• Resolved ziegel

    (@ziegel)


    Hi,

    1) POST /wp-admin/admin-ajax.php
    I have a problem where, on clicking Login from Plesk WordPress Toolkit, I am forwarded to a special WordPress login page managed by the ‘miniOrange 2 Factor Authentication’ MFA.
    There I enter the MFA code, and am transferred to the WordPress Admin Panel.
    When Ninja FireWall is turned On, I get a 403 error for (log attached):

    POST /wp-admin/admin-ajax.php

    When it’s turned Off, a cron runs instead of it, and then the admin panel is served.

    2) Wp-config.php not seen by wp-check.php
    Running wp-check.php I get the below results, where the existing wp-config is not presented (the browser gets a 500 error at some stage). My IP is whitelisted for it in .htaccess.

    3) Plugin cannot be activated via Plesk WP Toolkit
    On Plesk WordPress Toolkit, the Ninja FW can be deactivated, but not activated.

    Security tools on server include:
    .htaccess file
    ModSecurity
    Plesk WP Toolkit Security
    Ninja FireWall
    Plesk IP FireWall

    Can you please help me find out how to fix the above errors?

    wp-check.php results are:

    
    NinjaFirewall (WP edition) troubleshooter
    HTTP server	:	Apache
    PHP version	:	7.4.26
    PHP SAPI	:	FPM-FCGI
     	 	 
    auto_prepend_file			:	/var/www/vhosts/example.com/httpdocs/wp-content/nfwlog/ninjafirewall.php
    Loader's path to firewall		:	/var/www/vhosts/example.com/httpdocs/wp-content/plugins/ninjafirewall/lib/firewall.php
    .htninja				:	found in /var/www/vhosts/example.com/.htninja
    

    And the log file, where the 403 error takes place, looks like this:

    
    2021-12-19 21:59:56	Access	<server-ip>	200	POST /wp-cron.php?doing_wp_cron=1639943996.6477580070495605468750 HTTP/1.0	https://example.com/wp-cron.php?doing_wp_cron=1639943996.6477580070495605468750	WordPress/5.8.2; https://example.com	935	Apache SSL/TLS access
    2021-12-19 21:59:58	Access	<client-ip>	200	POST /wp-login.php HTTP/1.0	https://plesk.example.com:8443/	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 OPR/82.0.4227.33	3.38 K	Apache SSL/TLS access
    2021-12-19 22:00:10	Access	<client-ip>	302	POST /wp-login.php HTTP/1.0	https://example.com/wp-login.php	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 OPR/82.0.4227.33	1.83 K	Apache SSL/TLS access
    2021-12-19 22:00:11	Error	<server-ip>	403	POST /wp-admin/admin-ajax.php HTTP/1.0	https://example.com/wp-admin/admin-ajax.php	WordPress/5.8.2; https://example.com	1.04 K	Apache SSL/TLS access

    Thread Starter ziegel

    (@ziegel)

    Note: I don’t have WordPress AJAX turned On; however, when the NFW plugin is activated I see the 403 POST /wp-admin/admin-ajax.php error, and when the plugin is deactivated, I don’t.

    Thread Starter ziegel

    (@ziegel)

    Hi,

    To my understanding, the wp-check file you provide is broken for the situation where wp-config is NOT found by the check tool: instead of reporting that it was not found, the report breaks with a 500 error on the code component where wp-config should be reported:

    https://nintechnet.com/share/wp-check.txt

    The end of this code can be found to be broken for the situation where wp-config is neither in the IF nor in the ELSE IF:

    
    <tr class="tdb">
    	<th width="30%">wp-config.php</th>
    	<td>:</td>
    	<td>
    	<?php
    	if ( file_exists( __DIR__ . '/wp-config.php' ) ) {
    		$wp_config = __DIR__ . '/wp-config.php';
    		echo 'found in '. $wp_config;
    	} elseif ( file_exists( dirname( __DIR__ ) . '/wp-config.php' ) ) {
    		$wp_config = dirname( __DIR__ ) . '/wp-config.php';
    		echo 'found in '. $wp_config;
    	} else {
    		echo '<font color="red">Error: cannot find your wp-config.php file</font>';
    		echo '</td></tr></table></body></html>';
    		exit;
    	}
    	?>
    	</td>
    </tr>
    <?php
    if ($wp_config) {
    	@include($wp_config);
    }
    ?>
    <tr>
    
    Plugin Author nintechnet

    (@nintechnet)

    Is there anything in the firewall’s log (NinjaFirewall > Logs) that is related to that blocked AJAX request?

    Thread Starter ziegel

    (@ziegel)

    Hi,

    First let me share with you that the INCLUDE on wp-check.php lines 139 and 163 broke the code, and only when uncommenting it did I get the below report:

    
    NinjaFirewall (WP edition) troubleshooter
    HTTP server	:	Apache
    PHP version	:	7.4.26
    PHP SAPI	:	FPM-FCGI
     	 	 
    auto_prepend_file		:	/var/www/vhosts/example.com/httpdocs/wp-content/nfwlog/ninjafirewall.php
    Loader's path to firewall	:	/var/www/vhosts/example.com/httpdocs/wp-content/plugins/ninjafirewall/lib/firewall.php
    .htninja			:	found in /var/www/vhosts/example.com/.htninja
    wp-config.php			:	found in /var/www/vhosts/example.com/httpdocs/wp-config.php
    NinjaFirewall detection		:	NinjaFirewall WP Edition is loaded (Full WAF mode)
     	 	 
    Loaded INI file		:	/opt/plesk/php/7.4/etc/php.ini
    user_ini.filename	:	.user.ini
    user_ini.cache_ttl	:	300 seconds
    User PHP INI		:	.user.ini found -
     	 	 
    DOCUMENT_ROOT		:	/var/www/vhosts/example.com/httpdocs
    ABSPATH				:	Warning: cannot find the ABSPATH
    WordPress version	:	Warning: cannot find WordPress version
    
    

    My understanding is that Ninja FW has no access to the configuration file .htninja, nor to wp-config.php.

    May I ask what can be done to fix this?
    Is it an issue with ABSPATH?

    I saw nothing on the Plugin panel log related to the ajax.

    Thread Starter ziegel

    (@ziegel)

    Seems like Plesk Toolkit has the rule:

    
    #extension wp-toolkit begin
    # "Block unauthorized access to wp-config.php"
    # To remove this rule, revert this security measure on each WordPress installation on this domain
    <Files wp-config.php>
    		Require all denied
    </Files>
    

    This tool does not have whitelisting on it.

    What damages would it cause Ninja FW operations?

    BTW
    NFW can only be deactivated via WP Toolkit, but not activated from Plesk.

    Plugin Author nintechnet

    (@nintechnet)

    What code do you have in your .htninja? There may be an error.

    Thread Starter ziegel

    (@ziegel)

    Hi,

    I have the below code in it:

    
    <?php
    /*
     +=====================================================================+
     | NinjaFirewall optional configuration file                           |
     |                                                                     |
     | See: https://nintechnet.com/ninjafirewall/wp-edition/help/?htninja  |
     |                                                                     |
     +=====================================================================+
    */
    
    // Increase the size of the data written to the log
    define('NFW_MAXPAYLOAD', 300);
    
    // =======================================================
    // Single IPv4 and IPv6:
    $ip_array = array( 'single-ip' , 'single-ip' , 'single-ip' );
    if ( in_array( $_SERVER["REMOTE_ADDR"], $ip_array ) ) {
       // white list it:
       return 'ALLOW';
    }
    
    // =======================================================
    // CIDR (IPv4 **only**):
    $cidr_array = array( 'cidr-ip-range' , 'cidr-ip-range' , 'cidr-ip-range' );
    // Loop through the array:
    foreach ( $cidr_array as $cidr ) {
       // Check IP vs CIDR:
       if ( ipCIDRCheck( $_SERVER['REMOTE_ADDR'], $cidr ) ) {
          // IP matches, white list it:
          return 'ALLOW';
       }
    }
    function ipCIDRCheck( $IP, $CIDR ) {
       list ( $subnet, $bits ) = explode( '/', $CIDR );
       $ip = ip2long( $IP );
       $subnet = ip2long( $subnet );
       $mask = -1 << ( 32 - $bits );
       $subnet &= $mask;
       return ( $ip & $mask ) == $subnet;
    }
    // =======================================================
    
    // To tell NinjaFirewall where you moved your WP config file,
    // use the '$wp_config' variable :
    // ** NOTE: Deprecated since NinjaFirewall 3.0.1 **
    // $wp_config = '/foo/bar/wp-config.php';
    
    // Users of Cloudflare CDN:
    // if (! empty($_SERVER["HTTP_CF_CONNECTING_IP"]) &&
    //    filter_var($_SERVER["HTTP_CF_CONNECTING_IP"], FILTER_VALIDATE_IP) ) {
    // 	$_SERVER["REMOTE_ADDR"] = $_SERVER["HTTP_CF_CONNECTING_IP"];
    // }
    
    // Users of Incapsula CDN:
    // if (! empty($_SERVER["HTTP_INCAP_CLIENT_IP"]) &&
    //    filter_var($_SERVER["HTTP_INCAP_CLIENT_IP"], FILTER_VALIDATE_IP) ) {
    // 	$_SERVER["REMOTE_ADDR"] = $_SERVER["HTTP_INCAP_CLIENT_IP"];
    // }
    
    // Whitelist/blacklist whatever you want:
    //
    // Return codes:
    // 	'ALLOW' == Allow and stop filtering (whitelist).
    // 	'BLOCK' == Reject immediately (blacklist).
    //
    // Any other return code will be ignored
    //
    // Note that if you use 'ALLOW'/'BLOCK', nothing will be written
    // to the firewall log.
    
    // Whitelist single IP 1.2.3.4:
    // if ( $_SERVER["REMOTE_ADDR"] == '1.2.3.4' ) {
    // 	return 'ALLOW'; // whitelist
    // }
    
    // Whitelist SINGLE IPs 1.1.1.1, 2.2.2.2 and 3.3.3.3:
    //$ip_array = array( 'single-ip' , 'single-ip' , 'single-ip' );
    //if ( in_array( $_SERVER["REMOTE_ADDR"], $ip_array ) ) {
    //	return 'ALLOW'; // whitelist
    // }
    
    // Whitelist all IPs from 1.1.1.1 to 1.1.1.255:
    // if ( preg_match( '/^1\.1\.1\.\d+$/', $_SERVER["REMOTE_ADDR"] ) ) {
    // 	return 'ALLOW'; // whitelist
    // }
    
    // Blacklist single IP 1.2.3.4:
    // if ( $_SERVER["REMOTE_ADDR"] == '1.2.3.4' ) {
    // 	return 'BLOCK'; // blacklist
    // }
    
    // Blacklist IPs 1.1.1.1, 2.2.2.2 and 3.3.3.3:
    // $ip_array = array( '1.1.1.1' , '2.2.2.2' , '3.3.3.3' );
    // if ( in_array( $_SERVER["REMOTE_ADDR"], $ip_array ) ) {
    // 	return 'BLOCK'; // blacklist
    // }
    
    // Blacklist all IPs from 1.1.1.1 to 1.1.1.255:
    // if ( preg_match( '/^1\.1\.1\.\d+$/', $_SERVER["REMOTE_ADDR"] ) ) {
    // 	return 'BLOCK'; // blacklist
    // }
    
    // Do not filter any HTTP request sent to a script located inside the /myfolder/ directory:
    // if (strpos($_SERVER['SCRIPT_FILENAME'], '/myfolder/') !== FALSE) {
    // 	return 'ALLOW';
    // }
    
    // Advanced filtering :
    // Block immediately a POST request if it contains a 'whatever' variable
    // sent to a script named 'script.php' :
    // if ( isset($_POST['whatever']) && strpos($_SERVER['SCRIPT_NAME'], 'script.php') !== FALSE ) {
    // 	return 'BLOCK';
    // }
    
    // do not add anything below this line.
    
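As an added example (not from the post above and not NinjaFirewall's own code): the `ipCIDRCheck()` in that .htninja is IPv4-only and throws on a prefix longer than 32. This replacement matches IPv4 and IPv6 ranges byte-wise via `inet_pton()` and fails closed on malformed input; the function name `nfw_cidr_match` and the `$trusted_ranges` values are hypothetical placeholders.

```php
<?php
// Added example, not from the original post or from NinjaFirewall itself:
// a CIDR matcher for .htninja that handles IPv4 and IPv6 via inet_pton().
// The function name and the $trusted_ranges values are hypothetical.

function nfw_cidr_match( string $ip, string $cidr ): bool {
    // A bare address is treated as a host route (/32 or /128).
    if ( strpos( $cidr, '/' ) === false ) {
        $cidr .= ( strpos( $cidr, ':' ) !== false ) ? '/128' : '/32';
    }
    list( $net, $bits ) = explode( '/', $cidr, 2 );

    $ip_bin  = @inet_pton( $ip );
    $net_bin = @inet_pton( $net );
    // Fail closed on malformed input or a mixed IPv4/IPv6 comparison.
    if ( $ip_bin === false || $net_bin === false
         || strlen( $ip_bin ) !== strlen( $net_bin ) ) {
        return false;
    }
    $max = strlen( $ip_bin ) * 8; // 32 for IPv4, 128 for IPv6
    if ( ! preg_match( '/^\d{1,3}$/', $bits ) || (int) $bits > $max ) {
        return false; // invalid prefix length: never whitelist on bad config
    }
    $bits = (int) $bits;

    // Compare the whole bytes covered by the prefix, then the partial byte.
    $full = intdiv( $bits, 8 );
    if ( substr( $ip_bin, 0, $full ) !== substr( $net_bin, 0, $full ) ) {
        return false;
    }
    $rem = $bits % 8;
    if ( $rem === 0 ) {
        return true; // /0, /8, /16, ... or a full-length prefix
    }
    $mask = ( 0xFF << ( 8 - $rem ) ) & 0xFF;
    return ( ord( $ip_bin[ $full ] ) & $mask ) === ( ord( $net_bin[ $full ] ) & $mask );
}

// Constructed placeholder ranges; replace with the networks you actually trust.
// REMOTE_ADDR must be the real client address for this to be safe (see the
// CDN notes in the .htninja template).
$trusted_ranges = array( '203.0.113.0/24', '2001:db8::/32' );
foreach ( $trusted_ranges as $range ) {
    if ( nfw_cidr_match( $_SERVER['REMOTE_ADDR'] ?? '', $range ) ) {
        return 'ALLOW'; // whitelist: filtering stops and nothing is logged
    }
}
```

Because 'ALLOW' skips the firewall entirely and writes no log entry, keep the trusted list short and review it whenever the hosting or CDN setup changes.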
    Thread Starter ziegel

    (@ziegel)

    The failure of wp-check is on the line:

    include(dirname(getenv('DOCUMENT_ROOT') ) . '/.htninja');

    Thread Starter ziegel

    (@ziegel)

    Note:
    Line 139 syntax is WRONG.

    include(dirname(getenv('DOCUMENT_ROOT') ) . '.htninja');

    The slash that used to be there does NOT work on a server.

    Now I’m stuck with the newly shown error regarding wp-config.php:

    Error: cannot find your wp-config.php file.

    Can you make sure there are no additional errors in wp-check.php?

    Any suggestions regarding solving the wp-config.php no-access issue?

    Thread Starter ziegel

    (@ziegel)

    Ok, I have fixed things on server and managed to get all parameters including wp-config.

    Is there a special URI/search I can add to my server, to see that my IP is whitelisted, and that for others it would fall under an NFW rule? If so, may I ask what it is?

    Important:
    The syntax change required on line 139 of wp-check is important.
    wp-config can enjoy the following:

    Modified /var/www/vhosts/example.com/httpdocs/wp-config.php

    (Original)
    /** Absolute path to the WordPress directory. */
    if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');
    (Modified)
    /** Absolute path to the WordPress directory. */
    if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/var/www/vhosts/example.com/httpdocs');

    Modified open_basedir

    (Original)
    {WEBSPACEROOT}{/}{:}{TMP}{/}{:}/var/lib/php/sessions
    (Modified)
    {WEBSPACEROOT}{/}{:}{TMP}{/}{:}/var/lib/php/sessions{:}/var/www/vhosts/example.com/httpdocs/wp-content/plugins/ninjafirewall/lib

    Modified /var/www/vhosts/example.com/httpdocs/wp-content/nfwlog/ninjafirewall.php

    (Original)
    <?php
    // ===============================================================//
    // NinjaFirewall's loader. //
    // DO NOT alter or remove it as long as NinjaFirewall is running! //
    // ===============================================================//
    if ( file_exists('/wp-content/plugins/ninjafirewall/lib/firewall.php') ) {
    @include_once '/wp-content/plugins/ninjafirewall/lib/firewall.php';
    }
    // EOF
    
    (Modified WITHOUT the slash at the beginning)
    <?php
    // ===============================================================//
    // NinjaFirewall's loader. //
    // DO NOT alter or remove it as long as NinjaFirewall is running! //
    // ===============================================================//
    if ( file_exists('wp-content/plugins/ninjafirewall/lib/firewall.php') ) {
    @include_once 'wp-content/plugins/ninjafirewall/lib/firewall.php';
    }
    // EOF

    Or full links:

    /var/www/vhosts/example.com/httpdocs/wp-content/plugins/ninjafirewall/lib/firewall.php

    Relevant content of /var/www/vhosts/example.com/httpdocs/.user.ini

    ; BEGIN NinjaFirewall
    auto_prepend_file = "/var/www/vhosts/example.com/httpdocs/wp-content/nfwlog/ninjafirewall.php"
    ; END NinjaFirewall

    VERY IMPORTANT

    Restart Server

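The steps above touch three things that all have to line up: open_basedir, the auto_prepend_file loader, and the paths wp-check.php derives from DOCUMENT_ROOT. The following diagnostic is an added example (not from this thread and not part of NinjaFirewall) that reports, for each path in that chain, whether it sits inside open_basedir and is readable; the `$needed` paths assume the Plesk layout shown in the thread and the function names are hypothetical.

```php
<?php
// Added diagnostic, not part of the thread or of NinjaFirewall: reports whether
// each path the firewall chain needs is inside open_basedir and readable.
// Function names are hypothetical; $needed assumes the layout from the thread.

function nfw_inside_basedir( string $path, string $basedir ): bool {
    if ( $basedir === '' ) {
        return true; // no open_basedir restriction configured
    }
    // realpath() is itself subject to open_basedir and returns false outside it.
    $real = @realpath( $path );
    if ( $real === false ) {
        return false;
    }
    foreach ( explode( PATH_SEPARATOR, $basedir ) as $prefix ) {
        $prefix = rtrim( $prefix, DIRECTORY_SEPARATOR );
        if ( $prefix === '' ) {
            continue;
        }
        // Match on a directory boundary, not a bare string prefix.
        if ( $real === $prefix || strpos( $real, $prefix . DIRECTORY_SEPARATOR ) === 0 ) {
            return true;
        }
    }
    return false;
}

function nfw_path_report( array $paths ): array {
    $basedir = (string) ini_get( 'open_basedir' );
    $report  = array();
    foreach ( $paths as $label => $path ) {
        $inside = nfw_inside_basedir( $path, $basedir );
        $report[ $label ] = array(
            'inside_open_basedir' => $inside,
            'readable'            => $inside && is_readable( $path ),
        );
    }
    return $report;
}

// A trailing slash on DOCUMENT_ROOT (as discussed in the thread) is tolerated.
$docroot = rtrim( (string) getenv( 'DOCUMENT_ROOT' ), '/' );
$needed  = array(
    'loader'    => $docroot . '/wp-content/nfwlog/ninjafirewall.php',
    'firewall'  => $docroot . '/wp-content/plugins/ninjafirewall/lib/firewall.php',
    'htninja'   => dirname( $docroot ) . '/.htninja', // one level above the docroot
    'wp-config' => $docroot . '/wp-config.php',
);
foreach ( nfw_path_report( $needed ) as $label => $r ) {
    printf( "%-10s %-12s %s\n", $label, $r['inside_open_basedir'] ? 'in-basedir' : 'OUTSIDE',
            $r['readable'] ? 'readable' : 'unreadable' );
}
```

Run it as the same PHP-FPM user and PHP version the site uses (the Plesk php.ini and .user.ini shown above apply only there), so the open_basedir value it reads is the one the firewall actually runs under.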
    Plugin Author nintechnet

    (@nintechnet)

    There’s a problem with your server configuration.
    What does the PHP echo getenv('DOCUMENT_ROOT'); return?

    Thread Starter ziegel

    (@ziegel)

    To the best of my understanding, what seems to me to be the forcing of a trailing slash in:

    # var/www/vhosts/system/example.com/conf/httpd_ip_default.conf

    which is placed even before the Toolkit section begins, seems to make Ninja FW’s ‘include’ fail, unless the plugin slash is removed.

    <IfModule mod_rewrite.c>
    		RewriteEngine On
    		RewriteCond %{HTTP_HOST} ^www\.currenge\.com$ [NC]
    		RewriteRule ^(.*)$ https://currenge.com$1 [L,R=301]
    </IfModule>
    Thread Starter ziegel

    (@ziegel)

    Hi,

    I assume it already ends with a slash due to a server security directive…

    Thread Starter ziegel

    (@ziegel)

    After adjusting basedir and filepath as above, there was no more need for the adjustment of the slash.

    You were about the:

    dirname(getenv('DOCUMENT_ROOT') ) . '/.htninja'

    returning:

    /var/www/vhosts/example.com/.htninja

    without the removal of the slash.

    Thread Starter ziegel

    (@ziegel)

    Hi,

    It seems like PHP include() behaves differently, according to OS.

    On Ubuntu Unix, the echo would show the slash; HOWEVER, the include already adds it on its own, thus the file name should be without a slash.

    https://www.php.net/manual/en/function.include.php

  • The topic ‘/wp-admin/admin-ajax.php Error on WP Signin, and wp-config.php not seen by NFW w’ is closed to new replies.