WordPress/Internet Explorer Bug That Even Affects WPMU.org

Ok, so here’s the deal…..

I stumbled across something that appears to be a WordPress bug, but I don’t have a clue why it’s happening -or how to fix it.

This bug DOES NOT appear in NetRenderer or Browsershots.org – but I have verified it happening on two local computers. I have a client who also sees this who is over a thousand miles away.

It’s happening on a lot of WordPress sites, including WPMU.org.

If I view a bad link in IE on a WordPress site, I either get a completely broken page – or I get a jumbled mess of unformatted content.

Example: In IE9 – if I visit https://premium.wpmudev.org/blog/something.php I will get a broken page. Nothing shows up at all.

If I visit https://premium.wpmudev.org/blog/22 I get the result you see in the screenshot I’ve attached.

Now if I view the same pages in IE8 I get the same broken page with the first link, but I get a 404 with the second.

These same pages render fine in Chrome & Firefox! Grrr!

None of this appears when using online browser renderers which is baffling. I’ve cleared my cache and it makes no difference.

Does anyone have any ideas how to fix this issue?

This happens even if using a new setup with the default template – so I almost have to assume it’s some kind of bug with WordPress. I’ve spent a huge amount of time on this & I really hope someone has a suggestion.

Besides, it’s in the best interest of WPMU.org not to have folks seeing what I’m seeing. ; )

I appreciate any ideas you might have. Check your own sites in IE9 – odds are this is happening to you too. If you don’t see it when you are logged out, try logging in and entering a bad url. I’ve noticed a difference when the cookie has been set – but only with some websites – and only in IE.

~ Corey

  • NetPotion
    • The Incredible Code Injector

    I just went back to the https://premium.wpmudev.org/blog/22 page and it actually rendered once, but then later it was goofed up again. It didn't look the same as in the first screenshot either. (See attached)

    The really weird thing is that the header & part of the page code seems to be getting stripped. Below is the code I see when I'm viewing the source.

