skip to Main Content

I am currently creating a plugin for WordPress that will log errors in the admin area that may happen in a custom code. This log is not intended for PHP errors, which are already stored in debug.log.

It’s more to help find configuration errors, for example if I have a looper for posts and I expect the post image to be set. like:

    $post_img = get_the_post_thumbnail_url(123, 'full');

    if ($post_img == false)
    {
        my_error_log ('No featured image set for post 123');
    }

I’m showing this errors in a admin WP_List style so even editors could handle and solve such configuration errors.
Everything works great until i tried to catch $wpdb->last_error messages! Like:

    $query = $wpdb->query ('DDELETE FROM ' . $wpdb->postmeta . ' WHERE meta_key = "custom_meta";');
    if ($query === false)
    {
        my_error_log ('Failure in wpdb->query!<br><code>' . $wpdb->last_error .'</code>');
    }

The DELETE command is intentionally incorrect to generate an error message!

It is written correctly in the database with

Failure in wpdb-&gt;query!<br><code>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DDELETE FROM wpdev_postmeta WHERE meta_key = "custom_meta"' at line 1</code>

But if i want to show the errors in the WP_LIST while getting the errors with function prepare_items and $wpdb->get_results(‘SELECT * FROM wp_my_error_log ….
i only get a 404 error and nothing is displayed!

While searching the server error log files (the right one 😉 ) I found the following line:

> [:error] [pid 803349:tid 139870349313792] [client 123.XXX.XXX.XXX:0]
> ModSecurity: Access denied with code 404 (phase 4). Pattern match "You
> have an error in your SQL syntax; check the manual " at RESPONSE_BODY.
> [file "/etc/modsecurity/conf.d/11_asl_data_loss.conf"] [line "96"] [id "361022"] 
> [rev "2"] [msg "Atomicorp.com WAF Rules:  Potential SQL Information Leakage"] [severity "ALERT"] [tag "no_ar"]

So does that mean ModSecurity thinks it’s an SQL injection? And how should I log my error then?

2

Answers


  1. Chosen as BEST ANSWER

    It seems that this aspect of security is really important. Even Stackoverflow have a solution for this. It nested my posted error message above into special elements:

    <code class="hljs language-vhdl">
      <span class="hljs-literal">Failure</span>
      <span class="hljs-keyword">in</span>
      wpdb-&amp;gt;query!&lt;br&gt;&lt;code&gt;You have an
      <span class="hljs-literal">error</span>
      <span class="hljs-keyword">in</span>
      your SQL syntax; check the manual that corresponds
      <span class="hljs-keyword">to</span> your MySQL server version
      <span class="hljs-keyword">for</span> the right syntax
      <span class="hljs-keyword">to</span>
      <span class="hljs-keyword">use</span>
      near
      <span class="hljs-symbol">'DDELETE</span>
      FROM wpdev_postmeta WHERE meta_key =
      <span class="hljs-string">"custom_meta"</span>
      ' at
      <span class="hljs-literal">line</span>
      <span class="hljs-number">1</span>&lt;/code&gt;
    </code>
    

    My solution was to replaced all spaces with the HTML entity &nbsp;. Then it also gets past the ModSecurity.


  2. So does that mean ModSecurity thinks it’s an SQL injection? And how should I log my error then?

    I don’t think so.

    Look at the log message:

    ModSecurity: Access denied with code 404 (phase 4). Pattern match "You have an error in your SQL syntax; check the manual " at RESPONSE_BODY.
    

    The key is the phase, which is 4 and the target: RESPONSE_BODY.

    You are right that this is because of the ModSecurity (even more the used rule set), but it does not assume it’s an SQL injection.

    And how should I log my error then?

    You should create an exclusion, which depends on URI/IP address/anything, and partially remove rule 361022, or the target RESPONSE_BODY at the rule.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search