I am currently creating a plugin for WordPress that will log errors in the admin area that may happen in a custom code. This log is not intended for PHP errors, which are already stored in debug.log.
It's more to help find configuration errors, for example if I have a looper for posts and I expect the post image to be set. like:
$post_img = get_the_post_thumbnail_url(123, 'full');
if ($post_img == false)
{
my_error_log ('No featured image set for post 123');
}
I'm showing this errors in a admin WP_List style so even editors could handle and solve such configuration errors. Everything works great until i tried to catch $wpdb->last_error messages! Like:
$query = $wpdb->query ('DDELETE FROM ' . $wpdb->postmeta . ' WHERE meta_key = "custom_meta";');
if ($query === false)
{
my_error_log ('Failure in wpdb->query!<br><code>' . $wpdb->last_error .'</code>');
}
The DELETE command is intentionally incorrect to generate an error message!
It is written correctly in the database with
Failure in wpdb->query!<br><code>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DDELETE FROM wpdev_postmeta WHERE meta_key = "custom_meta"' at line 1</code>
But if i want to show the errors in the WP_LIST while getting the errors with function prepare_items and $wpdb->get_results('SELECT * FROM wp_my_error_log .... i only get a 404 error and nothing is displayed!
While searching the server error log files (the right one ;-) ) I found the following line:
> [:error] [pid 803349:tid 139870349313792] [client 123.XXX.XXX.XXX:0]
> ModSecurity: Access denied with code 404 (phase 4). Pattern match "You
> have an error in your SQL syntax; check the manual " at RESPONSE_BODY.
> [file "/etc/modsecurity/conf.d/11_asl_data_loss.conf"] [line "96"] [id "361022"]
> [rev "2"] [msg "Atomicorp.com WAF Rules: Potential SQL Information Leakage"] [severity "ALERT"] [tag "no_ar"]
So does that mean ModSecurity thinks it's an SQL injection? And how should I log my error then?
CodePudding user response:
It seems that this aspect of security is really important. Even Stackoverflow have a solution for this. It nested my posted error message above into special elements:
<code >
<span >Failure</span>
<span >in</span>
wpdb-&gt;query!<br><code>You have an
<span >error</span>
<span >in</span>
your SQL syntax; check the manual that corresponds
<span >to</span> your MySQL server version
<span >for</span> the right syntax
<span >to</span>
<span >use</span>
near
<span >'DDELETE</span>
FROM wpdev_postmeta WHERE meta_key =
<span >"custom_meta"</span>
' at
<span >line</span>
<span >1</span></code>
</code>
My solution was to replaced all spaces with the HTML entity . Then it also gets past the ModSecurity.
CodePudding user response:
So does that mean ModSecurity thinks it's an SQL injection? And how should I log my error then?
I don't think so.
Look at the log message:
ModSecurity: Access denied with code 404 (phase 4). Pattern match "You have an error in your SQL syntax; check the manual " at RESPONSE_BODY.
The key is the phase, which is 4 and the target: RESPONSE_BODY.
You are right that this is because of the ModSecurity (even more the used rule set), but it does not assume it's an SQL injection.
And how should I log my error then?
You should create an exclusion, which depends on URI/IP address/anything, and partially remove rule 361022, or the target RESPONSE_BODY at the rule.