    div><script type='text/javascript'>
    appId: '140504252690907',
    status: true,
    cookie: true,
    xfbml: true,
    oauth: true
    </script><div class=&quot;clear&quot;></div>
    <div id=&quot;mobile-searchbox&quot; style=&quot;display:none&quot;>
    <form method=&quot;get&quot; id=&quot;searchform&quot; action=&quot;https://premium.wpmudev.org/blog/&quot;>
    <input type=&quot;text&quot; class=&quot;field&quot; name=&quot;s&quot; id=&quot;s&quot; placeholder=&quot;Search&quot; />
    <input type=&quot;submit&quot; class=&quot;submit searchsubmit&quot; name=&quot;submit&quot; value=&quot;Search&quot; />
    </form> </div>
    <footer id=&quot;site-footer&quot;>
    <div id=&quot;site-footer&quot;>
    <div id=&quot;crumbs&quot;><div class=&quot;non-current&quot;><a href=&quot;https://premium.wpmudev.org/blog/&quot;>Home</a> &raquo; </div><div class=&quot;current&quot;>Error 404</div></div> <nav>
    <div class=&quot;navigation-arrow&quot;>
    <ul id=&quot;menu-footer-3&quot; class=&quot;bottommenu&quot;><li id=&quot;menu-item-52284&quot; class=&quot;menu-item menu-item-type-custom menu-item-object-custom menu-item-home menu-item-52284&quot;><a href=&quot;https://premium.wpmudev.org/blog/&quot;>© 2012 WPMU.ORG</a></li>
    <li id=&quot;menu-item-52604&quot; class=&quot;menu-item menu-item-type-custom menu-item-object-custom menu-item-52604&quot;><a href=&quot;https://premium.wpmudev.org/blog/about&quot;>About</a></li>
    <li id=&quot;menu-item-52532&quot; class=&quot;menu-item menu-item-type-post_type menu-item-object-page menu-item-52532&quot;><a href=&quot;https://premium.wpmudev.org/blog/contact/&quot;>Contact</a></li>
    <li id=&quot;menu-item-52533&quot; class=&quot;menu-item menu-item-type-post_type menu-item-object-page menu-item-52533&quot;><a href=&quot;https://premium.wpmudev.org/blog/submit/&quot;>Submit News</a></li>
    <li id=&quot;menu-item-52534&quot; class=&quot;menu-item menu-item-type-post_type menu-item-object-page menu-item-52534&quot;><a href=&quot;https://premium.wpmudev.org/blog/staff/&quot;>Staff</a></li>
    <li id=&quot;menu-item-52612&quot; class=&quot;menu-item menu-item-type-post_type menu-item-object-page menu-item-52612&quot;><a href=&quot;https://premium.wpmudev.org/blog/terms-of-use/&quot;>Terms</a></li>
    <li id=&quot;menu-item-52611&quot; class=&quot;menu-item menu-item-type-post_type menu-item-object-page menu-item-52611&quot;><a href=&quot;https://premium.wpmudev.org/blog/privacy/&quot;>Privacy</a></li>
    </ul> <div class=&quot;clear&quot;></div>
    <div class=&quot;clear&quot;></div>
    <!-- Lightbox Plus v2.0.5 - 2010.07.02 - Message: 0-->
    <script type=&quot;text/javascript&quot;>
    <script type=&quot;text/javascript&quot;>var _wdcp_ajax_url=&quot;https://premium.wpmudev.org/blog/wp/wp-admin/admin-ajax.php&quot;;</script><script type=&quot;text/javascript&quot;>var _wdcp_data={&quot;post_id&quot;: 100136, &quot;fit_tabs&quot;: 1};</script><script type=&quot;text/javascript&quot; src=&quot;https://apis.google.com/js/plusone.js&quot;>{lang: &quot;en-US&quot;}</script><script type='text/javascript' src='http://s.gravatar.com/js/gprofiles.js?aa&ver=3.4.2'></script>
    <script type='text/javascript'>
    /* <![CDATA[ */
    var WPGroHo = {&quot;my_hash&quot;:&quot;&quot;};
    /* ]]> */
    <script type='text/javascript' src='https://premium.wpmudev.org/blog/wp-content/plugins/jetpack/modules/wpgroho.js?ver=3.4.2'></script>
    <div style=&quot;display:none&quot;>
    <!--<script type=&quot;text/javascript&quot; src=&quot;https://apis.google.com/js/plusone.js&quot;></script>-->
    <script src=&quot;http://platform.twitter.com/widgets.js&quot; type=&quot;text/javascript&quot;></script>
    <script type='text/javascript' src='https://premium.wpmudev.org/blog/wp/wp-includes/js/jquery/ui/jquery.ui.core.min.js?ver=1.8.20'></script>
    <script type='text/javascript' src='https://premium.wpmudev.org/blog/wp/wp-includes/js/jquery/ui/jquery.ui.widget.min.js?ver=1.8.20'></script>
    <script type='text/javascript' src='https://premium.wpmudev.org/blog/wp/wp-includes/js/jquery/ui/jquery.ui.mouse.min.js?ver=1.8.20'></script>
    <script type='text/javascript' src='https://premium.wpmudev.org/blog/wp/wp-includes/js/jquery/ui/jquery.ui.resizable.min.js?ver=1.8.20'></script>
    <script type='text/javascript' src='https://premium.wpmudev.org/blog/wp/wp-includes/js/jquery/ui/jquery.ui.draggable.min.js?ver=1.8.20'></script>
    <script type='text/javascript' src='https://premium.wpmudev.org/blog/wp/wp-includes/js/jquery/ui/jquery.ui.button.min.js?ver=1.8.20'></script>
    <script type='text/javascript' src='https://premium.wpmudev.org/blog/wp/wp-includes/js/jquery/ui/jquery.ui.position.min.js?ver=1.8.20'></script>
    <script type='text/javascript' src='https://premium.wpmudev.org/blog/wp/wp-includes/js/jquery/ui/jquery.ui.dialog.min.js?ver=1.8.20'></script>
    <script type='text/javascript' src='https://premium.wpmudev.org/blog/wp-content/plugins/lightbox-plus/js/jquery.colorbox-min.js?ver=1.3.8'></script>

    <script src=&quot;http://stats.wordpress.com/e-201244.js&quot; type=&quot;text/javascript&quot;></script>
    <script type=&quot;text/javascript&quot;>
    var load_cmc = function(){linktracker_init(8548106,0,2);};
    if ( typeof addLoadEvent != 'undefined' ) addLoadEvent(load_cmc);
    else load_cmc();

    <!-- Quantcast Tag -->
    <script type=&quot;text/javascript&quot;>
    var _qevents = _qevents || [];

