• In the WP logs I get the following 3 warnings for the plugin over and over again.
    Environment:

    • WP: 6.1.1
    • PHP: 8.0.28
    • Plugin: 1.7.0
    • Trying to access array offset on value of type bool
    1. wp-content/plugins/wp-server-stats/wp-server-stats.php:249
    2. wp_server_stats->check_server_location()
      wp-content/plugins/wp-server-stats/wp-server-stats.php:663
    3. wp_server_stats->dashboard_output()
      wp-admin/includes/template.php:1409
    4. do_meta_boxes()
      wp-admin/includes/dashboard.php:274
    5. wp_dashboard()
      wp-admin/index.php:203
    1. wp-content/plugins/wp-server-stats/wp-server-stats.php:239
    2. file_get_contents()
      wp-content/plugins/wp-server-stats/wp-server-stats.php:239
    3. wp_server_stats->check_server_location()
      wp-content/plugins/wp-server-stats/wp-server-stats.php:663
    4. wp_server_stats->dashboard_output()
      wp-admin/includes/template.php:1409
    5. do_meta_boxes()
      wp-admin/includes/dashboard.php:274
    6. wp_dashboard()
      wp-admin/index.php:203
    • file_get_contents(): https:// wrapper is disabled in the server configuration by allow_url_fopen=0
    1. wp-content/plugins/wp-server-stats/wp-server-stats.php:239
    2. file_get_contents()
      wp-content/plugins/wp-server-stats/wp-server-stats.php:239
    3. wp_server_stats->check_server_location()
      wp-content/plugins/wp-server-stats/wp-server-stats.php:663
    4. wp_server_stats->dashboard_output()
      wp-admin/includes/template.php:1409
    5. do_meta_boxes()
      wp-admin/includes/dashboard.php:274
    6. wp_dashboard()
      wp-admin/index.php:203
Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author iSaumya

    (@isaumya)

    Hi @toxicum,
    Looking at the log that you have shared, I think this is happening because at the server level you/hosting company has disabled accessing https:// URLs as it is not https://. But do note that this is an API request which needs to happen over HTTP instead of HTTPS as the API doesn’t allow HTTPS service for free.

    So, as it says here: file_get_contents(): https:// wrapper is disabled in the server configuration by allow_url_fopen=0

    So, please contact your hosting company and ask them to allow that.

    Thread Starter toxicum

    (@toxicum)

    Is there a possibility to disable server location lookup at all?
    Or switch to another solution, like https://ipstack.com or using local MaxMind2 db?

    • This reply was modified 1 year, 9 months ago by toxicum.
    Plugin Author iSaumya

    (@isaumya)

    Hi @toxicum,
    Switching provider is not possible. Moreover this server configuration you have, it is specific to you. I have not seen this configuration in most servers and web hosts.

    To disable the feature you can edit the plugin code. Open and edit the wp-server-stats.php file, go to line no. 663 and delete that line. Here’s a screenshot: https://i.imgur.com/OIgDY8j.jpeg

    Then save the plugin file and use it.

    Thread Starter toxicum

    (@toxicum)

    What about using https://ipstack.com??

    Thread Starter toxicum

    (@toxicum)

    Using http might also be a security risk, as you do not sanitize the output of check_server_location() and directly output the contents of the function. As it is http, MITM-Attacks can happen.

    Plugin Author iSaumya

    (@isaumya)

    Hi @toxicum,
    IP Stack has a much lower API call limit for free users, and users also need to create an account, get an API key and do many other things to get the data. MITM attacks are not going to happen with these API requests as these requests don’t hold any personal data. It’s a simple API call and nothing to sanitize there. Besides, the responses that are being received from the API are simply getting printed and not being used for any execution.

    Finally if you wish to use HTTPS you can always get the pro version of IP API (https://members.ip-api.com/#pricing) and enter your API key in the plugin settings. As soon as you put your API key in the plugin settings, the API calls will auto switch to HTTPS as it is allowed for pro users.

    Thread Starter toxicum

    (@toxicum)

    I disagree here. If a MITM attack occurs and one injects e.g. javascript contents, the admin possibly gets compromised.

    Plugin Author iSaumya

    (@isaumya)

    Hi @toxicum,
    Yes, I do agree with you slightly here. But in order to do that they literally have to read the plugin code first to see which array keys we are accessing and then pass JS to those array keys. Simply returning JS won’t work, as the plugin accesses very specific array keys and does not take the entire response and print it. But just to be super cautious, I will add some escaping to those specific sections and push an update.

    Plugin Author iSaumya

    (@isaumya)

    Released v1.7.1 with added escaping of the IP API data

    Thread Starter toxicum

    (@toxicum)

    “But in order to do that they literally have to read the plugin code first to see which array keys we are accessing”

    Thanks, you fixed it, but the statement I think is questionable. Your code is readable by everyone, so an attacker can read it easily (as I did). Maybe it is a mindset thing? For me, safe coding is the highest priority.

    • This reply was modified 1 year, 8 months ago by toxicum.
  • The topic ‘url_fopen errors in log’ is closed to new replies.
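
The two points debated in this thread, a fetch that returns false and remote data printed into the admin dashboard, shown as an added example that is not the plugin's code and not part of any reply. The function names and the `city` / `countryCode` fields are assumptions made for illustration, and the sample bodies are constructed.

```php
<?php
// Added example: hypothetical helpers; the field names are assumed, not taken from the plugin.

/**
 * Decode a geolocation API body and keep only the expected string fields.
 * Returns null when the fetch failed (false) or the body is not the expected JSON.
 */
function parse_location(string|false $body): ?array
{
    if ($body === false) {          // file_get_contents() returns false on failure
        return null;
    }
    $data = json_decode($body, true);
    if (!is_array($data)) {         // not JSON, or not an object/array
        return null;
    }
    $out = [];
    foreach (['city', 'countryCode'] as $key) {
        if (!isset($data[$key]) || !is_string($data[$key])) {
            return null;            // missing key or unexpected type
        }
        $out[$key] = $data[$key];
    }
    return $out;
}

/** Render the location for an HTML page, escaping every remote value. */
function render_location(?array $loc): string
{
    if ($loc === null) {
        return 'Location unavailable';
    }
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return htmlspecialchars($loc['city'], $flags, 'UTF-8')
        . ', ' . htmlspecialchars($loc['countryCode'], $flags, 'UTF-8');
}

// Constructed sample bodies: a normal reply, a reply altered in transit, a failed fetch.
$samples = [
    '{"city":"Berlin","countryCode":"DE"}',
    '{"city":"<script>alert(1)</script>","countryCode":"DE"}',
    false,
];
foreach ($samples as $body) {
    echo render_location(parse_location($body)), PHP_EOL;
}
```

Inside WordPress, `esc_html()` is the usual call for the escaping step, and `wp_remote_get()` with `is_wp_error()` is WordPress's own HTTP API for the fetch.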