Support » Plugin: WP Mail SMTP by WPForms » PHP Warning – open_basedir security issue

  • Resolved ramseyb

    (@ramseyb)



    Hi,

    WP Mail SMTP is throwing the following PHP Warning. There appears to be an issue with your code. The only way to get this error to go away is to set open_basedir to none (disable) or install a different SMTP plugin, which does not cause this error. WP Mail SMTP does send without issue even with the PHP Warning

    IIS 10/ Windows Server 2016 / WP 4.9.1 / PHP 7.1.13 / WP Mail SMTP 1.2.2

    PHP Warning: is_readable(): open_basedir restriction in effect. File(C:\Inetpub\vhosts\domain.com\staging.domain.com/wp-content/plugins/C:\Inetpub\vhosts\domain.com\staging.domain.com\wp-content\plugins\wp-mail-smtp/languages/wp-mail-smtp-en_US.mo) is not within the allowed path(s): (C:/Inetpub/vhosts/domain.com\;C:\Windows\Temp\) in C:\Inetpub\vhosts\domain.com\staging.domain.com\wp-includes\l10n.php on line 584

    Good luck, unfortunately I can’t use WP Mail SMTP or recommend it to my clients as it’s a security issue to set open_basedir to none (disable).

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Slava Abakumov

    (@slaffik)

    Hi @ramseyb

    It’s due to the use of the PHP default function is_readable() that checks that file exists AND is readable before attempting to read it. file_exists() usage may fix this issue, but it doesn’t guarantee that the file is readable.

    For your particular setup, it means that you have incorrect values in open_basedir value.

    I do not say disable it, I say – provide there correct values.

    Also, I see that the error is actually in WordPress itself, and not in a plugin. Check this:

    in C:\Inetpub\vhosts\domain.com\staging.domain.com\wp-includes\l10n.php on line 584

    So it’s definitely an issue in a server configuration, and not in a plugin itself.

    Also, your custom translation file (wp-mail-smtp-en_US.mo) is better to place in /wp-content/languages/plugins/, so next WP Mail SMTP plugin update won’t remove your files.

    ramseyb

    (@ramseyb)

    Thanks for the reply Slava,

    I’ve tested WP Mail SMTP on a couple of other websites and it throws the same PHP warnings the minute it’s enabled. This does not happen with any other plugs or an alternative SMTP plugin.

    The issue maybe correlated to the Plesk Onyx WordPress Tool Kit as each website was install with this tool. The issue seems to be a restriction on .mo file extension.

    Path…\wp-includes\l10n.php on line 584

    Code on Line 584
    if ( !is_readable( $mofile ) ) return false;

    ===

    Additionally, wp-mail-smtp-en_US.mo does not exist at the given path or when I download WP Mail SMTP package directly from https://wordpress.org/plugins/wp-mail-smtp/

    Path …\wp-content\plugins\wp-mail-smtp/languages/wp-mail-smtp-en_US.mo

    ===

    Hopefully, your able to get this resolved, the plugin works great other then this issue.

    • This reply was modified 10 months ago by  ramseyb.
    Plugin Author Slava Abakumov

    (@slaffik)

    There is nothing to fix in a plugin. The issue is with server configuration. The error appears NOT in a plugin file but in \wp-includes\l10n.php with the use of is_readable() function. You better fix the rules for open_basedir config in php.ini.

    This does not happen with any other plugs or an alternative SMTP plugin.

    That’s just because they are perhaps loading manually the translation files, while we are using WordPress built-in autoloading techniques for translations.

    You can also remove en_US locale from your wp-config.php file (or admin area). WordPress itself is already using US version of English, so no real value in settings site language to this locale.

    ramseyb

    (@ramseyb)

    Thanks for the reply, I’ll have Plesk look into the issue as you’re telling me this is a server wide miss configuration.

    Hi Slava,

    Below is the reply from Plesk, which path would I add to the open_basedir directive to mitigate the PHP Warning and resolve this issue? As noted, it’s not an option to disable (set to none) open_basedir.

    === Plesk Reply ===

    Yes, if the open_basedir option is set to “none” PHP scripts have access to all directories on the server.

    Also as was mentioned by my colleague, if the code will be compromised and open_basedir is set to “none” value, this will lead to the bigger damage.

    I reproduced the issue in my test environment with “WP Mail SMTP plugin” and also get the following error after mail sending:

    PHP Warning: is_readable(): open_basedir restriction in effect. File(C:\Inetpub\vhosts\plesk888.com\httpdocs/wp-content/plugins/C:\Inetpub\vhosts\plesk888.com\httpdocs\wp-content\plugins\wp-mail-smtp/languages/wp-mail-smtp-en_US.mo) is not within the allowed path(s): (C:\) in C:\Inetpub\vhosts\plesk888.com\httpdocs\wp-includes\l10n.php on line 584
    From the error above I can conclude that the path duplicates itself, which is not correct.

    For further investigation I recommend you to contact “WP Mail SMTP” plugin developers and clarify which path is supposed to be added to the PHP directive. They are experts in this product and will help you to resolve the issue effectively and in short time.

    Best regards,
    Ivan Kamnev
    Technical Support Engineer
    Plesk

    ===

    Thanks, Ramsey

    Hi Slava,

    Below are the extra steps necessary to mitigate the PHP Warning caused by WP Mail SMTP, without disable (setting to none) open_basedir, which is a security concern. If you’re able to supply me with a open_basedir directive that would be great.

    Because of inconsistency absolute path to the WordPress plugin localization .mo file is concatenated with the path to the plugin directory and, as result, restricted by open_basedir PHP parameter.

    To resolve the issue install the Loco Translate plugin and created a wp-mail-smtp-en_US.po file via the plugin. Place the wp-mail-smtp-en_US.mo file in the /languages/plugins/ directory.

    Good luck resolving the issue, Ramsey

    • This reply was modified 9 months, 3 weeks ago by  ramseyb.
    Plugin Author Slava Abakumov

    (@slaffik)

    I can’t do that, as I don’t know details of your server configuration, and I have never worked with Windows-based servers.
    I can just google (the same as you):
    https://stackoverflow.com/questions/12546012/open-basedir-restriction-in-effect-but-file-is-in-the-correct-dir
    https://stackoverflow.com/questions/12546012/open-basedir-restriction-in-effect-but-file-is-in-the-correct-dir

    Check in open_basedir correct delimiters, quotes, slashes (shouldn’t they be \?) etc.

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘PHP Warning – open_basedir security issue’ is closed to new replies.