• Resolved Paul Vogel

    (@pavog)


    Hello team of Cerber Tech Inc.,

    I would like to report a problem with the WP Cerber Security, Anti-spam & Malware Scan plugin.

    My problem:
    When a user changes his password, after clicking the save button, he is redirected and he gets a “502 Bad Gateway” error. The main problem is that when the user wants to go to the main page afterwards, he gets a 500 error. The same problem also occurs when the user is logged in and I restart the Docker container of WordPress in the background.

    Solution / Workaround:
    The user has to log out somehow. Because he cannot do this himself – as the website cannot be loaded – he has to delete the cookie. More precisely, he has to delete the login / session cookie. In our case, the cookie has the following pattern: wordpress_login_XXXXXXX.

    Error analysis:
    I found out that the problem is somewhere in the plugin WP Cerber Security. Because: if I turn off the plugin and change the password or restart the Docker container, the issues do not occur.

    More detailed error analysis:
    The 500 error that occurs generates the following error message in the log:

    PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 262144 bytes) in /var/www/html/wp-includes/pluggable.php on line 656, referer: https://.../edit-account/
    PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 262144 bytes) in Unknown on line 0, referer: https://.../edit-account/
    PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 20480 bytes) in /var/www/html/wp-includes/class-wp-user.php on line 509
    PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 20480 bytes) in /var/www/html/wp-includes/class-wp-fatal-error-handler.php on line 72
    PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 262144 bytes) in /var/www/html/wp-includes/pluggable.php on line 656
    PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 262144 bytes) in Unknown on line 0

    I have analysed the source code and found out the following:
    The problem probably occurs when the auth / login cookie is parsed or processed. I suspect that an infinite loop occurs.
    The source code can be found here: wp-includes/pluggable.php on line 656.
    In it, the Auth-Cookie is parsed.
    The function to parse the cookie is also in the pluggable.php on line 822.
    Unfortunately, it does not say how the parameters are assigned. Maybe the default values, i.e. empty strings, are used for the cookie and scheme parameters.

    Maybe this information can help to solve the problem. I also have a list of the names of the cookies in my browser:

    • PHPSESSID
    • sec_cerber_groove
    • __stripe_mid
    • wordpress_logged_in_4d149b1d38bb29a9580e9ea2307fc398
    • sec_nRapbULfNQe_PBK
    • sec_WpcrwsAYHOqC
    • sec_cerber_groove_x_SeLDjzd4E7pI0iRQJvl3hZqWX
    • sec_A_PXanSkf
    • wp_woocommerce_session_4d149b1d38bb29a9580e9ea2307fc398
    • borlabs-cookie

    I have removed the cookie values for security reasons. If they are needed, I can send them by private message or email.

    What else I tried:

    1. On my staging / development environment I have the same setup (files + database were cloned). If I do not switch on SSL for the NGINX reverse proxy (-> use http:// instead of https://), the problem does not occur. So it seems to have something to do with the SSL / HTTPS or the detection of the reverse proxy.
    2. In a few places on the internet it is recommended to increase the memory limit. By default, we have set the memory limit to 128 MB. This has always been sufficient. For testing, we set the memory limit to 512 MB. Then the problem still occurred.
    3. If I delete the sessions of all users via the WordPress CLI (for example after the container restart), the problem still occurs.

    My setup:

    • Latest version of WordPress (5.7.2 / updated to 5.8 today)
    • Latest version of WP Cerber Security (8.9)
    • WordPress Plugins: WooCommerce, WooCommerce Germanized, Borlabs Cookie Consent Management and a few more WordPress plugins that you need for a shop. So a few extensions for WooCommerce and such. Nothing extraordinary or weird. Most of the plugins are very popular and widely used.
    • WordPress is run on a VM via Docker. The official Docker images for WordPress (from hub.docker.com/_/wordpress) are used and Docker-Compose is used to run WordPress and a MariaDB.
    • We use a NGINX reverse proxy that is switched in front of the Docker container of WordPress. The NGINX reverse proxy takes care of the accesses and the SSL certificate. The communication between the NGINX and WordPress works without SSL.
    • Settings in WP Cerber Security:
      – “Load security engine”: Legacy
      – “Site connection / My site is behind a reverse proxy”: Checked
      All other settings are left at default values. At least I think so…

    Other similar issues:

    Thank you very much in advance for your help and best regards from Germany.
    Paul

    • This topic was modified 3 years, 4 months ago by Paul Vogel. Reason: Provide more detailed info and fix some formatting issues
    • This topic was modified 3 years, 4 months ago by Paul Vogel.
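
A log-triage sketch for the error lines quoted in the report above, added here as an example and not part of the original post or the plugin's code. It parses the memory-exhaustion fatals and lists code locations that ran out of memory under more than one memory_limit, which points at unbounded growth rather than an undersized limit. The sample log is constructed (the 512 MB line and the host shop.example are assumptions), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches the PHP memory-exhaustion format quoted in the report.
FATAL_RE = re.compile(
    r"PHP Fatal error:\s+Allowed memory size of (?P<limit>\d+) bytes exhausted "
    r"\(tried to allocate (?P<want>\d+) bytes\) in (?P<file>.+?) on line (?P<line>\d+)"
    r"(?:, referer: (?P<referer>\S+))?"
)

# Constructed sample: locations taken from the report, limits 128 MB and 512 MB.
SAMPLE_LOG = """\
PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 262144 bytes) in /var/www/html/wp-includes/pluggable.php on line 656, referer: https://shop.example/edit-account/
PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 262144 bytes) in Unknown on line 0
PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 262144 bytes) in /var/www/html/wp-includes/pluggable.php on line 656
PHP Notice: unrelated line that must be ignored
"""

def parse_fatals(text):
    """Return one record per memory-exhaustion fatal found in text."""
    return [
        {
            "limit": int(m["limit"]),
            "requested": int(m["want"]),
            "location": (m["file"], int(m["line"])),
            "referer": m["referer"],  # None when the line has no referer
        }
        for m in FATAL_RE.finditer(text)
    ]

def group_by_location(records):
    """Map (file, line) -> hit count and the set of memory limits seen there."""
    groups = defaultdict(lambda: {"count": 0, "limits": set()})
    for rec in records:
        group = groups[rec["location"]]
        group["count"] += 1
        group["limits"].add(rec["limit"])
    return dict(groups)

def runaway_locations(records):
    """Locations that exhausted memory under more than one memory_limit."""
    groups = group_by_location(records)
    return sorted(loc for loc, g in groups.items() if len(g["limits"]) > 1)

if __name__ == "__main__":
    for path, line in runaway_locations(parse_fatals(SAMPLE_LOG)):
        print(f"fails regardless of memory_limit: {path}:{line}")
```
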
Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author gioni

    (@gioni)

    Hi! Thanks for such a detailed report! We will investigate it soon.

    Plugin Author gioni

    (@gioni)

    Please confirm that the issue persists on the following configuration:

    1. WordPress 5.8
    2. WP Cerber “Load security engine” is set to “Standard mode”

    Thread Starter Paul Vogel

    (@pavog)

    Hello, yes, I can confirm that the problem still exists with WordPress 5.8 and the default mode.

    Hi. Faced the same problem.
    The problem persists in WordPress 5.8 and default mode.

    PWS

    (@perceptionweb)

    We have been seeing this same issue and have downgraded to Cerber 8.8 as suggested in a different thread. There have not been any 500 codes since then (about a week ago), but users still seem to be having trouble with invalid cookies. They log in and then get logged out because of invalid cookies. In some cases this produces ‘Spam form submission denied’ errors on page requests and ‘Login failed’ errors on AJAX requests leading to the user’s IP being blocked as if each request is a login attempt.

    I have exactly the same problem. It all started after the sites were transferred to VDS, before that they were on shared hosting, and there is no such thing there. I also now have several other sites with exactly the same characteristics. This error also does not occur there.

    Maybe it’s in the HSTS technology
    I had it activated on VDS and deactivated on shared

    Same problem here: when our users try to change their password and WordPress redirects to the main page, they need to clear the login cookie or log out of WordPress. But that is impossible because they can't access it.

    Version 8.9.3

    • This reply was modified 3 years, 2 months ago by chemin1989.

    I seem to be seeing something similar. The user resets their password, and then gets an error 500.

    Plugin Author gioni

    (@gioni)

    We’ve discovered a bug. A new release with a bugfix will be available soon.

    @tomslominski
    @chemin1989
    @waynemaster
    @perceptionweb
    @antinopol

    Plugin Author gioni

    (@gioni)

    It’s been fixed in the last release: https://wpcerber.com/wp-cerber-security-8-9-5/

  • The topic ‘500 error after password change’ is closed to new replies.