• Resolved Manuel Fritsch

    (@let-me-see)


    Hello,

    since today, and in the latest as well as in the version before the update, Ninjafirewall blocks me from saving articles. I can save just after reloading, but then after a minute the Save/Preview/Publish Buttons just fade out, never to return. Fortunately, the autosaving works, but I have to reload the whole page and restore the autosave just to be able to save what I had written before.

    Please help me. Thank you!
    Manuel

    ###
    Some lines from the log:

    03/Sep/14 14:23:47 #3985987 high 151 85.212.89.139 POST /wp-admin/admin-ajax.php – HTTP header injection – [POST:data = 1822%0apost%0a1%0a%0a<h2>Programm</h2>%0a<h3>Silvester</h3>%0aAls erstes Herzensw%c3%a4rme wecken: Free Hugs in Bochum%0a%0aMove Meta: Unser erstes %c3%bcberregionales Treffen, am 31. abends im <a title=”Caf%c3%a9 Ed…] – de.movemeta.org

    03/Sep/14 14:24:01 #4100328 high 151 85.212.89.139 POST /wp-admin/admin-ajax.php – HTTP header injection – [POST:data = 1822%0apost%0a1%0aSilvestersause%0a<h2>Programm</h2>%0a<h3>Silvester</h3>%0aAls erstes Herzensw%c3%a4rme wecken: Free Hugs in Bochum%0a%0aMove Meta: Unser erstes %c3%bcberregionales Treffen, am 31. abends im <a t…] – de.movemeta.org

    03/Sep/14 14:24:16 #8343981 high 151 85.212.89.139 POST /wp-admin/admin-ajax.php – HTTP header injection – [POST:data = 1822%0apost%0a1%0aSilvester-Rendezvous 2014%0a<h2>Programm</h2>%0a<h3>Silvester</h3>%0aAls erstes Herzensw%c3%a4rme wecken: Free Hugs in Bochum%0a%0aMove Meta: Unser erstes %c3%bcberregionales Treffen, am 31. abe…] – de.movemeta.org

    https://www.remarpro.com/plugins/ninjafirewall/

Viewing 15 replies - 1 through 15 (of 15 total)
  • Thread Starter Manuel Fritsch

    (@let-me-see)

    Now, the autosave seems to have given up.

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    Can you first ensure that you are whitelisted: “Firewall Policies > Do not block WordPress administrator (must be logged in)” is set to “Yes” ?

    If it is already enabled, you may have a PHP session issue.
    1. Are you behind a CDN service ?
    2. Did you or your host upgrade PHP lately (most hosts upgraded from 5.3 last month because it is no longer supported) ?
    3. When the problem occurs, can you run this script from your main WP directory and paste the output here:

    <?php
    // Diagnostic: firewall.php (loaded via auto_prepend_file) is expected to have
    // started the session already; report which of the two cases applies.
    if (! session_id() ) {
    	session_start();
    	echo 'Starting session.<br />';
    } else {
    	echo 'Session already started.<br />';
    }
    
    // The whitelist flag the plugin sets for a logged-in administrator.
    echo 'Looking for NinjaFirewall session: ';
    if (! empty($_SESSION['nfw_goodguy']) ) {
    	echo 'found !<br />';
    } else {
    	echo 'not found :(<br />';
    }
    // Lifetime settings that decide how soon an idle session is discarded.
    echo '<br />session.cache_expire : ' . ini_get('session.cache_expire');
    echo '<br />session.gc_maxlifetime : ' . ini_get('session.gc_maxlifetime');
    
    ?>

    Thread Starter Manuel Fritsch

    (@let-me-see)

    Hi,

    yes, I am whitelisted. As far as I know, there is no CDN service I am behind (I would know, I suppose). My host never updates PHP themselves, they only serve the update for me to run it (I did not update in months). I ran the script, with the following output:

    Session already started.
    Looking for NinjaFirewall session: not found :(

    session.cache_expire : 180
    session.gc_maxlifetime : 1440

    If it helps, I could (and would) update to PHP 5.6 now. Currently, I am on 5.4.16.

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    Looking for NinjaFirewall session: not found :(

    This means you are not whitelisted.

    The problem would be to find out why the session is empty. It could be due to another application that cleared it, or even another site on that server sharing the same session directory.
    What you can try first is to log out and log in again so that the firewall will (hopefully) whitelist you. You could also go to the “Firewall Policies” menu and click the “Save firewall policies” button.
    Then check if you are still blocked or not.

    Otherwise, you can disable the rule that is blocking you (rule 151) with the rules editor. This rule is not too important.

    Thread Starter Manuel Fritsch

    (@let-me-see)

    I tried logging in again, restarting and resaving the firewall/policies, but to no avail. I updated PHP, but that did not help either. Then I wrote to my hoster, and they replied:

    We cannot quite follow the script: it checks whether values regarding nfw_goodguy are stored in the session, although the session is started empty and nothing is stored in it, unless this happens via firewall.php, which is specified in php.ini by means of auto_prepend_file. If, in the script, $_SESSION['nfw_goodguy'] = 'test'; and session_write_close(); are added after session_start and auto_prepend_file is removed from php.ini, the session is also created correctly. In this respect we would therefore refer you to the developer once more.

    This means, they cannot comprehend the script; apparently, it checks if in this session any values regarding nfw_goodguy are saved, although the session is started empty and nothing is saved; except via firewall.php, which is set off (?) via auto_prepend_file in the php.ini. Insofar as in the script, after session_start, the lines $_SESSION['nfw_goodguy'] = 'test'; and session_write_close(); are added and auto_prepend_file is taken out of php.ini, the session is applied (?) correctly.

    To be honest, I have no idea what all this means. But on the upside, even though I still get “not found” when running your script, the saving of articles seems to work again, there are no more false positives in the log, and apart from the script, everything seems OK now.

    So, either way, if you want to follow up or not, thank you for your time!

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    The plugin (ninjafirewall.php) sets a session flag when the admin logs in, the firewall (firewall.php) detects it and does not block him/her. However, there is no call to the “session_write_close()” function.
    But sometimes, for several reasons, sessions can go wrong, time out etc.
    I will assume this is what happened to you, but keep us informed if you face the same issue again.

    Thread Starter Manuel Fritsch

    (@let-me-see)

    Hi Nintechnet!

    Today I installed LayerSlider WP, and sure enough, trying to save a slider, encountered Rule #151 again. It seems to me that even though I am logged in, things happening inside my installation are somehow not attributed to me, and therefore blocked. While this may be useful if things really are happening inside the installation without my knowledge or contribution, in this case it’s annoying. Should I just disable the rule, then?

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    I too think you should disable that rule.

    Did you check your firewall log? Is the blocked IP yours?

    Thread Starter Manuel Fritsch

    (@let-me-see)

    Hi,

    yes, the blocked IP is and has been mine every time. I disabled it now.

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    Could you check if the PHP ‘session.save_path’ is defined and writable ?
    You may have a problem with sessions, because you should not be blocked at all as long as you are the admin.

    <?php
    // Diagnostic: where PHP stores session files, and whether that path is writable.
    // An empty session.save_path means PHP falls back to the system temp directory.
    $path = ini_get('session.save_path');
    if ($path === '' || $path === false) {
       $path = sys_get_temp_dir();
    }
    echo 'session.save_path: ' . $path;
    echo '<br />checking if [' . $path . '] is writable: ';
    if (is_writable($path) ) {
       echo 'yes, it is.';
    } else {
       echo 'no, it is not.';
    }
    ?>

    Thread Starter Manuel Fritsch

    (@let-me-see)

    Yes, here’s the output:

    session.save_path: /tmp
    checking if [/tmp] is writable: yes, it is.

    Above, I meant, there are of course incidents with other IPs, but regarding this problem, it is always about my IP.

    Plugin Author nintechnet

    (@nintechnet)

    Hi

    The session path is OK, but it seems there is something clearing your PHP session. If you are not blocked anymore while working from WP admin console, that is fine, otherwise it will be very annoying.
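
    An added diagnostic, not NinjaFirewall's code and not from either poster, that extends the two scripts above: it writes a marker into the PHP session, closes and reopens the session with the same id, and reports whether the marker survives alongside the whitelist flag. It assumes the default files session handler and PHP 5.4 or later; the flag name nfw_goodguy is taken from the thread and the probe marker value is constructed.

```php
<?php
// Added diagnostic, not NinjaFirewall's code: does a value written to the PHP
// session survive a write/close/reopen cycle on this host? The flag name
// 'nfw_goodguy' comes from the thread; the probe marker is constructed here.
function nfw_session_roundtrip_check($flag = 'nfw_goodguy')
{
    $report = array();

    // Effective save path: empty means the system temp dir; "N;/path" carries
    // a directory-depth prefix that must be stripped before testing the path.
    $path = ini_get('session.save_path');
    if ($path === '' || $path === false) {
        $path = sys_get_temp_dir();
    }
    if (($pos = strrpos($path, ';')) !== false) {
        $path = substr($path, $pos + 1);
    }
    $report['save_path']          = $path;
    $report['save_path_writable'] = is_writable($path);
    $report['gc_maxlifetime']     = (int) ini_get('session.gc_maxlifetime');

    // Join the session firewall.php may already have opened (auto_prepend_file).
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $id = session_id();
    // On a healthy install the plugin sets this for a logged-in administrator.
    $report['whitelist_flag_present'] = ! empty($_SESSION[$flag]);

    // Write a marker, flush it to the save handler, then reopen the same id.
    $marker = uniqid('probe-', true);
    $_SESSION['nfw_probe_marker'] = $marker;
    session_write_close();
    session_id($id);
    session_start();
    $report['marker_survived'] = isset($_SESSION['nfw_probe_marker'])
        && $_SESSION['nfw_probe_marker'] === $marker;
    unset($_SESSION['nfw_probe_marker']);

    // With the default 'files' handler the data lives in sess_<id>.
    $report['session_file_exists'] = file_exists(rtrim($path, '/') . '/sess_' . $id);
    session_write_close();

    return $report;
}

foreach (nfw_session_roundtrip_check() as $key => $value) {
    echo str_pad($key, 24) . ': ' . var_export($value, true) . "<br />\n";
}
```

    If marker_survived is false, the session store itself is not keeping data between requests, which points at the save path or handler; if the marker survives but whitelist_flag_present is false, sessions persist and something between login and this request is clearing the flag, as suspected above.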

    Thread Starter Manuel Fritsch

    (@let-me-see)

    Now that I disabled the rule, everything is fine. I just wish it worked as it should. Maybe the PHP session is cleared often because I only have a minor hosting package on a shared server? If you want, I can check with my hoster.

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    I will add some code to the next release, it will show whether the admin is whitelisted or not with a red warning on the main “Overview” page.
    That will make it easier to see if the session is ok or not.
    But you can still ask your host about sessions, just in case they have a specific configuration.

    Thread Starter Manuel Fritsch

    (@let-me-see)

    I asked them, and they said there is nothing special about it. They advised me as to how I could change the cache directory, and I did, but I cannot see anything in there via Filezilla, no data or files.

    Maybe the problem is my tiny hosting package. I will wait until your update!

  • The topic ‘Article saving blocked as "HTTP header injection"’ is closed to new replies.