: Check your web host's documentation and/or customer service department. Use search engines for any remaining questions. --Dan

  6. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    I just committed a change that will skip the exec() calls if safe_mode is on. It will be in the next release, 0.34.0, whenever that comes out.

    Dean: For future reference, pre-setting $result was unnecessary in my tests (PHP 5.2 on a Linux box).

  7. Dean Taylor
    Member
    Posted 1 year ago #

    Nice one Dan.

    FYI: I did a quick search on the topic; it seems not only safe mode can cause the issue.

    Hosting providers can choose to disable the exec function.

    I thought the following was a nice snippet for testing:
    http://stackoverflow.com/a/8094814

    Note: I haven't reviewed your code changes; they may well do this already.

  8. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    Dean:

    Great catch! Turns out the error Coatastic is seeing is from the disable_functions ini setting. I adjusted this plugin's code accordingly and pushed it to Github.

    Also, thanks for the inspiration to finally sign up for a Stack Overflow account. I took the function from here and copied it to a new answer on that thread (upvote! :)).

    Thanks,

    --Dan
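
One way to test for exec() before calling it, covering both the safe_mode and disable_functions cases raised in this thread, so the dictionary check is skipped instead of emitting a warning. This is an added example, not the plugin's code or the Stack Overflow snippet; the function names are hypothetical and it assumes PHP 7.1 or later.

```php
<?php
// Added example; function names are hypothetical. Assumes PHP 7.1+.

/** Decide from raw ini strings (as ini_get() returns them) whether exec() is permitted. */
function exec_allowed_by_ini(array $ini): bool
{
    // safe_mode: ini_get() yields false where the setting no longer exists.
    $safe = strtolower(trim((string) ($ini['safe_mode'] ?? '')));
    if (in_array($safe, ['1', 'on', 'true', 'yes'], true)) {
        return false;
    }
    // disable_functions is a comma-separated list, often with stray spaces.
    $list = strtolower((string) ($ini['disable_functions'] ?? ''));
    return !in_array('exec', array_map('trim', explode(',', $list)), true);
}

/** Cached answer for the running interpreter. */
function exec_is_available(): bool
{
    static $available = null;
    if ($available === null) {
        $available = function_exists('exec') && exec_allowed_by_ini([
            'safe_mode'         => ini_get('safe_mode'),
            'disable_functions' => ini_get('disable_functions'),
        ]);
    }
    return $available;
}

/** true/false for a dictionary hit, null when the check cannot be run. */
function is_pw_in_dict(string $pw): ?bool
{
    if (!exec_is_available()) {
        return null; // skipped cleanly: no warning, so nothing is sent before the headers
    }
    exec('dict -m -s exact ' . escapeshellarg($pw) . ' 2>&1', $output, $status);
    if ($status === 0) {
        return true;
    }
    return $status === 127 ? null : false; // 127: dict is not installed
}

// Constructed ini values, not taken from any real host.
$samples = [
    'shared host' => ['safe_mode' => false, 'disable_functions' => 'passthru, exec ,system'],
    'safe_mode'   => ['safe_mode' => '1', 'disable_functions' => ''],
    'default'     => ['safe_mode' => false, 'disable_functions' => ''],
];
foreach ($samples as $label => $ini) {
    printf("%-12s exec allowed: %s\n", $label, var_export(exec_allowed_by_ini($ini), true));
}
```

Checking up front, rather than suppressing the warning with "@", keeps unrelated exec() failures visible in the error log.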

  9. Dean Taylor
    Member
    Posted 1 year ago #

    Dan:

    Excellent work, up-voted :)

    Cheers,
    Dean.

  10. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    The new release, 0.34.0, is now out and has this fix in it. Coatastic, when you get a moment, I would appreciate it if you can rate the plugin and provide a "works" vote for the new release.

  11. elainehh
    Member
    Posted 1 year ago #

    I have exactly the same problem. As for the solution mentioned:

    "You have safe_mode and display_errors on in your php.ini. First, basic security protocols dictate that display_errors should be off. Second, safe_mode is deprecated and has been removed in PHP 5.4, so should not be used."

    I have no idea how to do this. I am using doteasy hosting. I have googled this to no avail. I have now been locked out of my website for over a week and have no idea how to get back into it :( I can get into it via FTP but cannot see a php.ini file anywhere.

    Any advice / direction much appreciated.

    Elaine.

  12. Coatastic
    Member
    Posted 1 year ago #

    If you can access your files via FTP or cPanel, just delete the folder for this plugin. wp-content / plugins.

  13. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    Elainehh:

    1) If you are seeing the errors mentioned in this post, you're not using the latest version of the plugin. Please upgrade the plugin to version 0.34.0.

    2) The bug in question just makes a mess on your screen; it doesn't prevent you from logging in. Anyway, if you still can't get in, you can download the latest version of the plugin to your personal computer, unzip it, then upload those files to your web server via SFTP.

    3) Ask your ISP how to adjust your php.ini settings.

    --Dan

  14. elainehh
    Member
    Posted 1 year ago #

    Thank you. I deleted the plugin files via FTP, then logged in fine & now have the new version of the plugin set up.

    Thanks for stopping my website being hacked! :)
    Elaine.

Topic Closed

This topic has been closed to new replies.