WPCloudDeploy / wp-cloud-deploy

WPCloudDeploy is a WordPress plugin that allows you to easily deploy and manage your own dedicated high-performance WordPress servers and sites at any cloud server provider.
https://wpclouddeploy.com

V5 NGINX | PHP 8.x Function phpinfo() #78

Closed unakriti closed 1 year ago

unakriti commented 1 year ago

Version: WPCD V5 Beta 10 | Linode | NGINX Server

Hi,

On a new NGINX site using PHP 8.1, I recently encountered fatal errors while accessing the plugins page. When I switched to PHP 7.4, things work normally. I traced the source of these errors to the WPVivid backup plugin. Their support team has confirmed their plugin to be compliant with PHP version 8.x and suggested enabling the function phpinfo() on the server while using PHP 8.x.

Error text below:

```
[09-Nov-2022 18:43:29 UTC] PHP Fatal error:  Uncaught Error: Call to undefined function phpinfo() in /var/www/domain.com/html/wp-content/plugins/wpvivid-backup-pro/methods/Math/BigInteger.php:263
Stack trace:
#0 /var/www/domain.com/html/wp-content/plugins/wpvivid-backup-pro/methods/Crypt/RSA.php(555): Math_BigInteger->__construct()
#1 /var/www/domain.com/html/wp-content/plugins/wpvivid-backup-pro/includes/class-wpvivid-crypt-addon.php(30): Crypt_RSA->__construct()
#2 /var/www/domain.com/html/wp-content/plugins/wpvivid-backup-pro/includes/class-wpvivid-connect-server.php(592): WPvivid_Dashboard_Crypt->__construct()
#3 /var/www/domain.com/html/wp-content/plugins/wpvivid-backup-pro/includes/class-wpvivid-updater.php(372): WPvivid_Dashboard_Connect_server->get_download_link()
#4 /var/www/domain.com/html/wp-content/plugins/wpvivid-backup-pro/includes/class-wpvivid-updater.php(397): WPvivid_Updater->get_version()
#5 /var/www/domain.com/html/wp-includes/class-wp-hook.php(310): WPvivid_Updater->pro_update_row()
#6 /var/www/domain.com/html/wp-includes/class-wp-hook.php(332): WP_Hook->apply_filters()
#7 /var/www/domain.com/html/wp-includes/plugin.php(517): WP_Hook->do_action()
#8 /var/www/domain.com/html/wp-admin/includes/class-wp-plugins-list-table.php(1357): do_action()
#9 /var/www/domain.com/html/wp-admin/includes/class-wp-plugins-list-table.php(695): WP_Plugins_List_Table->single_row()
#10 /var/www/domain.com/html/wp-admin/includes/class-wp-list-table.php(1444): WP_Plugins_List_Table->display_rows()
#11 /var/www/domain.com/html/wp-admin/includes/class-wp-list-table.php(1371): WP_List_Table->display_rows_or_placeholder()
#12 /var/www/domain.com/html/wp-admin/plugins.php(773): WP_List_Table->display()
#13 {main}
  thrown in /var/www/domain.com/html/wp-content/plugins/wpvivid-backup-pro/methods/Math/BigInteger.php on line 263
```

Could you please advise whether I might be missing something here with the configuration of a newly deployed server and site? Thanks

Kind regards,

elindydotcom commented 1 year ago

That's strange. The phpinfo function is disabled by default on both nginx and ols, and the php version shouldn't matter.

I just created a phpinfo.php file on nginx with php 7.4 and it showed no output because the phpinfo is disabled.

I wonder if wpvivid is doing something different depending on the php version it detects.

unakriti commented 1 year ago

Thank you.

I have shared your response with WPVivid and they are curious why the phpinfo function is disabled by default. They are saying I should enable the phpinfo function and try the plugin again.

EDIT: Here's a screenshot they shared from one of their test sites using PHP 8.x - everything works fine

Any thoughts please?

Kind regards,

elindydotcom commented 1 year ago

If you leave phpinfo() enabled in a shared environment then it can leak information about your server config (including any vulnerabilities) to anyone who can upload a plugin to a site on the server.

By turning it off we make it harder for would-be hackers to obtain the information. It's a little bit of security by obscurity and it is possible to get some of the info other ways. But why make it easy?

It's up to you if you want to re-enable it but the default is for us to disable it because we assume that sites will be on shared servers with untrusted users having access to wp-admin.

unakriti commented 1 year ago

Thanks much.

As per this document, I updated /etc/php/8.1/fpm/pool.d/domain.conf to re-enable the phpinfo function and then restarted the PHP service. The WPVivid plugin then works as expected.

Now, WPVivid says they have not changed anything for PHP 8.x. I wonder whether anything might be different with WPCD between PHP versions? For instance, I noticed the following difference in php.ini files:

In versions 7.4 and 8.0, the php.ini file (e.g. /etc/php/7.4/fpm/php.ini) has the following value:

```ini
; This directive allows you to disable certain functions.
; It receives a comma-delimited list of function names.
; http://php.net/disable-functions
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
```

However, the php.ini file in 8.1 (/etc/php/8.1/fpm/php.ini) has no value:

```ini
; This directive allows you to disable certain functions.
; It receives a comma-delimited list of function names.
; https://php.net/disable-functions
disable_functions = 
```

This is merely an example (and not a causation claim), but I am trying to understand whether there could be inadvertent differences such as the above that might be making the WPVivid plugin behave differently across PHP versions.

Kind regards,

elindydotcom commented 1 year ago

For PHP 8.1, the restrictions are going to be held in /etc/php/8.1/fpm/pool.d/yourdomain.conf

But you will not see this file in there unless you enable 8.1 for the site (under the PHP tab for a site).

Check out this doc for a list of file locations: https://wpclouddeploy.com/documentation/wpcloud-deploy-admin/server-configuration-files/
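
The two files discussed above can be checked together. The POSIX shell script below is an added example (not WPCD's code and not from anyone in this thread): it reads a global php.ini and a per-site pool.d file and prints the disable_functions actually in force for that site. PHP-FPM applies the pool file's php_admin_value[disable_functions] on top of whatever php.ini already disabled, so the effective set is the union of the two lists and the pool file can only add names, never clear them. The sample files, their paths and their function lists are constructed stand-ins, not values from a real server.

```shell
#!/bin/sh
# Added example: report the effective disable_functions for one PHP-FPM site.
# Assumption: the pool file's php_admin_value[disable_functions] is applied in
# addition to php.ini's disable_functions (union), which is how PHP-FPM behaves.
set -e

# Constructed sample files standing in for /etc/php/8.1/fpm/php.ini and
# /etc/php/8.1/fpm/pool.d/domain.conf. Contents are made up for the demo.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/php.ini" <<'EOF'
; commented-out lines must be ignored
;disable_functions = this_line_is_commented_out
; trailing comma as in the Ubuntu-shipped list
disable_functions = pcntl_fork,pcntl_exec,
EOF
cat > "$WORK/domain.conf" <<'EOF'
[domain]
php_admin_value[disable_functions] = phpinfo, exec, shell_exec, pcntl_fork
EOF

# Union of both lists: one function name per line, sorted, de-duplicated.
effective_disabled() {   # args: <php.ini> <pool.conf>
  {
    # global php.ini line: disable_functions = a,b,c
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=//p' "$1"
    # pool line: php_admin_value[disable_functions] = a,b  (or php_value[...])
    sed -n 's/^[[:space:]]*php_[a-z_]*value\[disable_functions][[:space:]]*=//p' "$2"
  } | tr ',' '\n' | tr -d ' \t"' | grep -v '^$' | sort -u
}

# Exit 0 if <function> is disabled for the site, 1 otherwise.
is_disabled() {          # args: <function> <php.ini> <pool.conf>
  effective_disabled "$2" "$3" | grep -qx -- "$1"
}

effective_disabled "$WORK/php.ini" "$WORK/domain.conf"
if is_disabled phpinfo "$WORK/php.ini" "$WORK/domain.conf"; then
  echo "phpinfo() is disabled for this site"
fi
```

Point the two functions at the real php.ini and the site's pool.d file to confirm a hardening change actually applies before retesting a plugin.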

unakriti commented 1 year ago

Thank you.

Are the differences in php.ini between PHP versions, as stated above for the disable_functions directive, intentional?

PS: I enabled 8.1 and then restarted the PHP service before checking the status. Using Ubuntu 22.04.

Kind regards,

unakriti commented 1 year ago

OLS Test Update:

I am unable to reproduce the WPVivid Pro issue on OLS running on PHP 8.x. The problem seems isolated to running WPVivid Pro plugin on NGINX with PHP 8.x. Not sure what's going on.

Kind regards,

elindydotcom commented 1 year ago

What version of OLS are you running?

unakriti commented 1 year ago

```
root@localhost:~# sudo /usr/local/lsws/bin/lshttpd -v
LiteSpeed/1.7.16 Open (BUILD built: Mon Oct 17 21:33:28 UTC 2022) 
    module versions:
    lsquic 3.1.1
    modgzip 1.1
    cache 1.64
    mod_security 1.4
```

Kind regards,

unakriti commented 1 year ago

Hi,

I just tried V5.1 (downloaded from my WPCD account) and now, like on NGINX, WPVivid Pro throws the fatal error on accessing the plugins page when installed on an OLS site.

Kind regards,

unakriti commented 1 year ago

Another thing with V5.1: if I try to re-enable phpinfo() from OLS Manager, it does not work. I just need to drop to the terminal and update the file /usr/local/lsws/lsphp${phpver}/etc/php/${phpver2}/litespeed/php.ini to re-enable the function.

Kind regards,

wpcloudpanel commented 1 year ago

OLS has been inconsistent with how it handles PHP directives in the vhost files. Usually, like NGINX, we add the PHP directives we want to enforce on each site into a site-specific vhost configuration file.

Unfortunately, somewhere along the line, OLS stopped respecting some (but not all) of those directives which is why you were seeing some of the inconsistent behavior you described above.

After discussions with the OLS folks, it became obvious this wasn't going to be resolved any time soon. So we could not continue to depend on the vhost files to enforce essential PHP directives needed to fully secure OLS sites in a shared server environment.

Starting with WPCD 5.2, we moved some of those directives into a PHP.INI file and locked down that file so that only root/sudo users can change it.

You can see an explanation of those changes here: https://wpclouddeploy.com/documentation/more/technical-upgrade-notes-for-v-5-2-x/

With these changes, the PHP functions we lock down in OLS match the set we lock down in NGINX, which includes PHPINFO.

unakriti commented 1 year ago

Thank you @wpcloudpanel @elindydotcom

I tried V5.2 and also noticed the helpful comment in the OLS manager vhost php config editor about this approach.

Kind regards,