ThreeWP Activity Monitor Version 2.3
Bug 1: WordPress tried to log in ..
Some people have already seen the activity "WordPress tried to log in .." in their log, with an empty ?user_id= in the URL.
This happens if a non-existing username is entered at login.
ThreeWP Activity Monitor does not check whether the username is valid. It always uses the ID property of the $user_data object (even if the object does not exist) or assumes $current_user always exists.
Lines 566, 578:
$user_data = get_userdatabylogin( $username );
...
$this->sql_stats_increment( $user_data->ID, 'login_failure' );
Lines 997, 1001, 1021, ...
global $current_user;
...
$user_id = $current_user->ID; // Convenience
...
$replacements[ '%user_login%' ] = $current_user->user_login;
The code should be enhanced with error-checking to detect invalid usernames...
Bug 2: Undefined index: REMOTE_HOST
The variable $_SERVER['REMOTE_HOST'] is used without error-checking. Many servers do not support this variable; see also the note at php.net: "Your web server must be configured to create this variable. For example in Apache you'll need HostnameLookups On inside httpd.conf for it to exist."
Line 1017:
'%server_http_remote_host%' => $_SERVER['REMOTE_HOST'],
Suggested fix:
'%server_http_remote_host%' => (isset($_SERVER['REMOTE_HOST'])) ? $_SERVER['REMOTE_HOST'] : @gethostbyaddr($_SERVER['REMOTE_ADDR']),
The same problem occurs in lines 1365, etc.
http://wordpress.org/extend/plugins/threewp-activity-monitor/
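The checks both bugs call for, as an added example that is not the plugin's code or part of the original post. The helper names am_failed_login_user_id and am_remote_host are hypothetical, and the get_userdatabylogin stub with its sample user exists only so the block runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. Stub used only outside WordPress;
// the user table below is constructed sample data.
if ( ! function_exists( 'get_userdatabylogin' ) ) {
    function get_userdatabylogin( $login ) {
        $users = array( 'admin' => (object) array( 'ID' => 1, 'user_login' => 'admin' ) );
        return isset( $users[ $login ] ) ? $users[ $login ] : false;
    }
}

// Hypothetical helper: returns the user ID for a failed login, or null
// when the username does not exist, so the caller never reads ->ID on false.
function am_failed_login_user_id( $username ) {
    $user_data = get_userdatabylogin( $username );
    return ( is_object( $user_data ) && isset( $user_data->ID ) ) ? (int) $user_data->ID : null;
}

// Hypothetical helper: REMOTE_HOST if the server sets it, otherwise a reverse
// lookup of a validated REMOTE_ADDR, otherwise an empty string.
function am_remote_host( array $server ) {
    if ( isset( $server['REMOTE_HOST'] ) && $server['REMOTE_HOST'] !== '' ) {
        return $server['REMOTE_HOST'];
    }
    $addr = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';
    if ( filter_var( $addr, FILTER_VALIDATE_IP ) === false ) {
        return '';
    }
    // gethostbyaddr() returns false on malformed input and the
    // unmodified IP when no reverse record exists.
    $host = gethostbyaddr( $addr );
    return ( $host === false ) ? $addr : $host;
}

// Constructed sample input: one existing and one non-existing username.
foreach ( array( 'admin', 'no-such-user' ) as $login ) {
    $id = am_failed_login_user_id( $login );
    if ( $id === null ) {
        echo "login_failure for unknown username; no per-user counter updated\n";
    } else {
        echo "login_failure counted for user ID $id\n";
    }
}
echo am_remote_host( array( 'REMOTE_ADDR' => 'not-an-ip' ) ) === '' ? "invalid address skipped\n" : "unexpected\n";
echo am_remote_host( array( 'REMOTE_HOST' => 'client.example.test' ) ), "\n";
```

A hostname obtained by reverse lookup is set by whoever controls the reverse DNS zone for the client address, so escape it like any other request-supplied value when the log is displayed.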