SSL Labs ScoreSecurityHeaders.io ScoreHSTS Preloaded

Log in to participate

There is no cost to join RicheyWeb, and membership is a requirement to submit bug reports and participate in the support forums.

#4 – Undefined property on line 307

Posted in ‘AdminExile’
This is a public ticket. Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.
Friday, 09 March 2018 10:11 UTC
I've just purchased and installed the Pro version of AdminExile, and I got this error:

Notice: Undefined property: plgSystemAdminExilePro::$_fail in /www/test/plugins/system/adminexilepro/adminexilepro.php on line 307

Line 307 is the very first line of code inside "function _bruteforce", and is
if($this->_fail) return;

While there is a _fail() function on line 128, I see it performs actions rather than returning a value, so, since there also is a private property called $_failed, which happens to be initialized to a boolean value (false), I assume line 307 should be changed from
if($this->_fail) return;

to
if($this->_failed) return;

Would that be correct?

P.S. By looking at the code, I've found, on lines 119 and 54, some kind of operator in the form !\: while I do know what ! is, I have no idea what this form is: what's it actually supposed to be/do?
QvClinicWM
Tuesday, 13 March 2018 08:27 UTC
I'm still unable to use the program I bought: what should I do?
QvClinicWM
Sunday, 18 March 2018 01:13 UTC
I'm sorry - I didn't get the notification about this ticket - looking at it now.
michael
Sunday, 18 March 2018 01:15 UTC
Oh - that's just a notice - not an error. Notices don't do anything, the program continues to operate. It's like PHP saying "Hey, FYI - this thing happened"

I'll rewrite the code so it doesn't throw the notice. Expect to see a new version within the next few hours.
michael
Sunday, 18 March 2018 01:26 UTC
You were right by the way - typo, it should have been "failed" instead of "fail"

version 3.16.1 inbound!

My site automation will update the XML in about 35 minutes (your Joomla updater will recognize the new version then)

OR, you can download it from the extension page now.

Sorry for the delay in response.

I'll wait to close this ticket until I hear from you.
michael
Sunday, 18 March 2018 02:54 UTC
Re-reading your original ticket - the !\ operator is something to make my IDE be quiet. For some reason it wants me to use the root namespace for some classes/functions....but not all. I use Oracle NetBeans, but Eclipse has similar quirks.

! is, of course the "not" operator - and a "\" before a class or function is like escaping the class to the root namespace.
michael
Monday, 19 March 2018 03:03 UTC
It wasn't "just a notice", once enabled, the component didn't allow me to access the backend at all. I had to disable it from the DB and re-enable the free version (which is older).
I was almost sure that the row should have just be changed from _fail to _failed (also because, by doing just that the component does work), I only wanted to be 100% sure before proceeding.

As for the "\", thank you for explaining: I've never used either NetBeans or Eclipse (they're both written in Java, AFAIK, so they're very heavy)... I assume that enclosing the whole statement (object+member) within parentheses would solve the problem as well, like, on line 54, replacing
!\JFactory::getUser()->guest
with
!(JFactory::getUser()->guest)
Attachment
307.png
QvClinicWM
Monday, 19 March 2018 03:14 UTC
3.6.1 is out. I can see that no subscribers have yet downloaded it.

Let me know if it resolves your issue.
michael
Tuesday, 20 March 2018 09:52 UTC
I had already resolved it, I just wanted to be sure that was the right solution.
I've just downloaded the latest version and compared that file, and I see the only difference is on line 307.
I've tested the new version on a copy of the website and will install it on the live one immediately.

I'd also recommend you to modify the plugin for storing (in the database) some kind of HASH function of the access codes, rather than the plain text: there may be some kind of vulnerabilities that may allow a malicious user to gain read-only access to the DB, which is one of the reasons why the passwords are saved in that way as well in #__users table.
QvClinicWM
Tuesday, 20 March 2018 18:29 UTC
I considered that, but it prevents key recovery which was a much requested feature.

It's not authentication, having the key doesn't log you in, it just reveals the form.
michael
This ticket is closed, therefore read-only. You can no longer reply to it. If you need to provide more information, please open a new ticket and mention this ticket's number.