
Ignore invalid requests to prevent error messages

Open mqudsi opened this issue 5 years ago • 6 comments

For some invalid requests served by WordPress, probably caused by bots or script kiddies attempting to load random PHP files directly thereby bypassing the WordPress stack, QM was causing warnings/errors to be logged when it attempted to access DB vars that weren't defined:

[21-May-2020 18:57:18 UTC] PHP Warning:  Use of undefined constant DB_HOST - assumed 'DB_HOST' (this will throw an Error in a future version of PHP) in /var/www/neosmart.net/wordpress/wp-content/plugins/query-monitor/wp-content/db.php on line 139
[21-May-2020 18:57:18 UTC] PHP Stack trace:
[21-May-2020 18:57:18 UTC] PHP   1. {main}() /var/www/neosmart.net/wordpress/wp-admin/setup-config.php:0
[21-May-2020 18:57:18 UTC] PHP   2. require() /var/www/neosmart.net/wordpress/wp-admin/setup-config.php:33
[21-May-2020 18:57:18 UTC] PHP   3. require_wp_db() /var/www/neosmart.net/wordpress/wp-settings.php:126
[21-May-2020 18:57:18 UTC] PHP   4. require_once() /var/www/neosmart.net/wordpress/wp-includes/load.php:414

This patch aborts early if DB_USER (and, presumably, co.) are not defined.

mqudsi avatar May 21 '20 20:05 mqudsi
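The early abort described in the PR, written out as an added illustration of a guarded `wp-content/db.php` drop-in (this is example code, not Query Monitor's own file); the constant list and the `qm_example_` prefix are assumptions:

```php
<?php
/**
 * Example guard for a wp-content/db.php drop-in (added illustration, not Query Monitor's code).
 *
 * WordPress loads this file from require_wp_db() in wp-settings.php. In the stack trace above that
 * happens under wp-admin/setup-config.php, a code path where wp-config.php has not been loaded, so
 * ABSPATH exists but DB_HOST and friends do not. Naming an undefined constant there logs
 * "Use of undefined constant DB_HOST" on PHP 7 and throws an Error on PHP 8.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/**
 * Return true only when every database constant a custom wpdb needs is defined.
 *
 * @return bool
 */
function qm_example_db_constants_defined() {
	// Assumed list: the constants wp-config.php normally provides to wpdb.
	foreach ( array( 'DB_USER', 'DB_PASSWORD', 'DB_NAME', 'DB_HOST' ) as $constant ) {
		if ( ! defined( $constant ) ) {
			return false;
		}
	}
	return true;
}

// Abort the drop-in early on such requests. A bare `return` in an included file hands control back
// to require_wp_db(), which then falls through to the stock wpdb class instead of ours.
if ( ! qm_example_db_constants_defined() ) {
	return;
}

// Only now is it safe to reference the constants when instantiating a custom database class.
// (Replace QM_Example_DB with the real subclass of wpdb; it is a placeholder here.)
$wpdb = new QM_Example_DB( DB_USER, DB_PASSWORD, DB_NAME, DB_HOST );
```

Because the offending requests reach this file before wp-config.php, nothing in the drop-in itself can rely on those constants; checking `defined()` before every use is the only safe order.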

Thanks for the pull request Mahmoud. I'd love to know under what condition ABSPATH is defined but DB_USER and co are not.

Are you able to correlate the error logs with your access logs to identify the request that was used when this error was triggered?

johnbillion avatar May 22 '20 15:05 johnbillion

Yeah, I was hoping to get around to that but figured I’d file this ahead of time. It has a potential WP vulnerability feel to it.

mqudsi avatar May 22 '20 17:05 mqudsi

Found it. Script kiddy accessing /blog/wp-admin/setup-config.php?step=0. Reproduces at will.

mqudsi avatar May 22 '20 23:05 mqudsi

Thanks. I'll take a look. 👍

johnbillion avatar May 27 '20 13:05 johnbillion

Just a gentle check-in on my end. I updated the plugin to the latest release and this patch was unapplied as a result; wondering if you need anything more from me to land this in a release?

mqudsi avatar Sep 27 '20 02:09 mqudsi

Nope I just haven't gotten around to testing this thoroughly. I'll get to it soon! Thanks for the PR.

johnbillion avatar Sep 30 '20 13:09 johnbillion

This got implemented in 8ea0c40d700c7e016009f9d92b521f2975003654. Thanks again for the PR 👍 👍

johnbillion avatar Sep 08 '22 21:09 johnbillion

Thanks. I can delete our internal fork now! 😅

mqudsi avatar Sep 09 '22 18:09 mqudsi