[Plugin: Login Security Solution] Errors while attempting to reset password

  • Resolved Coatastic

    (@coatastic)


    I received an email telling me that my site was under attack. When I next logged in, I was forced to reset my password via email. After clicking on the link in the email and choosing a new password, I get the following error when clicking on the reset password button:

    Warning: exec() has been disabled for security reasons in /home/ ... /plugins/login-security-solution/login-security-solution.php on line 1384
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 697
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 698
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 699
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 700
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 701
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 702
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 705
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 706
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 707
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 708
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 711
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 712
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 713
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 714
    
    Warning: Cannot modify header information - headers already sent by (output started at /home/ ... /plugins/login-security-solution/login-security-solution.php:1384) in /home/ ... /wp-includes/pluggable.php on line 881

    http://wordpress.org/extend/plugins/login-security-solution/

Viewing 13 replies - 1 through 13 (of 13 total)
  • Plugin Author Daniel Convissor

    (@convissor)

    Hi Coatastic:

    You have safe_mode and display_errors on in your php.ini.

    First, basic security protocols dictate that display_errors should be off.

    Second, safe_mode is deprecated and has been removed in PHP 5.4, so should not be used.

    –Dan

    I agree with Dan and his statements above.

    As a side note; Dan:

    Could you not code around these issues by changing the code in the following form, from this:

    protected function is_pw_dict_program($pw) {
        if ($this->available_dict === false) {
            return null;
        }

        $term = escapeshellarg($pw);
        exec("dict -m -s exact $term 2>&1", $output, $result);
        if (!$result) {
            return true;
        } elseif ($result == 127) {
            $this->available_dict = false;
            return null;
        }
        return false;
    }

    To this:

    protected function is_pw_dict_program($pw) {
        if ($this->available_dict === false) {
            return null;
        }

        $term = escapeshellarg($pw);
        // Initialise the result with an error value.
        $result = 127;
        // Suppress errors with "@"
        @exec("dict -m -s exact $term 2>&1", $output, $result);
        if (!$result) {
            return true;
        } elseif ($result == 127) {
            $this->available_dict = false;
            return null;
        }
        return false;
    }

    Obviously this would need to be done in both is_pw_dictionary__grep and is_pw_dict_program.

    Cheers,
    Dean.

    Thread Starter Coatastic

    (@coatastic)

    Thanks for your quick response. I’m not very well versed in php… Is this something that I would be able to fix easily? I’m not even sure where the php.ini is located.

    Plugin Author Daniel Convissor

    (@convissor)

    Hi Coatastic: Check your web host’s documentation and/or customer service department. Use search engines for any remaining questions. –Dan

    Plugin Author Daniel Convissor

    (@convissor)

    I just committed a change that will skip the exec() calls if safe_mode is on. It will be in the next release, 0.34.0, whenever that comes out.

    Dean: For future reference, pre-setting $result was unnecessary in my tests (PHP 5.2 on a Linux box).

    Nice one Dan.

    FYI: I did a quick search on the topic; it seems not only safe mode can cause the issue.

    Hosting providers can choose to disable the exec function.

    I thought the following was a nice snippet for testing:
    http://stackoverflow.com/a/8094814

    Note: I haven’t reviewed your code changes; they may well do this already.

    Plugin Author Daniel Convissor

    (@convissor)

    Dean:

    Great catch! Turns out the error Coatastic is seeing is from the disable_functions ini setting. I adjusted this plugin’s code accordingly and pushed it to Github.

    Also, thanks for the inspiration to finally sign up for a Stack Overflow account. I took the function from here and copied it to a new answer on that thread (upvote! :)).

    Thanks,

    –Dan
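
The check discussed above, as an added example that is not the plugin's code nor the Stack Overflow function mentioned in the thread: it tests for safe_mode and disable_functions before calling exec(), so no warning is emitted and the password-reset redirect headers can still be sent. The function names `exec_is_available()` and `pw_in_dict()` are hypothetical.

```php
<?php
// Added example, not the plugin's code; both function names are hypothetical.

/** True only when exec() can be called without PHP raising a warning or error. */
function exec_is_available()
{
    static $available = null;
    if ($available !== null) {
        return $available;
    }
    // PHP 8+ treats disabled functions as undefined, so this catches them there.
    if (!function_exists('exec')) {
        return $available = false;
    }
    // safe_mode only exists before PHP 5.4; ini_get() returns false once it is gone.
    // Treat it as "unavailable", as the fix described in this thread does.
    $safe = strtolower(trim((string) ini_get('safe_mode')));
    if (in_array($safe, array('1', 'on', 'yes', 'true'), true)) {
        return $available = false;
    }
    // Older PHP: disable_functions is a comma-separated list, spaces allowed,
    // and function names are case-insensitive.
    $list = strtolower((string) ini_get('disable_functions'));
    $disabled = array_map('trim', explode(',', $list));
    return $available = !in_array('exec', $disabled, true);
}

/**
 * Dictionary lookup guarded by the check above.
 * Returns true (word found), false (not found) or null (could not check).
 */
function pw_in_dict($pw)
{
    if (!exec_is_available()) {
        return null; // no exec() call is made, so no warning reaches the page
    }
    $output = array();
    $result = 127;
    exec('dict -m -s exact ' . escapeshellarg($pw) . ' 2>&1', $output, $result);
    if ($result === 0) {
        return true;
    }
    return $result === 127 ? null : false; // 127: the shell could not find dict
}

var_dump(exec_is_available());
```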

    Dan:

    Excellent work, up-voted 🙂

    Cheers,
    Dean.

    Plugin Author Daniel Convissor

    (@convissor)

    The new release, 0.34.0, is now out and has this fix in it. Coatastic, when you get a moment, I would appreciate it if you can rate the plugin and provide a “works” vote for the new release.

    I have exactly the same problem. As for the solution mentioned:

    “You have safe_mode and display_errors on in your php.ini. First, basic security protocols dictate that display_errors should be off. Second, safe_mode is deprecated and has been removed in PHP 5.4, so should not be used.”

    I have no idea how to do this. I am using doteasy hosting. I have googled this to no avail. I have now been locked out of my website for over a week and have no idea how to get back into it 🙁 I can get into it via FTP but cannot see a php.ini file anywhere.

    Any advice / direction much appreciated.

    Elaine.

    Thread Starter Coatastic

    (@coatastic)

    If you can access your files via FTP or a cPanel, just delete the folder for this plugin in wp-content/plugins.

    Plugin Author Daniel Convissor

    (@convissor)

    Elainehh:

    1) If you are seeing the errors mentioned in this post, you’re not using the latest version of the plugin. Please upgrade the plugin to version 0.34.0.

    2) The bug in question just makes a mess on your screen; it doesn’t prevent you from logging in. Anyway, if you still can’t get in, you can download the latest version of the plugin to your personal computer, unzip it, then upload those files to your web server via SFTP.

    3) Ask your ISP how to adjust your php.ini settings.

    –Dan

    Thank you. I deleted the plugin files via FTP, then logged in fine & now have the new version of the plugin set up.

    Thanks for stopping my website being hacked! 🙂
    Elaine.
