E_NOTICE: Trying to access array offset on value of type null

8 posts by 2 authors in: Forums > CMS Builder
Last Post: May 25, 2022   (RSS)

By weblm - April 18, 2022

We started getting a lot of developer log errors with the following:

E_NOTICE: Trying to access array offset on value of type null
https://www.CLIENTDOMAIN.com/the-loop-detail.php?Family-Medical-Leave-Act-128=%27nvOpzp;%20AND%201=1%20OR%20(%3C%27%22%3EiKO)),

Obviously the correct URL should be:
https://www.CLIENTDOMAIN.com/the-loop-detail.php?Family-Medical-Leave-Act-128

Seems bots or something is appending an encoded string onto the end of URLS.

Developer log doesn't show any referrer, so I'm guessing they are fishing for something?

Anyone know what they are looking for and what the best way to handle this is?  

LM

By daniel - April 21, 2022

Hey LM,

Yes, it looks like they are trying out MySQL injection strings in the URL to see if they have any luck. There are two primary things you can do to guard against these:

Most importantly is to make sure your code is not vulnerable. Make sure any user-supplied values (such as from the URL) are properly escaped (e.g. using the "mysql_escape()" function) before using them to filter/search for records on your site, such as in the getRecords() "where" parameter. It looks like you're using a details page that uses the "whereRecordNumberInUrl()" function to grab the correct record number - this is safe as it will only ever search for a number, and ignore all of the injection code.

Additionally, there are services called Web Application Firewalls (WAF) such as Cloudflare that can proactively reject suspicious requests like this. They aren't a substitute for properly secured code, but act as a good first line of defence, and can stop these sorts of requests from clogging up your logs.

Lastly, if you want help preventing the error message itself, copy in the entire error including filename and line number and I'll be better able to advise.

Thanks!

Daniel
Technical Lead
interactivetools.com

By weblm - April 22, 2022

Daniel,

Thanks for the details.  Yes I am using the standard "whereRecordNumberInUrl()" function.  Here's some more info:

One of the errors is:

E_NOTICE: Trying to access array offset on value of type null
https://www.CLIENT.com/the-loop-detail.php?Get-Preventive-Care-Back-on-Track-201=%27nvOpzp;%20AND%201=1%20OR%20(%3C%27%22%3EiKO)),
/home/CLIENT/CLIENT.com/the-loop-detail.php
Line number 34

#0 _errorlog_logErrorRecord() called at [/home/CLIENT/CLIENT.com/cmsAdmin/lib/errorlog_functions.php:64]
#1 _errorlog_catchRuntimeErrors() called at [/home/CLIENT/CLIENT.com/the-loop-detail.php:34]

Line 34 of that file

<title><?php if ($detailRecord['meta_title'] != ''): ?><?php echo $detailRecord['meta_title']; ?><?php else: ?><?php echo trim($detailRecord['title']).' | The Loop'; ?><?php endif ?></title>

All of the pages have the standard block like this:

// load detail record from 'the_loop'
list($the_loopRecords, $the_loopMetaData) = getRecords(array(
'tableName' => 'the_loop',
'where' => whereRecordNumberInUrl(0),
'loadUploads' => true,
'allowSearch' => false,
'limit' => '1',
'orderBy' => 'dragSortOrder DESC',
));
$detailRecord = @$the_loopRecords[0]; // get first record
if (!$detailRecord) { header("HTTP/1.1 301 Moved Permanently"); header( 'Location: /the-loop.php' ); } // redirect to list page if no record passed or found

// load list records from 'the_loop'
list($the_loopRecords, $the_loopMetaData) = getRecords(array(
'tableName' => 'the_loop',
'loadUploads' => false,
'allowSearch' => true,
'orderBy' => 'dragSortOrder DESC',
));

$relatedArticles = getRelatedArticles($detailRecord);
if (empty($relatedArticles)) { $recentArticles = getRecentArticles($detailRecord); }

The Apache log file shows this:

[Fri Apr 22 02:05:24.163989 2022] [:error] [pid 1405:tid 111776546576128] [client 149.104.108.14:47420] [client 149.104.108.14] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'son),' [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "65"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: son), found within ARGS:Get-Preventive-Care-Back-on-Track-201: 'nvOpzp; AND 1=1 OR (<'\\x22>iKO)),"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "www.CLIENT.com"] [uri "/the-loop-detail.php"] [unique_id "YmJv1BzcXMr4Wrpgip6P1AAAAUo"]

The client is hosted at Dreamhost and this is there Extra Security module helping to prevent these injections.

Let me know if there is anything else I can provide.  Also if there is a more secure place to upload files so only you see them, let me know and I can upload the entire file(s).

Thanks!

LM

By daniel - April 22, 2022

Hi LM,

Thanks for the additional info!

Given the error message, to get rid of the notice, you should be able to change line 34 from this:

<title><?php if ($detailRecord['meta_title'] != ''): ?><?php echo $detailRecord['meta_title']; ?><?php else: ?><?php echo trim($detailRecord['title']).' | The Loop'; ?><?php endif ?></title>

To this:

<title><?php if (!empty($detailRecord['meta_title'])): ?><?php echo $detailRecord['meta_title']; ?><?php else: ?><?php echo trim($detailRecord['title']).' | The Loop'; ?><?php endif ?></title>

ModSecurity is another well-known WAF, so it looks like you're covered there, and your getRecords() calls all look safe from that type of injection attack.

Let me know if you have any other questions!

Thanks,

Daniel
Technical Lead
interactivetools.com

By weblm - April 25, 2022

Thank you Daniel!!

Think I have a handle on making some changes to match what you have shown.   We have a bunch of echo statements that I'm now going to wrap in the PHP IF to mitigate those errors.

LM

By daniel - May 24, 2022

Hi LM,

It looks like you're probably getting errors when the page tries to do math with $current_page and finds a non-numeric value. You should be able to correct this by telling the script to force the value to be an integer by casting it like this:

else: $current_page = (int) $_GET['page'];

Let me know if that helps - if you're still getting errors, can you copy the error message here for me to check?

Thanks,

Daniel
Technical Lead
interactivetools.com

By weblm - May 25, 2022

Daniel,

Thank you so much!! This worked perfectly!!

LM