• Ov3rfly

    (@ov3rfly)


    ThreeWP Activity Monitor Version 2.3

    Bug 1: WordPress tried to log in ..

    Some people have already seen the activity “WordPress tried to log in ..” in their log, with an empty ?user_id= in the URL.

    This happens if a non-existing username is entered at login.

    ThreeWP Activity Monitor does not check if the username is valid or not. It always uses the ID property of the $user_data object (even if the object does not exist) or assumes $current_user would always exist.

    Lines 566, 578:

    $user_data = get_userdatabylogin( $username );
    ...
    $this->sql_stats_increment( $user_data->ID, 'login_failure' );

    Lines 997, 1001, 1021, …

    global $current_user;
    ...
    $user_id = $current_user->ID;				// Convenience
    ...
    $replacements[ '%user_login%' ] = $current_user->user_login;

    The code should be enhanced with error-checking to detect invalid usernames…

    Bug 2: Undefined index: REMOTE_HOST

    The variable $_SERVER['REMOTE_HOST'] is used without error-checking. Many servers do not support this variable, see also the note at php.net: “Your web server must be configured to create this variable. For example in Apache you’ll need HostnameLookups On inside httpd.conf for it to exist.”

    Line 1017:

    '%server_http_remote_host%' => $_SERVER['REMOTE_HOST'],

    Suggested fix:

    '%server_http_remote_host%' => (isset($_SERVER['REMOTE_HOST'])) ? $_SERVER['REMOTE_HOST'] : @gethostbyaddr($_SERVER['REMOTE_ADDR']),

    Same problem occurs in lines 1365, etc.

    https://www.ads-software.com/extend/plugins/threewp-activity-monitor/
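
An added example (not part of the original post and not the plugin's code): one way to do the error-checking both bugs call for, written in plain PHP so it runs outside WordPress. `lookup_user()`, `failed_login_record()` and the sample data are hypothetical; inside the plugin the lookup would be WordPress's `get_user_by( 'login', $username )`, which returns `false` for an unknown name.

```php
<?php
// Added example; not the plugin's code. Names and sample data are hypothetical.

// Stand-in for the WordPress user lookup: returns a user object or false.
function lookup_user( $username, array $users ) {
    return isset( $users[ $username ] ) ? $users[ $username ] : false;
}

// Build a failed-login log record without dereferencing a missing user
// (Bug 1) and without reading an unset REMOTE_HOST (Bug 2).
function failed_login_record( $username, $user, array $server ) {
    $known = is_object( $user ) && isset( $user->ID );

    // Keep the attempted name for the log, minus control characters and
    // capped in length, so an unknown name is visible but cannot forge lines.
    $attempted = preg_replace( '/[\x00-\x1F\x7F]/', '', (string) $username );
    $attempted = substr( $attempted, 0, 60 );

    $addr = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';
    if ( isset( $server['REMOTE_HOST'] ) ) {
        $host = $server['REMOTE_HOST'];
    } else {
        // The post falls back to gethostbyaddr(); this sketch uses the
        // address itself so it runs offline.
        $host = ( false !== filter_var( $addr, FILTER_VALIDATE_IP ) ) ? $addr : 'unknown';
    }

    return array(
        'user_id'         => $known ? (int) $user->ID : null,
        'attempted_login' => $attempted,
        'remote_addr'     => $addr,
        'remote_host'     => $host,
        // Only increment per-user failure statistics for a real account.
        'count_for_user'  => $known,
    );
}

// Constructed sample data: one real account, a server without REMOTE_HOST.
$users  = array( 'alice' => (object) array( 'ID' => 7, 'user_login' => 'alice' ) );
$server = array( 'REMOTE_ADDR' => '192.0.2.10' );

foreach ( array( 'alice', "nobody\r\nforged entry" ) as $name ) {
    print_r( failed_login_record( $name, lookup_user( $name, $users ), $server ) );
}
```

For the unknown name the record carries a null `user_id` and the cleaned `attempted_login`, so the log can show which name was tried instead of an empty `?user_id=`.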

Viewing 5 replies - 1 through 5 (of 5 total)
  • Fixed in next version (2.5)

    Hi.

    I have version 2.5 and am still seeing the “WordPress tried to log in…” messages. Was that changed or is the “Fixed in next version (2.5)” post only referring to the 2nd bug?

    Thanks.

    I also have version 2.5 and I still get the “WordPress tried to login..” message.

    Also, it’s not possible for me to not show the passwords except for changing the code which I found somewhere on the web..

    Maximum length of passwords to show when logging failed logins. Set to 0 to disable logging of failed passwords.

    Mine is set to 0 and I can still see all passwords…

    Running 2.5 here and seeing “WordPress tried to login…” when an invalid user id is used.

    I would really like to see the invalid user id.

    Thanks!

    Fixed in next version.

  • The topic ‘[Plugin: ThreeWP Activity Monitor] Bugs: 'WordPress tried to..' and REMOTE_HOST’ is closed to new replies.