Wpmudev-updates Plugin Issue with Pagely Cache

Pagely wanted me to inform you that there is an Issue with your WPMU Dev Plug-In which causes an issue with their cache. Here is the note from Pagely:

>>>>>>>>>>>>>>>>>>>>>>>>>

Problem: wpmudev-updates plugin was starting a php session which causes the site to bypass the Pagely cache.

----------------------------------------------------------
Code at Issue (*removed* = for privacy)
----------------------------------------------------------

HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Fri, 24 Mar 2017 00:25:32 GMT
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Link: <*removed*>; rel="https://api.w.org/", <*removed*>; rel=shortlink
Set-Cookie: PHPSESSID=*removed*; path=/
Vary: Accept-Encoding, User-Agent
X-User-Agent: standard
X-Cache-Config: 0 0
X-Cache-Status: MISS
X-Pagely-Custom: *removed*

Fix: Had to comment out the sessions so that now it hits the cache layer
----------------------------------------------------------
Fixed Code with Sessions Commented Out
(*removed* = for privacy)
----------------------------------------------------------

HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Fri, 24 Mar 2017 00:29:45 GMT
Content-Type: text/html; charset=UTF-8
Link: <*removed*>; rel="https://api.w.org/", <*removed*>; rel=shortlink
Vary: Accept-Encoding, User-Agent
X-User-Agent: standard
X-Cache-Config: 0 0
X-Cache-Status: HIT
X-Pagely-Custom: *removed*

  • Adam Czajczyk

    Hello Frank,

    I hope you're well today and thank you for passing that to us.

    I admit I'm not sure whether this is a "side effect" or if we're doing that on purpose but knowing about the code they identified would help a lot. Did you remove it from message or did they send you it with code removed "for privacy"?

    I have marked this thread as internal so from now on only you and support staff can access it so could you please share that missing code with us (which is marked as *removed* for privacy in a message above)? If they didn't send you that code, could you please ask them to share it with you?

    I'd then forward it to our developers for further investigation.

    Best regards,
    Adam

  • Dimitris

    Hey there Frank,

    hope you're doing good and don't mind chiming in here! :slight_smile:

    It seems that this HTTP call is set to skip cache.
    I'd thought that this may be true for WPMUDEV Dashboard pages only, not for whole website though! Could you please confirm this for me? Is there a cache issue for whole website?
    Please advise!

    Meanwhile, I've already asked plugin's lead dev for more info about this. As he seems to be offline now, me or another colleague of mine will keep you posted here as soon as we've got some valuable feedback.

    Warm regards,
    Dimitris

    PS. Your feedback here is highly appreciated! Some points are coming your way as a reward for reporting this! :slight_smile:

  • Frank

    Here is their response (perhaps I can put you directly in touch with Kris .. over at Pagely who knows more about this).

    "so the session start / handlers have been disabled, but the code in wpmu-dev updates plugin has the following lines and files that reference sessions."

    wpmudev-updates$ grep -Rn "session" .
    ./lib/PHPSecLib/Crypt/Random.php:119: // cascade entropy across multiple PHP instances by fixing the session and collecting all
    ./lib/PHPSecLib/Crypt/Random.php:120: // environmental variables, including the previous session data and the current session
    ./lib/PHPSecLib/Crypt/Random.php:133: // a hash of the session data before that). certainly an attacker should be assumed to have
    ./lib/PHPSecLib/Crypt/Random.php:138: // save old session data
    ./lib/PHPSecLib/Crypt/Random.php:139: $old_session_id = session_id();
    ./lib/PHPSecLib/Crypt/Random.php:140: $old_use_cookies = ini_get('session.use_cookies');
    ./lib/PHPSecLib/Crypt/Random.php:141: $old_session_cache_limiter = session_cache_limiter();
    ./lib/PHPSecLib/Crypt/Random.php:143: if ($old_session_id != '') {
    ./lib/PHPSecLib/Crypt/Random.php:144: session_write_close();
    ./lib/PHPSecLib/Crypt/Random.php:147: session_id(1);
    ./lib/PHPSecLib/Crypt/Random.php:148: ini_set('session.use_cookies', 0);
    ./lib/PHPSecLib/Crypt/Random.php:149: session_cache_limiter('');
    ./lib/PHPSecLib/Crypt/Random.php:150: // session_start();
    ./lib/PHPSecLib/Crypt/Random.php:165: session_write_close();
    ./lib/PHPSecLib/Crypt/Random.php:167: // restore old session data
    ./lib/PHPSecLib/Crypt/Random.php:168: if ($old_session_id != '') {
    ./lib/PHPSecLib/Crypt/Random.php:169: session_id($old_session_id);
    ./lib/PHPSecLib/Crypt/Random.php:170: // session_start();
    ./lib/PHPSecLib/Crypt/Random.php:171: ini_set('session.use_cookies', $old_use_cookies);
    ./lib/PHPSecLib/Crypt/Random.php:172: session_cache_limiter($old_session_cache_limiter);
    ./template/support-system.php:31: 'session.auto_start',
    ./template/support-system.php:32: 'session.cache_expire',
    ./template/support-system.php:33: 'session.cache_limiter',
    ./template/support-system.php:34: 'session.cookie_domain',
    ./template/support-system.php:35: 'session.cookie_httponly',
    ./template/support-system.php:36: 'session.cookie_lifetime',
    ./template/support-system.php:37: 'session.cookie_path',
    ./template/support-system.php:38: 'session.cookie_secure',
    ./template/support-system.php:39: 'session.gc_divisor',
    ./template/support-system.php:40: 'session.gc_maxlifetime',
    ./template/support-system.php:41: 'session.gc_probability',
    ./template/support-system.php:42: 'session.referer_check',
    ./template/support-system.php:43: 'session.save_handler',
    ./template/support-system.php:44: 'session.save_path',
    ./template/support-system.php:45: 'session.serialize_handler',
    ./template/support-system.php:46: 'session.use_cookies',
    ./template/support-system.php:47: 'session.use_only_cookies',

  • Dimitris

    Hey there Frank,

    hope you're doing good today! :slight_smile:

    I've got some feedback from our CTO Aaron stating that this part only gets triggered on WP engine servers. And even then the session part usually is skipped. So they just are putting blame in the wrong plugin most probably as this may be coming from another one.

    Let us know if there's any other feedback from Pagely.
    Warm regards,
    Dimitris

    PS. They can also reach us directly using our safe contact form here https://premium.wpmudev.org/contact/#i-have-a-different-question

  • Adam Czajczyk

    Hello Frank!

    Thank you for your replay.

    That's however a bit confusing.

    I understand from Pagely's response that they did modify the WPMU DEV Dashboard plugin files (wp-content/plugins/wpmudev-updates/lib/PHPSecLib/Crypt/Random.php) on your server. Not having an access to your FTP we cannot review it though so could you please download that particular file from your server and share it with us?

    Since you cannot add .php files to post, please post its content on pastebin.com or upload it to e.g. your Dropbox or Google Drive account and share a download link with us.

    That being said, their response does not say if commenting out these sessions helped. Did it affected the issue at all, did they say anything about that? Could you please let me know?

    Best regards,
    Adam

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.