I've just noticed the new vulnerability discovered in WordPress and I'm trying to fix it with the following code (but without any success):
<?php
$url = 'https://mywebip/wp-login.php?action=lostpassword';
$data = 'user_login=admin&redirect_to=&wp-submit=Get+New+Password';
// use key 'http' even if you send the request to https://...
$options = array(
'http' => array(
'header' => "Host: mailserver\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ". strlen($data) ."\r\n",
'method' => 'POST',
'content' => $data,
'ssl'=>array('verify_peer'=>true, 'capath'=>'/etc/ssl/certs')
)
);
$context = stream_context_create($options);
//$result = file_get_contents($url, false, $context);
$fp = stream_socket_client($url, $errno, $errstr, 30);
//stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_SSLv23_CLIENT);
$fp = fopen($url, 'r', false, $context);
if ($fp === FALSE) { /* Handle error */ }
var_dump($result);
?>
The error log I got is just like this:
PHP Warning: stream_socket_client(): unable to connect to https://mywebip/wp-login.php?action=lostpassword (Unable to find the socket transport "https" - did you forget to enable it when you configured PHP?) in /home/jorge/Escritorio/joomla.php on line 18
PHP Warning: fopen(): Peer certificate CN=`website` did not match expected CN=`mywebip' in /home/jorge/Escritorio/joomla.php on line 21
PHP Warning: fopen(): Failed to enable crypto in /home/jorge/Escritorio/joomla.php on line 21
PHP Warning: fopen(https://mywebip/wp-login.php?action=lostpassword): failed to open stream: operation failed in /home/jorge/Escritorio/joomla.php on line 21
Where mywebip represents the actual IP that hosts my website, and website and mailserver are the DNS addresses of the services.
Thank you.
Via socket you do not specify a protocol.
http://php.net/stream_socket_client
First parameter:
remote_socket
Address to the socket to connect to.
Address is only mywebip.
You should use CURL instead.
See http://php.net/manual/en/curl.examples.php
The other problem (with fopen(), which can handle streams with protocols!) is a malformed/wrong certificate issued by your webserver.
Use this service to debug problems with your webserver's certificate:
https://www.ssllabs.com/ssltest/
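An added example, not part of the original answer: stream_socket_client() takes a transport address such as ssl://host:port rather than a URL, and when the connection goes to an IP address the peer_name SSL context option names the host the certificate must match, so verification can stay on. The helper names, 203.0.113.10 and www.example.com are assumptions used for illustration; peer_name requires PHP 5.6 or later.

```php
<?php
// Added example: TLS connection with stream_socket_client(), verification on.
// tlsTransportAddress() and tlsConnect() are hypothetical helper names.
function tlsTransportAddress(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException("Not an absolute URL: $url");
    }
    if (strtolower($parts['scheme']) !== 'https') {
        throw new InvalidArgumentException('Only https maps to the ssl:// transport');
    }
    // stream_socket_client() takes transport://host:port, with no path or query
    return 'ssl://' . $parts['host'] . ':' . ($parts['port'] ?? 443);
}

function tlsConnect(string $url, string $certName, float $timeout = 5.0)
{
    $context = stream_context_create(['ssl' => [
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'peer_name'        => $certName,        // name the certificate must cover
        'capath'           => '/etc/ssl/certs', // CA directory, as in the question
    ]]);
    $fp = @stream_socket_client(tlsTransportAddress($url), $errno, $errstr,
        $timeout, STREAM_CLIENT_CONNECT, $context);
    if ($fp === false) {
        throw new RuntimeException("TLS connect failed ($errno): $errstr");
    }
    return $fp;
}

// Constructed values: 203.0.113.10 and www.example.com are placeholders for
// the server's IP address and the DNS name its certificate was issued for.
echo tlsTransportAddress('https://203.0.113.10/index.php'), "\n";
try {
    $fp = tlsConnect('https://203.0.113.10/index.php', 'www.example.com');
    echo "connected, certificate verified\n";
    fclose($fp);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```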
Related
I have the following PHP code to send Apple Push Notifications to my app:
<?php
$body = '{"aps":{"alert":{"title":"test title","subtitle":"","body":"test body"},"badge":0,"sound":"default","additional_data":"test additional_data"}}';
$context = stream_context_create();
stream_context_set_option($context, "ssl", "local_cert", "certificate.pem");
stream_context_set_option($context, "ssl", "passphrase", "HERE_COMES_THE_PASSWORD_OF_THE_certificate.pem_FILE");
$socket = stream_socket_client("ssl://gateway.sandbox.push.apple.com:2195", $error, $errstr, 30, STREAM_CLIENT_CONNECT|STREAM_CLIENT_PERSISTENT, $context);
$msg = chr(0) . chr(0) . chr(32) . pack("H*", "HERE_COMES_MY_APPLE_PUSH_TOKEN") . pack("n", strlen($body)) . $body;
$result = fwrite($socket, $msg, strlen($msg));
fclose($socket);
?>
This code is stored on my server together with the certificate file called certificate.pem.
I've been using this code unchanged for months without any problems. Today I noticed that I'm not getting push notifications any more.
The PHP error log shows the following:
[23-Mar-2022 11:39:45 UTC] PHP Warning: stream_socket_client(): unable to connect to ssl://gateway.sandbox.push.apple.com:2195 (Connection timed out) in /home2/kd37875/public_html/test/index.php on line 7
[23-Mar-2022 11:39:45 UTC] PHP Warning: fwrite() expects parameter 1 to be resource, bool given in /home2/kd37875/public_html/test/index.php on line 9
[23-Mar-2022 11:39:45 UTC] PHP Warning: fclose() expects parameter 1 to be resource, bool given in /home2/kd37875/public_html/test/index.php on line 10
First, I thought there was something wrong with the certificate file. Then I found this website: https://www.pushtry.com. If I insert the Device Token, upload the certificate.pem file, insert the Bundle ID and a message, I successfully receive a push message in my app. (There's a field for a password on the website, but it also works if I don't fill it in. No idea why.) So this tells me that the certificate.pem must be okay.
Do you have any idea what I'm doing wrong? Why doesn't it work any more? Did Apple change something?
I finally solved my problem. Apple made a change to this about a year ago. No idea why it affected me only today.
This is the working code:
<?php
function sendHTTP2Push($http2_server, $apple_cert, $app_bundle_id, $message, $token) {
    // Older PHP builds may not define the HTTP/2 constant
    if (!defined('CURL_HTTP_VERSION_2_0')) {
        define('CURL_HTTP_VERSION_2_0', 3);
    }
    $http2ch = curl_init();
    curl_setopt($http2ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_2_0);
    curl_setopt_array($http2ch, array(
        CURLOPT_URL => "{$http2_server}/3/device/{$token}",
        CURLOPT_PORT => 443,
        CURLOPT_HTTPHEADER => array("apns-topic: {$app_bundle_id}"),
        CURLOPT_POST => TRUE,
        CURLOPT_POSTFIELDS => $message,
        CURLOPT_RETURNTRANSFER => TRUE,
        CURLOPT_TIMEOUT => 30,
        // Verify Apple's server certificate; with false, the client
        // certificate and payload could be sent to an impostor
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSLCERT => realpath($apple_cert),
        CURLOPT_HEADER => 1
    ));
    $result = curl_exec($http2ch);
    if ($result === FALSE) {
        $error = curl_error($http2ch);
        curl_close($http2ch);
        throw new Exception('Curl failed with error: ' . $error);
    }
    $status = curl_getinfo($http2ch, CURLINFO_HTTP_CODE);
    // Release the handle before returning
    curl_close($http2ch);
    return $status;
}
$status = sendHTTP2Push('https://api.development.push.apple.com', 'certificate.pem', 'HERE_COMES_THE_APPS_BUNDLE_ID', '{"aps":{"alert":{"title":"test title","subtitle":"","body":"test body"},"badge":0,"sound":"default","additional_data":"test additional_data"}}', 'HERE_COMES_MY_APPLE_PUSH_TOKEN');
echo "Response code: ".$status;
?>
Source: https://gist.github.com/valfer/18e1052bd4b160fed86e6cbb426bb9fc
Anyone ever used CSide API? (http://www.cside.pt/UIAPI/)
I don't know what's the problem, it might be my code or the credentials.
<?php
$api_url = 'http://cside.pt/UIAPI/token';
$client_id = 'xxx';
$client_secret = 'xxx';
$opts = array('http' =>
    array(
        'method' => 'POST',
        'header' => "Authorization: Basic"."\r\n".
            base64_encode("$client_id:$client_secret")
    )
);
$context = stream_context_create($opts);
$result = file_get_contents($api_url, false, $context);
print_r($result);
?>
I'm getting this error
Warning: file_get_contents(http://cside.pt/UIAPI/token): failed to open stream: HTTP request failed! in C:\xampp\htdocs\wetrig\CI\api\test.php on line 18
Fatal error: Maximum execution time of 30 seconds exceeded in C:\xampp\htdocs\wetrig\CI\api\test.php on line 18
I really appreciate your help.
I have trouble with establishing a SSL connection.
These warnings are displayed:
Warning: stream_socket_client() [function.stream-socket-client]: Unable to set local cert chain file `D:\path\cert.pem'; Check that your cafile/capath settings include details of your certificate and its issuer in D:\path\testSll.php on line 23
Warning: stream_socket_client() [function.stream-socket-client]: failed to create an SSL handle in D:\path\testSll.php on line 23
Warning: stream_socket_client() [function.stream-socket-client]: Failed to enable crypto in D:\path\testSll.php on line 23
Warning: stream_socket_client() [function.stream-socket-client]: unable to connect to ssl://host.tld:700 (Unknown error) in D:\path\testSll.php on line 23
So I read all the questions about the "Unable to set local cert chain file" error, but none of the answers I found worked for me.
Here is the code I use :
$host = 'host.tld';
$port = 700;
$cert = dirname(__FILE__).'\\cert.pem';
$passe_phrase = 'pass';
$opts = array(
    'ssl'=>array(
        'local_cert' => $cert,
        'passphrase' => $passe_phrase,
        'verify_peer' => false
    )
);
$context = stream_context_create($opts);
$fp = stream_socket_client('ssl://'.$host.':'.$port, $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);
if ($fp) {
    echo "OK";
} else {
    echo "ERROR: $errno - $errstr<br />\n";
}
The certificate is the good one.
The script can access the file cert.pem.
I can't find what I am missing here.
PHP version : 5.2.6
You should look at "include details of your certificate and its issuer". In my case I accidentally deleted the header of the file. When I put it back, the script connected successfully.
Before:
-----BEGIN CERTIFICATE-----
MIIFCBG+gAwIBAg...
After
Bag Attributes
friendlyName: ...
localKeyID: ...
subject=...
issuer=/C=US/... CN=Apple Worldwide Developer Relations Certification Authority
-----BEGIN CERTIFICATE-----
MIIFCBG+gAwIBAg...
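A check that can be run before handing a file to the local_cert option, as an added example that is not part of the original answer: it confirms the PEM file can be read, holds both a certificate and a private key, that the passphrase opens the key, and that the key belongs to the certificate. The helper name checkLocalCert() is hypothetical, and the sample certificate is generated on the fly rather than taken from the page.

```php
<?php
// Added example: diagnose a PEM file meant for the 'local_cert' SSL option.
// checkLocalCert() is a hypothetical helper name.
function checkLocalCert(string $pemPath, string $passphrase): array
{
    $pem = @file_get_contents($pemPath);
    if ($pem === false) {
        return ["cannot read $pemPath"];
    }
    $certRe = '/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s';
    $keyRe  = '/-----BEGIN ((?:RSA |EC |ENCRYPTED )?PRIVATE KEY)-----.+?-----END \1-----/s';
    $problems = [];
    if (!preg_match($certRe, $pem, $c)) {
        $problems[] = 'no CERTIFICATE block';
    }
    if (!preg_match($keyRe, $pem, $k)) {
        $problems[] = 'no PRIVATE KEY block';
    }
    if ($problems) {
        return $problems;
    }
    $cert = openssl_x509_read($c[0]);
    $key  = openssl_pkey_get_private($k[0], $passphrase);
    if ($cert === false) {
        $problems[] = 'certificate does not parse';
    }
    if ($key === false) {
        $problems[] = 'private key does not open (wrong passphrase?)';
    }
    if ($cert && $key && !openssl_x509_check_private_key($cert, $key)) {
        $problems[] = 'private key does not match certificate';
    }
    return $problems;
}

// Constructed sample: a throwaway self-signed certificate and encrypted key.
$key = openssl_pkey_new(['private_key_bits' => 2048]);
$csr = openssl_csr_new(['commonName' => 'client.example'], $key);
$crt = openssl_csr_sign($csr, null, $key, 1);
openssl_x509_export($crt, $certPem);
openssl_pkey_export($key, $keyPem, 'pass');
$path = tempnam(sys_get_temp_dir(), 'pem');

file_put_contents($path, $certPem . $keyPem);
print_r(checkLocalCert($path, 'pass'));   // certificate plus matching key
print_r(checkLocalCert($path, 'wrong'));  // passphrase does not open the key
file_put_contents($path, $keyPem);
print_r(checkLocalCert($path, 'pass'));   // certificate block missing
unlink($path);
```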
I tried to send an SMS using PHP with the help of the Twilio API, but I encountered the following errors when running the code.
my code
require ('./twilio/Services/Twilio.php'); // Loads the library
$accountSid = 'AC****************************';
$authToken = 'ec****************************';
$client = new Services_Twilio($accountSid, $authToken);
$sms = $client->account->sms_messages->create("number", "number", "Jenny please?! I love you <3");
errors
Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in C:\wamp\www\Pizza4U\twilio\Services\Twilio\HttpStream.php on line 62
Warning: file_get_contents(): Failed to enable crypto in C:\wamp\www\Pizza4U\twilio\Services\Twilio\HttpStream.php on line 62
Is there a way to fix this? Thank you.
To avoid SSL certificate issues on wampserver localhost whilst testing, make sure that you insert the following line of code:
CURLOPT_SSL_VERIFYPEER => false,
in
twilio/sdk/Twilio/Http/CurlClient.php (from line 113 onwards)
public function options($method, $url, $params = array(), $data = array(),
                        $headers = array(), $user = null, $password = null,
                        $timeout = null) {
    $timeout = is_null($timeout)
        ? self::DEFAULT_TIMEOUT
        : $timeout;
    $options = $this->curlOptions + array(
        CURLOPT_URL => $url,
        CURLOPT_HEADER => true,
        CURLOPT_RETURNTRANSFER => true,
        //added here during localhost wampserver testing to avoid SSL issues
        //CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_INFILESIZE => Null,
        CURLOPT_HTTPHEADER => array(),
        CURLOPT_TIMEOUT => $timeout,
    );
Remove the line once you are in production mode. The server that you are hosted on will I'm sure have the correct bundle of trusted certificates. At least with this setting set to false, your twilio application on localhost will not be checking your localhost for SSL certificates. This avoids having to download the correct certificates and bypasses the issues completely. See pflammer's comment at https://github.com/twilio/twilio-php/issues/203.
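For comparison, an added example that is not part of the original answer or of the Twilio SDK: the "certificate verify failed" error can also be resolved by giving PHP a CA bundle, which keeps verification on in testing as well as in production. The helper names, the C:\wamp\cacert.pem path and the api.example.com URL are assumptions for illustration.

```php
<?php
// Added example: keep certificate verification on and give cURL a CA bundle.
// findCaBundle() and verifiedCurlOptions() are hypothetical helper names.
function findCaBundle(array $candidates): ?string
{
    foreach ($candidates as $path) {
        if (!is_string($path) || $path === '' || !is_readable($path)) {
            continue;
        }
        // A usable bundle holds at least one PEM certificate
        $count = substr_count(file_get_contents($path), '-----BEGIN CERTIFICATE-----');
        if ($count > 0) {
            return $path;
        }
    }
    return null;
}

function verifiedCurlOptions(string $url, ?string $caBundle): array
{
    if ($caBundle === null) {
        throw new RuntimeException('No CA bundle found; set curl.cainfo in php.ini');
    }
    return [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // check the chain against the bundle
        CURLOPT_SSL_VERIFYHOST => 2,     // check the certificate matches the host
        CURLOPT_CAINFO         => $caBundle,
    ];
}

$locations = openssl_get_cert_locations();
$bundle = findCaBundle([
    ini_get('curl.cainfo'),
    ini_get('openssl.cafile'),
    $locations['default_cert_file'],
    'C:\wamp\cacert.pem',  // assumed location of a downloaded bundle
]);
try {
    // api.example.com is a placeholder URL
    print_r(verifiedCurlOptions('https://api.example.com/', $bundle));
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```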
I use this script to send a POST, get the file and its contents, and process the request:
$postdata = http_build_query(
    array(
        'inUsername' => ''.$_REQUEST['inUsername'].'',
        'inPassword' => ''.$_REQUEST['inPassword'].'',
        'csfr_token' => ''.$_REQUEST['csfr_token'].''
    )
);
$opts = array('http' =>
    array(
        'method' => 'POST',
        'header' => 'Content-type: application/x-www-form-urlencoded',
        'content' => $postdata
    )
);
$context = stream_context_create($opts);
$result2 = file_get_contents('http://cp.ufowebs.com/index.php', false, $context);
$result = "Invalid";
// stripos() replaces eregi(), which was removed in PHP 7
if (stripos($result2, $result) !== false)
{
    print '{"login":"ok"}';
}
else
{
    print "ok";
    header("Location:http://cp.ufowebs.com/index.php");
}
}
?>
Locally or from another URL it works fine, but on the same URL or if I go to a subdomain, etc., it doesn't work and always gives me this error:
Warning: file_get_contents(): php_network_getaddresses: getaddrinfo failed: Name or service not known in /var/hostdata/admin/public_html/domain_com/test_cp.php on line 94
Warning: file_get_contents(http://cp.domain.com/index.php): failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or service not known in /var/hostdata/admin/public_html/domain_com/test_cp.php on line 94
ok
I don't know why it works from another domain and not on the same domain, etc.
file_get_contents from URL is blocked in most hosts. Consult with your hosting provider if it is blocked or not.
The domain does simply not exist.
nsa:~# host cp.ufowebs.com
Host cp.ufowebs.com not found: 3(NXDOMAIN)
This is not firewall related, nor is it because of a disabled functionality on your server.
ufowebs.com does exist. If you are the owner, Mr. Klaba, you have to set up a DNS record for the subdomain or set up a * wildcard subdomain to match any subdomain traffic.