If somebody buys something (WooCommerce) and thereby makes an account, s/he cannot log in using the login button in the menu, nor via the myaccount page that is sent in the order confirmation page. The login works properly when using the wp-admin page. How can this be fixed?
My hosting provider told me to start such an ajax request and tell them when I did it so they can check the logs for the problem. So what should I do in the template for the admin-ajax.php file to run? Is it enough if I just try to log in using the login button?
Okay. They told me that the server denies the ajax request for security reasons. However, it seems that the problem is a phrase that is used in an SQL injection attack (whatever this means). The “user_password” phrase is the reason. I was told that even if this was changed to “user_pass” or “userpass” that would suffice for the request to run. This causes the problem:
Here, take a look at the logs:
POST /tanfolyamok/wp-admin/admin-ajax.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.10 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate, br
HTTP/1.1 406 Not Acceptable
Content-Type: text/html; charset=iso-8859-1
Message: Access denied with code 406 (phase 2). Pattern match “\\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)\\b” at ARGS:data. [file "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "129"] [id "950907"] [msg "SQL Injection Attack. Matched signature <user_password>"] [severity "CRITICAL"]
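Added example, not code from the thread or from WordPress/WooCommerce: a small Python script that applies the rule 950907 signature quoted in the log above to an admin-ajax.php POST body, so a candidate field name can be checked offline before editing the plugin files. The action name ajax_login, the form values and the case-insensitive matching are assumptions (the log does not show the rule's transformation chain); the match location ARGS:data, meaning the serialized form inside the `data` argument, is taken from the log.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Signature of ModSecurity rule id 950907 as quoted in the audit log above
# (the log shows each backslash doubled; this is the pattern the engine applies).
# Case-insensitive matching is an assumption: the log does not list the rule's
# transformations, and CRS SQLi rules commonly lowercase their input.
SQLI_SIGNATURE = re.compile(
    r"\b(?:user_(?:(?:object|table|user)s|password|group)"
    r"|a(?:tt(?:rel|typ)id|ll_objects)"
    r"|object_(?:(?:nam|typ)e|id)"
    r"|pg_(?:attribute|class)"
    r"|column_(?:name|id)"
    r"|substr(?:ing)?|table_name|mb_users|rownum)\b",
    re.IGNORECASE,
)


def build_ajax_body(action: str, fields: dict) -> str:
    """Build an admin-ajax.php body whose 'data' argument carries the serialized
    login form. That nesting is why the log reports the hit at ARGS:data."""
    return urlencode({"action": action, "data": urlencode(fields)})


def flagged_args(body: str) -> list:
    """URL-decode the body the way the WAF builds ARGS and return
    (argument name, matched signature) for every value that trips the rule."""
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        match = SQLI_SIGNATURE.search(value)
        if match:
            hits.append((name, match.group(0)))
    return hits


def is_blocked_name(field_name: str) -> bool:
    """Check one candidate form-field name on its own, as it would appear
    serialized as 'name=value' inside the data argument."""
    return bool(SQLI_SIGNATURE.search(f"{field_name}=x"))


# Constructed sample forms: the login request before and after the rename.
ORIGINAL_FORM = {"user_login": "customer", "user_password": "hunter2"}
RENAMED_FORM = {"user_login": "customer", "userpass": "hunter2"}

if __name__ == "__main__":
    # "ajax_login" is a hypothetical action name, not the plugin's real one.
    for label, form in (("original", ORIGINAL_FORM), ("renamed", RENAMED_FORM)):
        print(label, flagged_args(build_ajax_body("ajax_login", form)))
    for candidate in ("user_password", "user_pass", "userpass", "user_password_repeat"):
        print(candidate, "blocked" if is_blocked_name(candidate) else "passes")
```

Two things the run shows: the original form is flagged on the `data` argument with signature `user_password`, and the renamed form passes. Note that `user_password_repeat` on its own does not match, because the trailing `\b` in the signature needs a non-word character after `password` and `_` is a word character; only the plain `user_password` field trips the rule. This only reproduces the quoted signature, not the WAF's full rule set, so a clean result here means the field name is safe from rule 950907, not from every rule on the server.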
So the question is, that apart from switching service provider, can we do something to make the login work?
They will not disable this. However, I’d prefer if you’d just write me how to change it (in which files and how many instances), because if something doesn’t work, we can try several different field names. Thanks for the help. I hope renaming the field name will solve this issue.
Are you sure this is all I need to change? I changed all “user_password” and “user_password_repeat” instances in the four mentioned files to “userpass” and “userpass_repeat”. But it doesn’t work.
Also, I got another error, I’m not sure if this is related or new.
[Thu Sep 14 14:30:37 2017] [-:warn] [pid 1592:tid 139815135733504] [client 220.127.116.11:47850] mod_fcgid: stderr: PHP Warning: sprintf(): Too few arguments in /chroot/home/kutyatvh/tarskereso-kalauz.hu/html/wp-includes/widgets.php on line 1051
Line 1051 of widgets.php is
$args['before_widget'] = sprintf( $args['before_widget'], $widget_obj->widget_options['classname'] );
I get this error message when I try to log in using the login button, so I assume it is related. Is it?