phpinfo() displayed after login
-
Using Wordfence ver 7.1.15
On one installation, phpinfo() is displayed immediately after any user successfully logs in. I don’t want that to happen at all, ever.
I have identified that the code responsible is in plugins/wordfence/lib/menu_tools_diagnostic.php:

<?php // phpinfo() is only emitted when $inEmail is non-empty ?>
<?php if (!empty($inEmail)): ?>
    <?php phpinfo(); ?>
<?php endif ?>

I am not sure why that code is there and how $inEmail is set, but I do want to find out how to stop this behavior.
-
Can you try commenting out these lines of code and seeing if phpinfo() is still displayed? For example:

<?php // if (!empty($inEmail)): ?>
    <?php // phpinfo(); ?>
<?php // endif ?>
It’s possible that somewhere else phpinfo() is shown to users.
Dave
I’ve already done that. There is no doubt that this is the code displaying phpinfo.
That’s very strange.
The menu_tools_diagnostic page should only display when an administrator is visiting the diagnostics sub-page under WordFence.
Can you take a screenshot of what it looks like when a user successfully logs in?
Is it only the phpinfo() showing or does it show more diagnostics? If another file is including menu_tools_diagnostic.php then that could explain why users are seeing phpinfo().
-
I found the source of the problem. I had added a filter to strip version information from scripts, as follows:

function _remove_script_version( $src ) {
    // Drop everything from the first '?' onward, i.e. the ?ver=... query string
    $parts = explode( '?', $src );
    return $parts[0];
}
add_filter( 'script_loader_src', '_remove_script_version', 15, 1 );
Apparently, Wordfence does something to check some script version during login and ends up in this completely unexpected place, displaying phpinfo().
The reason for stripping out the version parameters is to reduce the volume of useless data being sent by the server over the network. Alas, Wordfence does make use of it, it seems. It would be very nice if Wordfence could explain why it needs to know script versions.
Wordfence does not need to know the script version; however, it does display this information by default.
https://www.wordfence.com/help/dashboard/options/#hide-wp-version
You can choose to hide the version by ticking the checkbox at All Options -> Hide WordPress version.
If you navigate to plugins/wordfence/lib/wordfenceClass.php on line 1116, you can see that we do something similar to what you have written:

if (wfConfig::get('other_hideWPVersion')) {
    // "Hide WordPress version" option: strip the version from enqueued styles and scripts
    add_filter('style_loader_src', 'wordfence::replaceVersion');
    add_filter('script_loader_src', 'wordfence::replaceVersion');
    add_action('upgrader_process_complete', 'wordfence::hideReadme');
}
Be that as it may, the real issue is either that the variable $inEmail is unexpectedly not empty, or that there is faulty logic in displaying phpinfo() when it is not empty.
It does seem like $inEmail is unexpectedly set.
When $inEmail is true, that means the user requested diagnostics to be sent to their email (plugins/wordfence/lib/wordfenceClass.php:3004).
When $inEmail is false, that means the user is viewing diagnostics within WordFence (/wp-admin/admin.php?page=WordfenceTools&subpage=diagnostics).
In both cases, menu_tools_diagnostic.php is only called when the user is on the subpage within WordFence – not after login.
Can I ask if you added any additional code to your WordPress site?
Thanks!
The only place where menu_tools_diagnostic.php is required is in wp-content/plugins/wordfence/lib/wordfenceClass.php
I have a variety of filters and actions added to functions.php, including the filter mentioned previously that is somehow related to phpinfo() being executed. The other filters and actions are all very specific to various other plugins in use, such as customizing WooCommerce, Yoast, EME, Contact 7, Mailchimp interface, etc., as well as customizing the footer on most pages.
Immediately after a successful login by ANY account (not just admin role), the screen displays phpinfo() output. Nothing else is displayed together with that output.
I’ve done some more digging in the matter, and I think it may be caused by another script changing or setting $_GET variables. Note that if a page’s request has ?subpage=diagnostics, or within a script there is

$_GET['subpage'] = 'diagnostics';

that might be the reason phpinfo() is displaying upon login. It’s possible that one of the filters/actions is conflicting with WordFence, causing WordFence to display diagnostics without being on the diagnostics page.
Can you try disabling all of your other plugins to see if the problem persists?
I have tried a lot of things in the past week:
1) Since the problem has been in my test site, I recreated a new test site from my production site, where I have not been having this problem. Naturally, the problem disappeared on my new test site.
2) And then, without changing any filters, plugins or themes, the problem suddenly reappeared on my test site.
3) I checked my web access logs for the period before the problem reappeared, but found no behavior that might account for it.
4) I changed my ftp password, just in case someone is somehow attacking my site via that vector. That being said, Wordfence does NOT report any files that do not match the official versions.
5) I even tried disabling all plugins, then re-enabling them one by one, but then I could not reproduce the problem.
So I am left with the assumption that the problem is somehow related to data that is changing, either in the database or in browser cookies. But I cannot imagine what that might be. I am stumped and have no idea how to proceed.
Hey @josiah-s-carberry,
Sorry for the long reply. The only thing I can think of is if the host you’re running the website on is adding debugging information.
Can I have you check your php.ini? Specifically if there is anything within auto_prepend_file ( https://php.net/manual/en/ini.core.php#ini.auto-prepend-file ). This field tells PHP that whenever it executes any PHP file, it must first run this file. (Which is what I’m guessing is causing phpinfo to display.)
It’s a real head scratcher.
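A debugging aid for the two hypotheses raised above (a stray subpage=diagnostics request value, or code pulled in via auto_prepend_file), added here as an example and not code from Wordfence or from anyone in this thread: a hypothetical must-use plugin that, at the end of every request in which a login succeeded, logs whether the request carried the diagnostics sub-page parameters, whether menu_tools_diagnostic.php was actually included, and the auto_prepend_file setting, so the log can be compared across the days on which the problem does and does not appear.

```php
<?php
/**
 * Hypothetical must-use plugin (drop into wp-content/mu-plugins/).
 * Written for this thread as a diagnostic; it is not Wordfence code.
 * On each successful login it records what the request looked like
 * and which files were included, to pin down why phpinfo() appears.
 */

// Path suffix of the file identified as emitting phpinfo().
const WF_DIAG_FILE = 'wordfence/lib/menu_tools_diagnostic.php';

function wf_diag_snapshot() {
    // Was menu_tools_diagnostic.php included at any point in this request?
    $suffix_len = strlen(WF_DIAG_FILE);
    $included   = array_filter(
        get_included_files(),
        function ($f) use ($suffix_len) {
            return substr($f, -$suffix_len) === WF_DIAG_FILE;
        }
    );
    return array(
        'uri'             => isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '',
        'get_page'        => isset($_GET['page']) ? $_GET['page'] : null,
        'get_subpage'     => isset($_GET['subpage']) ? $_GET['subpage'] : null,
        'request_subpage' => isset($_REQUEST['subpage']) ? $_REQUEST['subpage'] : null,
        'diag_included'   => !empty($included),
        'auto_prepend'    => ini_get('auto_prepend_file'),
    );
}

function wf_diag_trace_login($user_login) {
    // Defer to shutdown so the snapshot covers everything the request
    // included after the login hook fired (the redirect, admin pages, etc.).
    register_shutdown_function(function () use ($user_login) {
        $snap         = wf_diag_snapshot();
        $snap['user'] = $user_login;
        $snap['time'] = gmdate('c');
        error_log('[wf-diag-trace] ' . wp_json_encode($snap));
    });
}
add_action('wp_login', 'wf_diag_trace_login', 10, 1);
```

A line with "diag_included":true but no diagnostics value in get_subpage/request_subpage points at something else including the file; a diagnostics value that the browser never sent points at code rewriting $_GET, as suggested above.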
I checked the auto_prepend_file, which, of course, contains only the commands coming from Wordfence. I also checked the bootstrap.php file that is called there and did not see anything out of sorts. In any case, Wordfence itself does not report a problem in that file.
Correct me if I’m wrong, but the auto_prepend_file would be executed before anyone logs in, so if there were a problem there one might expect to see it for all sessions, no?
I have two last bits of data that might be relevant:
1) The phpinfo I see does NOT have the same header as the phpinfo displayed when manually called from within Wordfence. I see just a plain vanilla phpinfo.
2) By some miracle the display of phpinfo comes and goes. 2 days ago it appeared every time I would log in. Yesterday, it simply stopped appearing. Today, it does not appear. So, what changes? All I can think of are cookies that expire and cron jobs that run. But I cannot make the connection between them and what I am seeing.