BPS 2.5 caused admin dashboard to stop workring
-
I just installed BPS 2.5 on a site that was previously working fine. The site’s front end still works, and the admin sidebar is fine, but nothing appears in the admin interface’s main content area. So I’m unable to do anything, including disabling BPS.
Any ideas?
-
We have 3 reports of this problem being caused by open_basedir being configured incorrectly. open_basedir is a directive setting in your server or custom php.ini file. This is an example of the problem using example code.
PHP Error message:
[Tue Sep 19 10:53:58.081085 2017] [:error] [pid 474] [client 178.162.197.211:45144] PHP Fatal error: Uncaught exception 'RuntimeException' with message 'SplFileInfo::isDir(): open_basedir restriction in effect. File(/home/admin/web/example.com/public_html/..) is not within the allowed path(s): (/home/admin/web/example.com/public_html:/home/admin/tmp)' in /home/admin/web/example.com/public_html/wp-content/plugins/bulletproof-security/includes/general-functions.php:891\nStack trace:\n#0php.ini file directive setting:
open_basedir = /home/admin/web/example.com/public_html:/home/admin/tmpCorrection|Fix for that invalid open_basedir path setting:
Recommended: Comment out the open_basedir directive to disable it by adding a semi-colon in front of the code.
;open_basedir = /home/admin/web/example.com/public_html:/home/admin/tmpOr add all the valid paths that are required:
/home/admin/web/example.com:/home/admin/web/example.com/public_html:/home/admin/tmpOr
/home/admin/web:/home/admin/web/example.com:/home/admin/web/example.com/public_html:/home/admin/tmpWell, that certainly explains what I’m seeing.
Unfortunately, I don’t want to stop using open_basedir, and I don’t want to add the site’s parent directory to the open_basedir directive. Why does BPS need access to that directory?
Looking at the errors I’m seeing in the Apache error log (below), it seems clear that unless I disable open_basedir completely, to fix this, I’d have to add ‘/var/www’ to the open_basedir directive. Not something I want to do.
Apache error log example:
PHP Fatal error: Uncaught exception 'RuntimeException' with message 'SplFileInfo::isDir(): open_basedir restriction in effect. File(/var/www/mysite/..) is not within the allowed path(s): (/var/www/boot13)' in /var/www/mysite/wp-content/plugins/bulletproof-security/includes/general-functions.php:891 referer: https://mysite.com/If you are using open_basedir in a virtual hosting environment to separate/isolate different sites on a vhost or VPS server then open_basedir is a pratical usage of that directive. If you think or believe open_basedir offers any security protection then that is false, a myth, bad information found somewhere in a dark alley on the Internet.
Why do you believe adding the /var/www path to open_basedir would make any difference at all? Do you think it would make your server/site less secure or something? If so, that is false.
One of the things we will be looking at in BPS code is the usage of this Global:
$_SERVER['DOCUMENT_ROOT'];What we think is occurring is that some servers interpret this Global differently. ie Document Root is seen as a directory above the actual site’s Document Root folder/directory on some servers. Why that would be we really don’t have an idea about that yet.Your /var/www directory is a protected server directory. So access to the directory via HTTP/frontfacing should be impossible by default. The backend Architecture/Structure is wide open since any hacker worth anything who has gained backend access can manipulate/access/control dirs all the way to Root. In other words, open_basedir would not stop a hacker from owning a server.
- The topic ‘BPS 2.5 caused admin dashboard to stop workring’ is closed to new replies.
