Hello! Long-time user of your plugin and install it on every site I create!
I’ve run into a new issue for the first time. I set up a site on a new VPS server that has really strict mod_security rules. DebugPress is triggering block rules which result in 403 Forbidden errors that block site access. The blocking is only happening where the DebugPress display is enabled (if on frontend, frontend gets 403 errors, if on admin panel, admin panel gets 403 errors).
I’m sure different rules get tripped based on what debug errors are caught/displayed in DebugPress, but I’ve caught it triggering these rules:
214620 – “COMODO WAF: PHP source code leakage||site_name.com|F|3”
214940 – “COMODO WAF: mysql SQL Information Leakage||site_name.com|F|2”
Here’s a sample audit log report:
Message: Warning. Pattern match "(?:\\b(?:call_user_func|f(?:get(?:c|s{0,1}s)|open|read|scanf|tp_(?:nb_){0,1}f{0,1}(?:ge|pu)t|write)|gz(?:compress|open|read|(?:encod|writ)e)|move_uploaded_file|read(?:dir|(?:gz){0,1}file)|s(?:candir|ession_start)|(?:bz|proc_)open)|\\$_(?:session|(?:ge| ..." at RESPONSE_BODY. [file "/etc/apache2/modsecurity.d/rules/comodo_free/16_Outgoing_FilterPHP.conf"] [line "17"] [id "214620"] [rev "1"] [msg "COMODO WAF: PHP source code leakage||site_name.com|F|3"] [data "Matched Data: fopen found within RESPONSE_BODY: <!doctype html>\x0a<html lang=\x22en-US\x22>\x0a\x0a<head>\x0a <meta charset=\x22UTF-8\x22>\x0a <meta name=\x22viewport\x22 content=\x22width=device-width, initial-scale=1\x22>\x0a <link rel=\x22profile\x22 href=\x22https://gmpg.org/xfn/11\x22>\x0a <link rel=\x22apple-touch-icon\x22 sizes=\x22180x180\x22 href=\x22/apple-touch-icon.png\x22>\x0a <link rel=\x22icon\x22 type=\x22image/png\x22 sizes=\x2232x32\x22 href=\x22/favicon-32x32.png\x22>\x..."] [severity "ERROR
Message: Warning. Pattern match "(?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\\(\\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right ..." at MATCHED_VAR. [file "/etc/apache2/modsecurity.d/rules/comodo_free/17_Outgoing_FilterSQL.conf"] [line "91"] [id "218140"] [rev "2"] [msg "COMODO WAF: mysql SQL Information Leakage||site_name.com|F|2"] [data "Matched Data: exif found within MATCHED_VAR: <!doctype html>\x0a<html lang=\x22en-US\x22>\x0a\x0a<head>\x0a <meta charset=\x22UTF-8\x22>\x0a <meta name=\x22viewport\x22 content=\x22width=device-width, initial-scale=1\x22>\x0a <link rel=\x22profile\x22 href=\x22https://gmpg.org/xfn/11\x22>\x0a <link rel=\x22apple-touch-icon\x22 sizes=\x22180x180\x22 href=\x22/apple-touch-icon.png\x22>\x0a <link rel=\x22icon\x22 type=\x22image/png\x22 sizes=\x2232x32\x22 href=\x22/favicon-32x32.png\x22>\x0a ..."] [severity "C
Message: Warning. Operator GE matched 4 at TX:outgoing_points. [file "/etc/apache2/modsecurity.d/rules/comodo_free/20_Outgoing_FiltersEnd.conf"] [line "38"] [id "214940"] [rev "2"] [msg "COMODO WAF: Outbound Points Exceeded| Total Points: 9|site_name.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 111.222.111.222] ModSecurity: Warning. Pattern match "(?:\\\\\\\\b(?:call_user_func|f(?:get(?:c|s{0,1}s)|open|read|scanf|tp_(?:nb_){0,1}f{0,1}(?:ge|pu)t|write)|gz(?:compress|open|read|(?:encod|writ)e)|move_uploaded_file|read(?:dir|(?:gz){0,1}file)|s(?:candir|ession_start)|(?:bz|proc_)open)|\\\\\\\\$_(?:session|(?:ge| ..." at RESPONSE_BODY. [file "/etc/apache2/modsecurity.d/rules/comodo_free/16_Outgoing_FilterPHP.conf"] [line "17"] [id "214620"] [rev "1"] [msg "COMODO WAF: PHP source code leakage||site_name.com|F|3"] [data "Matched Data: fopen found within RESPONSE_BODY: <!doctype html>\\\\x0a<html lang=\\\\x22en-US\\\\x22>\\\\x0a\\\\x0a<head>\\\\x0a <meta charset=\\\\x22UTF-8\\\\x22>\\\\x0a <meta name=\\\\x22viewport\\\\x22 content=\\\\x22width=device-width, initial-scale=1\\\\x22>\\\\x0a <link rel=\\\\x22profile\\\\x22 href=\\\\x22https://gmpg.org/xfn/11\\\\x22>\\\\x0a <link rel=\\\\x22apple-touch-icon\\\\x22 sizes=\\\\x22180x180\\\\x22 href=\\\\x22/apple-touch-icon.png\\\\x22>\\\\x0a <link rel=\\\\x22icon\\\\x22 type=\\\\x22image/png\\\\x22 sizes=\\\\x2232x32\\\\x22 href=\\\\x22/favicon-32x32.png\\\\x22>\\\\x..."] [severity "ERROR [hostname "site_name.com"] [uri "/index.php"] [unique_id "ZvxV5RvmfOHM8wlcfKIlOwAAAFQ"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 111.222.111.222] ModSecurity: Warning. Pattern match "(?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\\\\\\\\(\\\\\\\\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right ..." at MATCHED_VAR. [file "/etc/apache2/modsecurity.d/rules/comodo_free/17_Outgoing_FilterSQL.conf"] [line "91"] [id "218140"] [rev "2"] [msg "COMODO WAF: mysql SQL Information Leakage||site_name.com|F|2"] [data "Matched Data: exif found within MATCHED_VAR: <!doctype html>\\\\x0a<html lang=\\\\x22en-US\\\\x22>\\\\x0a\\\\x0a<head>\\\\x0a <meta charset=\\\\x22UTF-8\\\\x22>\\\\x0a <meta name=\\\\x22viewport\\\\x22 content=\\\\x22width=device-width, initial-scale=1\\\\x22>\\\\x0a <link rel=\\\\x22profile\\\\x22 href=\\\\x22https://gmpg.org/xfn/11\\\\x22>\\\\x0a <link rel=\\\\x22apple-touch-icon\\\\x22 sizes=\\\\x22180x180\\\\x22 href=\\\\x22/apple-touch-icon.png\\\\x22>\\\\x0a <link rel=\\\\x22icon\\\\x22 type=\\\\x22image/png\\\\x22 sizes=\\\\x2232x32\\\\x22 href=\\\\x22/favicon-32x32.png\\\\x22>\\\\x0a ..."] [severity "C [hostname "site_name.com"] [uri "/index.php"] [unique_id "ZvxV5RvmfOHM8wlcfKIlOwAAAFQ"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 111.222.111.222] ModSecurity: Warning. Operator GE matched 4 at TX:outgoing_points. [file "/etc/apache2/modsecurity.d/rules/comodo_free/20_Outgoing_FiltersEnd.conf"] [line "38"] [id "214940"] [rev "2"] [msg "COMODO WAF: Outbound Points Exceeded| Total Points: 9|site_name.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"] [hostname "site_name.com"] [uri "/index.php"] [unique_id "ZvxV5RvmfOHM8wlcfKIlOwAAAFQ"]
Apache-Handler: proxy:unix:/var/www/vhosts/system/site_name.com/php-fpm.sock|fcgi://127.0.0.1:9000
Stopwatch: 1727813093603815 10545643 (- - -)
Stopwatch2: 1727813093603815 10545643; combined=7027052, p1=490, p2=6118, p3=116, p4=7020029, p5=234, sr=144, sw=65, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.7 (https://www.modsecurity.org/); CWAF_Apache.
Server: Apache
WebApp-Info: "default" "SESNSITIVE_DATA_REMOVED" "-"
Engine-Mode: "ENABLED"
I know there’s probably not much you can do about this on your end, but I wanted to report it anyways.
If anyone else encounters this, the only solutions are to:
1.) disable mod_security
2.) disable DebugPress
3.) disable only specific mod_security rules being tripped
I recommend #3 as the best option while actively developing and using DebugPress, but option #2 as the best option once done developing and launching the site live (and re-enable any disabled rules for the live site). You should be able to enable/disable specific rules in your web hosting admin panel, at the command line, or globally in the mod_security config file.
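An added example, not part of the post above and not DebugPress or Comodo code: a small parser for ModSecurity audit-log "Message:" lines that lists every rule id that fired and separates content-detection rules from the score-threshold rule, so option 3 can be limited to the rules actually tripped. The function names are hypothetical, and the sample is constructed by abridging the three "Message:" lines quoted above.

```python
import re

# Constructed sample: the three "Message:" lines from the audit log above,
# with the long regex and response-body excerpts abridged.
SAMPLE_AUDIT_LOG = r'''
Message: Warning. Pattern match "(?:\\b(?:call_user_func|f(?:get ..." at RESPONSE_BODY. [file "/etc/apache2/modsecurity.d/rules/comodo_free/16_Outgoing_FilterPHP.conf"] [line "17"] [id "214620"] [rev "1"] [msg "COMODO WAF: PHP source code leakage||site_name.com|F|3"] [data "Matched Data: fopen found within RESPONSE_BODY: <!doctype html>\x0a<html lang=\x22en-US\x22>\x..."] [severity "ERROR
Message: Warning. Pattern match "(?i)(?:supplied argument is not a valid MySQL| ..." at MATCHED_VAR. [file "/etc/apache2/modsecurity.d/rules/comodo_free/17_Outgoing_FilterSQL.conf"] [line "91"] [id "218140"] [rev "2"] [msg "COMODO WAF: mysql SQL Information Leakage||site_name.com|F|2"] [data "Matched Data: exif found within MATCHED_VAR: <!doctype html>\x0a ..."] [severity "C
Message: Warning. Operator GE matched 4 at TX:outgoing_points. [file "/etc/apache2/modsecurity.d/rules/comodo_free/20_Outgoing_FiltersEnd.conf"] [line "38"] [id "214940"] [rev "2"] [msg "COMODO WAF: Outbound Points Exceeded| Total Points: 9|site_name.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"]
'''

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # complete [key "value"] pairs only
TARGET = re.compile(r' at ([A-Za-z_:]+)\. \[file ')    # variable the operator matched on

def parse_messages(text):
    """Return one dict per ModSecurity 'Message:' line that carries a rule id."""
    hits = []
    for line in text.splitlines():
        if not line.startswith("Message:"):
            continue
        fields = {}
        for key, value in FIELD.findall(line):
            fields.setdefault(key, value)  # [tag ...] repeats; keep the first
        if "id" not in fields:
            continue
        found = TARGET.search(line)
        target = found.group(1) if found else ""
        hits.append({
            "id": fields["id"],
            "msg": fields.get("msg", "").split("|")[0].strip(),
            "target": target,
            # A truncated field such as [severity "ERROR has no closing quote; report None.
            "severity": fields.get("severity"),
            # A rule testing the TX:outgoing_points counter is the score threshold, not a detector.
            "kind": "threshold" if target.startswith("TX:") else "detection",
        })
    return hits

def detection_rule_ids(hits):
    """Ids of rules that matched response content, in log order, de-duplicated."""
    return list(dict.fromkeys(h["id"] for h in hits if h["kind"] == "detection"))

def removal_directive(hits):
    """Candidate SecRuleRemoveById line for a development vhost; review before use."""
    return "SecRuleRemoveById " + " ".join(detection_rule_ids(hits))

if __name__ == "__main__":
    for h in parse_messages(SAMPLE_AUDIT_LOG):
        print(h["id"], h["kind"], h["target"], h["msg"], sep=" | ")
    print(removal_directive(parse_messages(SAMPLE_AUDIT_LOG)))
```

On the quoted log this reports 214620 and 218140 as the rules that matched response content and 214940 as the rule comparing TX:outgoing_points against its limit, so only the first two go into the candidate directive and the threshold rule stays in place for everything else.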
I’ve installed the plugin on a very slim install but the icon never appears.
What am I doing wrong? No errors in the console.
Hi there,
I am using kint as a debugger with composer. See: https://kint-php.github.io/kint/
When I activate your plugin there seems to be a conflict as it also uses kint under the hood. I do not want to switch to prettyprint, but want to use kint as my debugger.
Could your plugin be modified so that the kint debugging commands are available in PHP? Like d('Dumped with Kint'); etc.
Best,
Sascha
Hi there,
I have this notice in my debug.log:
E_WARNING: include_once(): Failed opening 'System.php' for inclusion (include_path='.:/opt/alt/php80/usr/share/pear:/opt/alt/php80/usr/share/php:/usr/share/pear:/usr/share/php') in ~/wp-content/plugins/debugpress/core/main/Info.php on line 425
Thank you for your help!
Warm regards,
Ludovic
I have a green bug in the top right corner, white 1 in blue field next to it. I can click anything, nothing shows up.
First – I love your plugin and it is massively helping us optimize our SQL queries to make a more performant site.
However, when we activate, our php_errorlog is showing errors coming from the plugin.
Invalid argument supplied for foreach() in /home/customer/www/prehealthshadowing.com/public_html/wp-content/plugins/debugpress/core/track/Tracker.php on line 487
Do you know what this is, and can it be fixed?
Hi there, thanks a lot for this plugin, really helpful!
Just wanted to let you know that currently, when trying to jump to the information-panel from within DebugPress you are directed to:
https://domainname.com/wp-admin/tools.php?page=debugpress&tab=opcache
whereas the actual link/page is located here:
https://domainname.com/wp-admin/tools.php?page=debugpress-info&tab=opcache
I am noticing that DebugPress (along with some other plugins) is not working properly when a user is anonymous – or not logged in. The page renders and the “bug” button appears properly, but clicking it does not load the panels. The panel loads properly when the user logs in.
Obviously something changed in WordPress 5.6, but I wonder if it is intentional and will not be fixed by WP and so needs to be adjusted in all of the plugins where the JavaScript is not loading properly. Do you have any insight here?
Hey team!
Loving the plugin so far. But, on several of my test sites, I am getting lots of PHP notices. Almost all seem to be related to the HTTP panel.
Here is the most common stack trace:
[27-Oct-2020 13:43:05 UTC] PHP Notice: Trying to access array offset on value of type null in \wp-content\plugins\debugpress\core\panel\HTTP.php on line 56
[27-Oct-2020 13:43:05 UTC] PHP Stack trace:
[27-Oct-2020 13:43:05 UTC] PHP 1. shutdown_action_hook() \wp-includes\load.php:0
[27-Oct-2020 13:43:05 UTC] PHP 2. do_action() \wp-includes\load.php:1007
[27-Oct-2020 13:43:05 UTC] PHP 3. WP_Hook->do_action() \wp-includes\plugin.php:478
[27-Oct-2020 13:43:05 UTC] PHP 4. WP_Hook->apply_filters() \wp-includes\class-wp-hook.php:311
[27-Oct-2020 13:43:05 UTC] PHP 5. Dev4Press\Plugin\DebugPress\Display\Loader->debugger_content() \wp-includes\class-wp-hook.php:287
[27-Oct-2020 13:43:05 UTC] PHP 6. include() \wp-content\plugins\debugpress\core\display\Loader.php:134
[27-Oct-2020 13:43:05 UTC] PHP 7. include() \wp-content\plugins\debugpress\forms\display.php:49
[27-Oct-2020 13:43:05 UTC] PHP 8. Dev4Press\Plugin\DebugPress\Panel\HTTP->single() \wp-content\plugins\debugpress\forms\panels\http.php:8
[27-Oct-2020 13:43:05 UTC] PHP 9. Dev4Press\Plugin\DebugPress\Panel\HTTP->render_request() \wp-content\plugins\debugpress\core\panel\HTTP.php:21
The error is:
debugpress.js?ver=1.1:287 Uncaught TypeError: Cannot read property ‘toUpperCase’ of undefined
at Object.render (debugpress.js?ver=1.1:287)
at HTMLDocument.<anonymous> (debugpress.js?ver=1.1:268)
at HTMLDocument.dispatch (jquery.js?ver=1.12.4-wp:3)
at HTMLDocument.r.handle (jquery.js?ver=1.12.4-wp:3)
at Object.trigger (jquery.js?ver=1.12.4-wp:3)
at x (jquery.js?ver=1.12.4-wp:4)
at XMLHttpRequest.c (jquery.js?ver=1.12.4-wp:4)
Hi,
Very nice-looking debug plugin, but unfortunately it doesn't work reliably.
On multiple content sites I get a blank popup with errors in the console. Emptying the cache didn't resolve the problem.
Uncaught TypeError: ajax.response is undefined
render https://XXX.com/wp-content/cache/min/1/e49c28530a8eb117585641678850281f.js:227
init https://XXX.com/wp-content/cache/min/1/e49c28530a8eb117585641678850281f.js:227
jQuery 5
e49c28530a8eb117585641678850281f.js:227:20840
render https://XXX.com/wp-content/cache/min/1/e49c28530a8eb117585641678850281f.js:227
init https://XXX.com/wp-content/cache/min/1/e49c28530a8eb117585641678850281f.js:227
jQuery 5
Hi,
Great plugin, thanks for building this. Is there a way to disable the PHP error log output?
Thanks