HMWG (Free ver) possible bug
I have been having an odd issue lately that seems to only affect the places changed by HMWG, especially the wp-admin area. Normally everything works fine, but certain pages like admin/post.php?post=38&action=edit (which is basically the admin path but changed with HMWG active to change the admin directory) would show only a “Sorry, you are not allowed to edit posts in this post type.” This happens only in other specific areas, but usually they are all within wp-admin/* and seem to need some hidden permission(?) that I can’t see. After doing some digging into my docker logs and changing a LOT of nginx configs I have narrowed it down using the only error that appears (and only with HMWG active) when using the rewritten URLs:
[error] 23#23: *1225 FastCGI sent in stderr: "PHP message: PHP Warning: Undefined array key 1 in /var/www/html/wp-includes/vars.php on line 32" while reading response header from upstream
When going to this place in the file it seems to be this:

// On which page are we?
if ( is_admin() ) {
    // wp-admin pages are checked more carefully.
    if ( is_network_admin() ) {
        preg_match( '#/wp-admin/network/?(.*?)$#i', $_SERVER['PHP_SELF'], $self_matches );
    } elseif ( is_user_admin() ) {
        preg_match( '#/wp-admin/user/?(.*?)$#i', $_SERVER['PHP_SELF'], $self_matches );
    } else {
        preg_match( '#/wp-admin/?(.*?)$#i', $_SERVER['PHP_SELF'], $self_matches );
    }

    $pagenow = $self_matches[1];
    $pagenow = trim( $pagenow, '/' );
    $pagenow = preg_replace( '#\?.*?$#', '', $pagenow );

    if ( '' === $pagenow || 'index' === $pagenow || 'index.php' === $pagenow ) {
        $pagenow = 'index.php';
    } else {
        preg_match( '#(.*?)(/|$)#', $pagenow, $self_matches );
        $pagenow = strtolower( $self_matches[1] );
        if ( '.php' !== substr( $pagenow, -4, 4 ) ) {
            $pagenow .= '.php'; // For `Options +Multiviews`: /wp-admin/themes/index.php (themes.php is queried).
        }
    }
} else {
    if ( preg_match( '#([^/]+\.php)([?/].*?)?$#i', $_SERVER['PHP_SELF'], $self_matches ) ) {
        $pagenow = strtolower( $self_matches[1] );
    } else {
        $pagenow = 'index.php';
    }
}
and it’s breaking at the
$pagenow = $self_matches[1];
part.
This is honestly all I could find after 20 hours of searching.
I have made sure all my file permissions are correct. Nginx is correct and doesn’t block anything; it seems to just be this plugin with the WordPress panel. I hope we can find a fix for this as I love this plugin and constantly typing in “wp-admin” over my rewritten address is getting a bit annoying :/
Note: yes, I tried downgrading. Did not work.
This topic was modified 1 year, 8 months ago by
Gyztor. Reason: fixing some info
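The $pagenow derivation quoted in the first post, re-run outside WordPress as an added example (this is not code from the thread or from the Hide My WP Ghost plugin). It assumes the admin rewrite is meant to be an internal one, so the PHP_SELF that PHP sees still names the real /wp-admin/ script; how the plugin's own hidemywpghost.conf performs the rewrite is not shown in the thread. The /backend-panel/ requests, the admin_path_report() helper and the file name in the usage note are all constructed for the example.

```php
<?php
// Added example, not code from the thread or from the Hide My WP Ghost plugin.
// It re-runs the $pagenow derivation that wp-includes/vars.php performs for
// ordinary admin screens, so you can see what WordPress concludes when
// PHP_SELF still says /wp-admin/... versus when a rewritten admin path
// (the constructed /backend-panel/ below) leaks through to PHP.

declare(strict_types=1);

/**
 * Mirror of the non-network, non-user branch of vars.php.
 * Returns the resolved $pagenow plus whether the /wp-admin/ regex matched.
 */
function resolve_pagenow(string $php_self): array
{
    $matched = (bool) preg_match('#/wp-admin/?(.*?)$#i', $php_self, $self_matches);

    if (!$matched) {
        // This is the branch behind the thread's warning: on no match
        // $self_matches is an empty array, reading $self_matches[1] raises
        // "Undefined array key 1", and the null value falls through to the
        // '' === $pagenow test, so the request is classified as index.php
        // regardless of which admin screen was really requested.
        return ['matched' => false, 'pagenow' => 'index.php'];
    }

    $pagenow = trim($self_matches[1], '/');
    $pagenow = preg_replace('#\?.*?$#', '', $pagenow);

    if ('' === $pagenow || 'index' === $pagenow || 'index.php' === $pagenow) {
        return ['matched' => true, 'pagenow' => 'index.php'];
    }

    // Keep only the first path segment, then force a .php suffix
    // (/wp-admin/themes/index.php is really themes.php under Multiviews).
    preg_match('#(.*?)(/|$)#', $pagenow, $self_matches);
    $pagenow = strtolower($self_matches[1]);
    if ('.php' !== substr($pagenow, -4, 4)) {
        $pagenow .= '.php';
    }

    return ['matched' => true, 'pagenow' => $pagenow];
}

/**
 * Diagnostic check for a rewritten admin path (hypothetical helper): given the
 * $_SERVER values of an admin request, report whether the rewrite layer left
 * PHP_SELF pointing at the real wp-admin script. In a live site the same call
 * can sit in an mu-plugin guarded by is_admin() and write to your own log.
 */
function admin_path_report(array $server): string
{
    $self = $server['PHP_SELF'] ?? '';
    $uri  = $server['REQUEST_URI'] ?? '';
    $r    = resolve_pagenow($self);

    $verdict = $r['matched']
        ? 'OK: PHP sees the real wp-admin script'
        : 'LEAK: rewritten path reached PHP_SELF; vars.php cannot classify the screen';

    return sprintf('request=%s php_self=%s pagenow=%s -> %s', $uri, $self, $r['pagenow'], $verdict);
}

// Constructed sample requests. The first two are what a correct internal
// rewrite produces (browser URL under /backend-panel/, script still under
// /wp-admin/); the third is the failure mode, where the public prefix
// survived into PHP_SELF.
$samples = [
    ['REQUEST_URI' => '/backend-panel/post.php?post=38&action=edit', 'PHP_SELF' => '/wp-admin/post.php'],
    ['REQUEST_URI' => '/backend-panel/themes/index.php',            'PHP_SELF' => '/wp-admin/themes/index.php'],
    ['REQUEST_URI' => '/backend-panel/post.php?post=38&action=edit', 'PHP_SELF' => '/backend-panel/post.php'],
];

foreach ($samples as $s) {
    echo admin_path_report($s), PHP_EOL;
}
```

Save it as, say, pagenow_check.php and run it with the PHP CLI. The first two samples resolve to post.php and themes.php; the third never matches the /wp-admin/ pattern, which is exactly the spot where vars.php reads $self_matches[1] and emits the warning quoted in the post (PHP 8 reports a missing array key as a warning, PHP 7.4 as a notice), and WordPress then treats the request as index.php. A LEAK line for a real admin request means whatever sits in front of PHP (nginx include order, a proxy, or the plugin's own rules) is handing PHP the public path instead of the script path, and that is worth ruling out before chasing user capabilities.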
Hi Gyztor,
Thank you for your detailed feedback.
We haven’t received a similar issue with the plugin before, but you can try these solutions:
1. Temporarily install this plugin https://wordpress.org/plugins/user-role-editor/
For your user role, make sure you have the option to edit/update all posts/pages (while using the custom admin path). It seems that something removes the edit_posts capability on the custom admin path.
2. See if you get this error when you have only the Hide My WP Ghost plugin installed. You can temporarily deactivate all non-Hide My WP plugins in another window and refresh the editor page until you don’t receive the error message anymore.
Let me know what you find.
Best,
John
I have attempted to do both but it still seems to come up with this error, and it seems to only happen when the rewrite on the WordPress admin panel is active (as when testing without it, it does allow me to edit pages and anything else restricted; even changing the path in the web bar to the default wp-admin while it’s still active lets it work, oddly). I have also tried this on both PHP 7.4 and PHP 8.0.
EDIT: Just found it actually happens with the “Health Check & Troubleshooting” plugin too. path: admin/tools.php?page=health-check&tab=tools
I also found somewhere that explained what was happening but gave no good fixes that I have tried. It said that WordPress is not recognizing you as an admin when this happens and I was wondering if it had to do with the path being changed or not.
EDIT 2: tried turning on the XSS protection in the HMWG plugin, grasping at straws to see if I missed anything, and it still keeps the same error.
So I did some testing with switching settings and so far haven’t gotten it to work just yet. Still not sure why, but I think somehow the rewritten path may have some stuff that doesn’t like WordPress 5.9.2? Let me look through the changelogs and see if they did anything that could have changed or messed with permissions (I will do this for the docker containers for WordPress too as I used those before I switched to just a normal PHP container).
EDIT 1: nothing really stood out other than I saw it had security updates for 5.9.2 and that these packages were updated
@wordpress/edit-post@3.26.15 @wordpress/edit-site@1.16.15 @wordpress/edit-widgets@1.2.15 @wordpress/editor@9.25.14
Doubt it would do this though, as others have not had this issue before.
This reply was modified 1 year, 8 months ago by
Gyztor. Reason: update1
Thanks again for the details.
What if you set an admin path like custompanel, so it doesn’t have admin in the name?
After the change, login using a different browser or from incognito to make sure there aren’t remained cookies that affect the login session.
If you have a WordPress dedicated hosting plan, ask the host if there are any restrictions regarding the wp-admin path set on their server for security reasons.
John
I have tested changing the path to backend-panel and it did not change the result. I also custom host everything in a docker container and ensured there are no restrictions with nginx and PHP (and proof of this is that it even shows the “Sorry, you are not allowed to edit posts in this post type.”, as this is something with WordPress somehow. It’s possible it’s PHP, but I am doubtful as there is nothing there that would block it with my configs).
I should also mention this happens on two of my similarly configured sites (on the nginx and PHP part, but the WordPress is different for both as they were made at two very different times).
This reply was modified 1 year, 8 months ago by
Gyztor.
I should mention I have two sites that are also having this issue. Though they are similarly configured, it’s doubtful that both of them would run into the same issue in such a way.
Hi Gyztor,
It’s very hard to tell the exact source of the error message without an error log.
Please contact us on contact@hidemywpghost.com to continue the support as we may need more details about the server configuration.
Thank you,
John
There seriously is no error other than this:
php | NOTICE: PHP message: PHP Warning: Undefined array key 1 in /var/www/html/wp-includes/vars.php on line 32
php | NOTICE: PHP message: PHP Warning: Undefined array key 1 in /var/www/html/wp-includes/vars.php on line 32
php | NOTICE: PHP message: PHP Warning: Undefined array key 1 in /var/www/html/wp-includes/vars.php on line 32
php | - - 17/Mar/2022:16:53:59 +0000 "GET " 302
webserver | 2022/03/17 16:53:59 [error] 25#25: *741 FastCGI sent in stderr: "PHP message: PHP Warning: Undefined array key 1 in /var/www/html/wp-includes/vars.php on line 32" while reading response header from upstream, client: ***, server: website.com, request: "GET /backend-panel/ HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-socket.sock:", host: "website.com", referrer: "https://website.com/"
webserver | *** - - [17/Mar/2022:16:53:59 +0000] "GET /backend-panel/ HTTP/2.0" 302 0 "https://website.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"
php | - - 17/Mar/2022:16:53:59 +0000 "GET " 200
webserver | 2022/03/17 16:54:00 [error] 24#24: *790 FastCGI sent in stderr: "PHP message: PHP Warning: Undefined array key 1 in /var/www/html/wp-includes/vars.php on line 32" while reading response header from upstream, client: ***, server: website.com, request: "GET /ajax?action=buddyboss_theme_get_header_notifications HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-socket.sock:", host: "website.com", referrer: "https://website.com/"
php | - - 17/Mar/2022:16:53:59 +0000 "GET " 200
webserver | *** - - [17/Mar/2022:16:54:00 +0000] "GET /ajax?action=buddyboss_theme_get_header_notifications HTTP/2.0" 200 188 "https://website.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"
webserver | 2022/03/17 16:54:00 [error] 25#25: *745 FastCGI sent in stderr: "PHP message: PHP Warning: Undefined array key 1 in /var/www/html/wp-includes/vars.php on line 32" while reading response header from upstream, client: ***, server: website.com, request: "GET /ajax?action=buddyboss_theme_get_header_unread_messages HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-socket.sock:", host: "website.com", referrer: "https://website.com/"
webserver | *** - - [17/Mar/2022:16:54:00 +0000] "GET /ajax?action=buddyboss_theme_get_header_unread_messages HTTP/2.0" 200 153 "https://website.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"
php | - - 17/Mar/2022:16:54:00 +0000 "GET " 200
webserver | *** - - [17/Mar/2022:16:54:01 +0000] "GET / HTTP/2.0" 200 57831 "https://website.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"
key:
*** = an IP address
I have seriously been looking for errors for 5 days and can’t find any that lead anywhere but useless (due to the fact it has been patched) or already tried advice. I wish I knew more information but I honestly don’t, nor can I find any (as I use docker, all error/access logs are put here), but all it tells me is that something is wrong with wp-includes/vars.php and specifically the part where it tries to see if you’re admin or not (the
if ( is_admin() ) {
). Everything else works but the admin panels. The only thing at this point is whether it is either Cloudflare or WordPress, and I would say from the fact that the requests are getting to my server it’s not Cloudflare. So then it’s WordPress, and the only time this error appears is when the paths are changed by the plugin.
nginx config (with anything hidden or changed to still represent and do the same thing without giving my setup away):
website1.com.conf:
KEY:
*** = unrelated and working file path

server {
    listen 0.0.0.0:443 ssl http2 reuseport;
    server_name website.com www.website.com;
    set $base /var/www/html;
    root /var/www/html;

    # SSL
    ssl_certificate /etc/letsencrypt/live/website.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/website.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/website.com/chain.pem;

    proxy_busy_buffers_size 512k;
    proxy_buffers 4 512k;
    proxy_buffer_size 256k;
    fastcgi_buffers 16 256k;
    fastcgi_buffer_size 256k;

    # security
    include nginxconfig.io/security.conf; # possibly affects but highly doubt it

    # index.php
    index index.php;

    # index.php fallback
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    include /var/www/html/hidemywpghost.conf;

    # additional config
    include nginxconfig.io/general.conf; # does not block anything relating to this
    include nginxconfig.io/wordpress.conf; # does not block anything relating to this

    location ~* /wp-content/***/***/ {
        if ( $upstream_http_x_accel_redirect = "" ) { return 403; }
        internal;
    }
    location ~* /wp-content/***/***/ {
        if ( $upstream_http_x_accel_redirect = "" ) { return 403; }
        internal;
    }
    location ~* /wp-content/***/***/ {
        if ( $upstream_http_x_accel_redirect = "" ) { return 403; }
        internal;
    }
    location ~* /wp-content/***/***/ {
        autoindex off;
    }
    location ~* /wp-content/***/***/ {
        autoindex off;
    }
    location ~* /wp-content/***/***/ {
        autoindex off;
    }

    # handle .php
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php-socket.sock;
        fastcgi_index index.php;
        fastcgi_param PHP_VALUE "upload_max_filesize = 5120M \n post_max_size=5124M"; # only temporary and most people can't utilize anyway since it was just to ensure no bottlenecks; is not there in current config anymore.
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; # is like this because it was being broken with finding the core filepath
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_intercept_errors on;
    }

    include nginxconfig.io/letsencrypt.conf;
}
website2:
very similar to the one above

security.conf:
will probably be changed soon but prob after this is fixed

add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# . files
location ~ /\.(?!well-known) {
    deny all;
}
NOTE: I am not worried about sharing these configs as they are docker containers with different paths but work perfectly normally as if they were the original (and yes, I even did try changing the paths back to just /var/www/html and this bug still exists).
Both of my sites also behave a bit differently in how these break, but give the same error and issues.
Hi,
Try to add the include line from Hide My WP Ghost before WordPress rules:
include /var/www/html/hidemywpghost.conf;

# index.php fallback
location / {
    try_files $uri $uri/ /index.php?$query_string;
}

I think this is the error source, as the paths should be rewritten before the WordPress call.
John
Moved it, and one of the sites seems to be doing a bit better, but the restrictions still persist and the vars.php error persists too. And I’m sorry if I seem frustrated at times, I don’t mean to direct it at you; it’s just been around 5 days of searching with no fruition so far, so I have been feeling a little bit frustrated with it not working like it used to for some reason.
We’ve done some tests based on your Nginx configuration and added some changes to the plugin.
Try the version 5.0.13 where we added some updates:
https://downloads.wordpress.org/plugin/hide-my-wp.5.0.13.zip
You can download it and replace the current version from Plugins > Add New > Upload.
Good news: one of my sites has started expressing different behavior and not just outright kicking me to the front page every time I don’t have permission, which means something good was done, but it didn’t resolve the permission denied. Bad news is the error still persists.
I should mention I have been doing these tests on both PHP 7.4 and 8.0 and have had no changes between them either.
Good.
Did you do the test using the last version 5.0.13?
Restart Nginx and clear all server/plugins cache after you do the upgrade.
This reply was modified 1 year, 8 months ago by
The topic ‘HMWG (Free ver) possible bug’ is closed to new replies.