    (function() {
    var elem = document.createElement('script');
    elem.src = (document.location.protocol == &quot;https:&quot; ? &quot;https://secure&quot; : &quot;http://edge&quot;) + &quot;.quantserve.com/quant.js&quot;;
    elem.async = true;
    elem.type = &quot;text/javascript&quot;;
    var scpt = document.getElementsByTagName('script')[0];
    scpt.parentNode.insertBefore(elem, scpt);


    <div style=&quot;display:none;&quot;>
    <img src=&quot;//pixel.quantserve.com/pixel/p-3bzjap166Wyqs.gif&quot; border=&quot;0&quot; height=&quot;1&quot; width=&quot;1&quot; alt=&quot;Quantcast&quot;/>
    <!-- End Quantcast tag -->


    Can no one else see this?

  • NetPotion
    • The Incredible Code Injector

    Thanks Timothy.

    I’m trying to figure out if this is actually WordPress related,or something to do with a virus.

    If anyone has IE and could just go to a few WordPress sites, enter in a bad url, and see if you get unformatted pages anywhere – it would be a great help.

    The next step is reformatting & I really don’t want to go there unless I’m as sure as possible that a virus is the problem.

  • NetPotion
    • The Incredible Code Injector

    @vladislav Thank you for looking at this.

    I *wish* it were as simple. I’ve disabled all add-on’s and I still get the same thing

    I’m getting inconsistent results though. Sometimes it renders correctly, other times it shows the un-formatted page.

    One of my clients had a Java exploit in index.php files located in 3 directories. I suspect that is what is causing this now – but multiple malware scans aren’t showing anything. The computers that are seeing this issue were exposed to the infected domain. I tried unexposed computers at a different location and I see a normal rendering of the 404’s.

    I’m thinking this might be some kind of leftover corruption after a browser hijjack – but honestly, I’m at a loss right now. I can’t pinpoint anything that proves my theory.

    If I might ask – what is your opinion? Do you think a browser hijjack could do this? Again, I’m getting inconsistent results.

    I just don’t know what to think here. I’m seeing it on two computers – both using IE. I have a client who is seeing it on two computers as well – but only in IE. All were exposed to a base64 iframe exploit.

    I’ve never seen anything quite like this.

    Thanks Vladislav

    ~ Corey

  • Vladislav
    • Dead Eye Dev


    That’s really odd, indeed. I presume you’re right in your assessment, this kind of behavior could likely be a leftover result from hijacking, or even a result of the malware removal process itself, especially seeing how you get “regular” results on non-exposed machines. To be honest, since I haven’t experienced the behavior you described myself, I’m a bit limited in ideas as to what can be done. The generic rules of thumb obviously don’t apply here – you seem to already scanned your computer(s) multiple times. Perhaps scanning it with a different tool may yield a bit different results? Anyway, if you have a limited number of computers to deal with (say, 1-3) you might want to consider just formatting and re-installing the OS, if nothing else then for a peace of mind.

  • NetPotion
    • The Incredible Code Injector

    @vladislav – That’s the way I was leaning too.

    I very much appreciate the second opinion on this one. I sure wish there were a way I could narrow down what is causing this – but without a malware definition, I’m left to guess.

    Again, thank you. I will reformat this computer and advise my client appropriately after I view the results. :^ /

    What a pain ….

    ~ Corey

  • NetPotion
    • The Incredible Code Injector

    Just thought I would update this in case it helps someone else down the road.

    The virus that was on the client site I worked on was a Java Exploit. That exploit placed “JS:smiley:ECODE-CT (trojan)” into Chrome’s appdata. Somehow that trojan affected IE, but not Chrome.

    This is verified to be the reason behind the 404 pages not rendering correctly. Once that file was removed, everything was normal. That said, I reformatted anyway.

    The way I discovered this was by running an Avast boot time scan. It hides itself extremely well otherwise. We tried to find it with MSSE, AVG, Malwarbytes Free & Corporate. I also ran Kapersky’s root kit tool and that came up clean as well. Avast was the only way I was able to figure this bugger out.

    Maybe this will save someone the multitude of hours I lost dealing wth this issue.

    NOTE: Changing Permalinks is what really triggers issues.

    Another symptom of this is that cookies start acting all weird in WordPress. You might see that the 404’s are unformatted when logged in, but the same 404 looks fine when logged out.

    This was a real pain in the ass to track down – so keep this post in mind if you read it.

    ~ Corey

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.