herbie4 / mainwp-check-plugins-vulnerability-extension

Extension for MainWP Dashboard. Checks the child websites plugins for vulnerability using the WordFence intelligence api.
The Unlicense
8 stars 0 forks

Critical error during scan: Uncaught Exception: Bad version syntax on "1.1." #14

Open JosKlever opened 6 days ago

JosKlever commented 6 days ago

I've just started a scan for all sites and it stopped after a number of sites with a critical error:

Error details
=============
An error of type E_ERROR was caused on line number 98 of the file /.../wp-content/plugins/mainwp-check-plugins-vulnerability-extension/vendor/jelix/version/lib/Parser.php. Error message: Uncaught Exception: Bad version syntax on "1.1." in /.../wp-content/plugins/mainwp-check-plugins-vulnerability-extension/vendor/jelix/version/lib/Parser.php:98
Stack trace:
#0 /.../wp-content/plugins/mainwp-check-plugins-vulnerability-extension/vendor/jelix/version/lib/VersionComparator.php(186): Jelix\Version\Parser::parse()
#1 /.../wp-content/plugins/mainwp-check-plugins-vulnerability-extension/hhdev-mwpcpv.php(248): Jelix\Version\VersionComparator::compareVersion()
#2 /.../wp-content/plugins/mainwp-check-plugins-vulnerability-extension/class/class-dashboard.php(284): MainWPCheckPluginVulnerabilityActivator->hhdev_plugin_needs_update()
#3 /.../wp-includes/class-wp-hook.php(324): MainWPCheckPluginVulnerability::hhdev_mwpcpv_render_page()
#4 /.../wp-includes/class-wp-hook.php(348): WP_Hook->apply_filters()
#5 /.../wp-includes/plugin.php(517): WP_Hook->do_action()
#6 /.../wp-admin/admin.php(259): do_action()
#7 {main}
  thrown

I'm using 1.4.3 of the plugin. Before the scan I loaded the latest Wordfence API file. On the site where the error occurred, there is no plugin or theme with a strange version number "1.1." so that shouldn't be the cause of this.

herbie4 commented 6 days ago

Themes are not scanned. No errors here, so it must be a plugin with strange version number or characters or no version number. Can you show a list of used plugins/versions from that site?

JosKlever commented 6 days ago
| Plugin | Version |
| --- | --- |
| Complianz - GDPR/CCPA Cookie Consent | 7.1.0 |
| Koko Analytics | 1.3.14 |
| MainWP Child | 5.2 |
| UpdraftPlus - Backup/Restore | 2.24.6.26 |
| Wordfence Security | 7.11.7 |
| WPForms Lite | 1.9.1.3 |
| WP Post Page Clone | 1.2 |
| Yoast SEO | 23.6 |

In this case WP Post Page Clone would be my first suspect, because the others are used in many sites, so I'd guess the scan would have hit them earlier. But I don't see a "1.1." reference in the code yet.

herbie4 commented 6 days ago

Strange because from version 1.4.2 to 1.4.3 nothing changed in version compare. I tested the WP Post Page Clone on a site and it also gives me an error on scan.

JosKlever commented 6 days ago

I'm not saying that it's caused by 1.4.3. It could also exist in 1.4.2, but I didn't use it recently and this is a new maintenance client. It's good that you can at least reproduce it. Take your time though, because it's not a blocking issue for me.

JosKlever commented 6 days ago

Why is this issue closed? It's not solved yet. Also tested it with 1.5.0 and the result is the same.

JosKlever commented 6 days ago

When using the Scanner Feed with 1.5.0 the error does not occur, but with Production Feed it does.

herbie4 commented 6 days ago

> Why is this issue closed? It's not solved yet. Also tested it with 1.5.0 and the result is the same.

The problem is inside the WP Post Page Clone plugin, so for now I am going to close the issue.

JosKlever commented 6 days ago

Then we can create a support topic for that plugin, but we don't know what to ask, unless we have some information about what's going wrong in your plugin. They can't test or reproduce that.

If we close this issue, the investigation stops as well... 🤔

herbie4 commented 6 days ago

If you want I can keep this open, but it won't speed up the process of solving it. ;-) When I have time I will look into it, but there is something wrong in the code as I already tested to change the header information and that did not solve it.

herbie4 commented 5 days ago

Okay, I found the problem. It is a typo in the WordFence database: they listed version "1.1." as affected. So they typed in one dot too many! https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-post-page-clone/wp-post-page-clone-11-missing-authorization-to-post-disclosure

JosKlever commented 5 days ago

I'll send them a message to fix it, but is this something you can fix in your code as well, to make sure it ignores it or gives a nice error? After all, we can never be certain that version numbers are written exactly according to a certain standard.

JosKlever commented 5 days ago

Wordfence has fixed it already, so the scan finishes now without further errors on my dashboard. So if you want to handle version inconsistencies like this, you should not update your database.

I'll leave it up to you whether you close this issue or keep it open to adjust your plugin.
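The two comments above ask for the scan to survive a malformed version string in the feed instead of dying with an uncaught exception. The following is an added example written for this page, not code from the extension or from its 1.5.1 fix (which the thread does not show). The stack trace shows the extension comparing through Jelix\Version\VersionComparator; this example uses PHP's built-in version_compare() as a stand-in so it runs without Composer. The function names (hhdev_example_*), the feed layout (from/to bounds with '*' for unbounded) and the sample data are all assumptions made for illustration. The design choice it demonstrates: a recoverable typo such as a trailing dot is normalized ("1.1." becomes "1.1"), while an unparseable entry is skipped and reported as a warning rather than aborting the whole scan. The caveat is that a skipped entry is a vulnerability the scan can no longer see, so the warnings must be shown to the operator, not swallowed.

```php
<?php
declare(strict_types=1);

// Added example (not the extension's own code): tolerate malformed version
// strings from a vulnerability feed instead of letting one bad entry abort
// the whole scan. Assumption: each feed entry has 'from'/'to' bounds, with
// '*' meaning unbounded, and PHP's version_compare() stands in for the
// Jelix\Version\VersionComparator the extension really uses.

/**
 * Normalize a version string into something version_compare() accepts.
 * Returns null when the string is not recoverable, so the caller can skip
 * the entry and log it instead of throwing.
 */
function hhdev_example_normalize_version(string $raw): ?string
{
    $v = trim($raw);
    // Optional leading "v" / "V", as in "v1.2.3".
    $v = (string) preg_replace('/^[vV]/', '', $v);
    // Collapse repeated dots and drop leading/trailing ones: "1.1." -> "1.1".
    $v = (string) preg_replace('/\.{2,}/', '.', $v);
    $v = trim($v, '.');
    // Accept only dotted numerics with an optional pre-release suffix such as
    // "1.0-beta2" or "2.24.6.26"; anything else is reported as unparseable.
    if ($v === '' || !preg_match('/^\d+(\.\d+)*([-+][0-9A-Za-z.-]+)?$/', $v)) {
        return null;
    }
    return $v;
}

/**
 * Decide whether $installed lies inside the inclusive range [$from, $to].
 * Either bound may be '*' (unbounded). Returns null (never throws) when a
 * version cannot be parsed and records the reason in $warnings.
 */
function hhdev_example_in_affected_range(string $installed, string $from, string $to, array &$warnings): ?bool
{
    $inst = hhdev_example_normalize_version($installed);
    if ($inst === null) {
        $warnings[] = "installed version '$installed' is not parseable, plugin skipped";
        return null;
    }
    $lo = $from === '*' ? null : hhdev_example_normalize_version($from);
    $hi = $to === '*' ? null : hhdev_example_normalize_version($to);
    if (($from !== '*' && $lo === null) || ($to !== '*' && $hi === null)) {
        $warnings[] = "feed range '$from' .. '$to' is not parseable, entry skipped";
        return null;
    }
    if ($lo !== null && version_compare($inst, $lo, '<')) {
        return false;
    }
    if ($hi !== null && version_compare($inst, $hi, '>')) {
        return false;
    }
    return true;
}

// Constructed sample data modelled on the thread: the feed lists "1.1."
// (a typo for 1.1) as the upper affected bound, plus one entry that cannot
// be repaired. The installed versions come from the plugin list posted above.
$feed = [
    ['slug' => 'wp-post-page-clone', 'from' => '*',   'to' => '1.1.'],
    ['slug' => 'koko-analytics',     'from' => '*',   'to' => 'abc'],
    ['slug' => 'wpforms-lite',       'from' => '1.0', 'to' => '1.9.1.2'],
];
$installed = [
    'wp-post-page-clone' => '1.2',
    'koko-analytics'     => '1.3.14',
    'wpforms-lite'       => '1.9.1.3',
];

$warnings = [];
foreach ($feed as $entry) {
    $hit = hhdev_example_in_affected_range($installed[$entry['slug']], $entry['from'], $entry['to'], $warnings);
    $state = $hit === null ? 'skipped' : ($hit ? 'AFFECTED' : 'not affected');
    echo str_pad($entry['slug'], 20) . ' ' . $state . PHP_EOL;
}
// Surface every skipped entry: a silently dropped feed record is a finding
// the scan can no longer report.
foreach ($warnings as $w) {
    echo 'warning: ' . $w . PHP_EOL;
}
```

Run with `php example.php`: wp-post-page-clone at 1.2 is reported as not affected (1.2 is above the repaired bound 1.1), wpforms-lite at 1.9.1.3 is above 1.9.1.2 and also not affected, and the koko-analytics entry is skipped with a warning because "abc" cannot be turned into a version. Whether to repair a trailing dot automatically or treat it as unparseable is a policy decision; repairing guesses the feed author's intent, skipping loses coverage, and either way the scan keeps running.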

herbie4 commented 4 days ago

Fix added in pre release 1.5.1: https://github.com/herbie4/mainwp-check-plugins-vulnerability-extension/releases/tag/1.5.1 Will add a new prod release 1.4.4 later.