Forum: PhotoPost Community > PhotoPost Support > PhotoPost Pro Support Forums > Photopost Pro Bug Reports

Post #1, August 19th, 2007, 05:34 PM
Rushster (Junior Member, Verified Customer; Join Date: Jul 2006; Posts: 4)
SQL Injections

After much turning stuff off and investigating, I think there are security issues with the latest version of Photopost. We are getting SQL injections into our VB forum titles, and the only script that could possibly be remotely tied to the forums is Photopost, as it uses VB authentication. I don't want to do any scaremongering, but I wanted to find out if there have been any other reports of this or known issues. Since removing the Photopost directory from being web-readable, the injections have stopped.
Post #2, August 20th, 2007, 12:48 AM
Chuck S (Photopost Developer, Verified Customer; Join Date: Jun 2002; Location: Abingdon, MD; Posts: 68,069)
Photopost has been tested and has no SQL injections open to our knowledge.

Further, SQL injections in your forum would never be caused by Photopost. Both applications are separate from each other and there is never any code mix, so there is no potential for such a thing. We simply load the vB header and style; all queries for our app are done by our app, and the same for vB, so each application runs independently of the other in most regards.
__________________
Photopost Developer and Support Engineer

Please do not PM me for support or sales questions. Thank you for your understanding.
Post #3, September 4th, 2007, 12:43 PM
LWillmann (Junior Member, Verified Customer; Join Date: Jan 2006; Posts: 21)
I have had tons of hacking issues recently. All appear to be SQL injection issues. I have done everything I could think of to secure my site. In the end I had to remove two products from my site, both of which swear they have NO security issues: vbPortal 3.6.4 and Photopost Pro 5.62.

The hacking seems to have stopped since removing those two products, at least for now. So take that as it is.
Post #4, September 4th, 2007, 04:48 PM
Chuck S (Photopost Developer, Verified Customer; Join Date: Jun 2002; Location: Abingdon, MD; Posts: 68,069)
Well, along with SQL injections, your server should have direct, clear-cut error logs on the exact error, so that should tell you where you're getting your error from. Do you not have any such error logs?
Post #5, September 4th, 2007, 05:52 PM
LWillmann (Junior Member, Verified Customer; Join Date: Jan 2006; Posts: 21)
Quote (Originally Posted by Chuck S):
Well, along with SQL injections, your server should have direct, clear-cut error logs on the exact error, so that should tell you where you're getting your error from. Do you not have any such error logs?
Due to the frequency of the hacking and problems, the hosting company moved my site to a new server, but I do have a partial log from yesterday. But I don't fully understand how to decipher it, LOL.
Post #6, September 4th, 2007, 05:55 PM
Chuck S (Photopost Developer, Verified Customer; Join Date: Jun 2002; Location: Abingdon, MD; Posts: 68,069)
You can post the error here and let's see if I can help you out.
Post #7, September 5th, 2007, 07:14 AM
LWillmann (Junior Member, Verified Customer; Join Date: Jan 2006; Posts: 21)
Ok, here's what I have been able to figure out:

On 9/3/07 (the last day and WORST day of the hacking), I downloaded a copy of the "raw access log" from the server.

That night, I removed the galleries and portal packages from the site (deleted the files, removed the plug-ins from the board, etc.). I downloaded a backup of the database before going to bed, just in case (with all the portal and gallery data intact). Later that night, at some point after I went to bed, the hosting company moved the site files to a new server.

When I woke, there were only 4 tables on the new server, so I restored the database from the night before, and went to work at my day job.

I downloaded a copy of the "raw access log" from the server yesterday, 9/4/07.

I got to comparing the log files and here's what I've seen.


Looking at the log for the 3rd, I saw TONS of hits from some crawler I've never heard of hitting MOSTLY PP scripts (and most of them being showphoto.php). There were a FEW hits for other scripts on the site, but virtually all the hits by that crawler were for scripts in the galleries.

Unfortunately the host rotates logs daily and I could not get access to previous days' logs. And at this point, since the account has been move to a new server, I can't get to those logs anyway.

Then I go to the log for the 4th, and look. Not a SINGLE hit from that crawler. NOT ONE.

Seeing that there were no hits in the 2nd file, I got curious, and went and ran a search on the net for the company. I come up with a site, but it looks fake to me. Just doesn't instill much faith in me as a real company. Then I do more research on the net and see that others are having problems with the same crawler, and that yet others are having problems with a 'spoofed' version of that crawler or something. I ran a tracert on the IP showing in my log, but it traces back to the .com of the home site, and doing a WHOIS on the .com shows one of the founder names listed on the site, but still... A look at the site doesn't leave me very confident that it's on the up and up.

Well, I was going to attach the two log files in a .zip, but it won't let me since it's bigger than 100kb.

So here's some of the lines relating to that showphoto.php file:
Quote:
38.99.13.123 - - [03/Sep/2007:01:05:56 -0400] "GET /galleries/showphoto.php?photo=244&ppuser=5 HTTP/1.0" 200 53300 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:01:07:35 -0400] "GET /galleries/showphoto.php?photo=425&size=big&cat=506&limit=last14 HTTP/1.0" 200 49075 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:01:08:28 -0400] "GET /galleries/showphoto.php?photo=328&size=big&limit=all HTTP/1.0" 200 53106 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:01:09:25 -0400] "GET /galleries/showphoto.php?photo=264&size=big&limit=all HTTP/1.0" 200 53282 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:02:42:27 -0400] "GET /galleries/showphoto.php?photo=373&size=big&limit=last7 HTTP/1.0" 200 48950 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:02:47:03 -0400] "GET /galleries/showphoto.php?photo=350&size=big&ppuser=2 HTTP/1.0" 200 53175 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:02:48:49 -0400] "GET /galleries/showphoto.php?photo=148&cat=all&size=big&limit=all HTTP/1.0" 200 53299 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:02:54:11 -0400] "GET /galleries/showphoto.php?photo=380&size=big&cat=all&limit=last14 HTTP/1.0" 200 53327 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:02:55:33 -0400] "GET /galleries/showphoto.php?photo=338&size=big&cat=last7&limit=last7 HTTP/1.0" 200 48949 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:03:07:19 -0400] "GET /galleries/showphoto.php?photo=154&cat=504&limit=all HTTP/1.0" 200 53184 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:03:07:44 -0400] "GET /galleries/showphoto.php?photo=221&size=big&cat= HTTP/1.0" 200 53087 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:03:09:43 -0400] "GET /galleries/showphoto.php?photo=268&size=big&cat= HTTP/1.0" 200 53041 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:03:11:58 -0400] "GET /galleries/showphoto.php?photo=326&size=big&cat=all&limit=all HTTP/1.0" 200 53106 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:03:34:51 -0400] "GET /galleries/showphoto.php?photo=412&size=big&cat=last14&limit=last14 HTTP/1.0" 200 48953 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:03:47:46 -0400] "GET /galleries/showphoto.php?photo=199&size=big&limit=all HTTP/1.0" 200 53297 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:03:48:05 -0400] "GET /galleries/showphoto.php?photo=171&size=big&cat=all&limit=all HTTP/1.0" 200 53291 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:04:01:53 -0400] "GET /galleries/showphoto.php?photo=269&cat=all&limit=all HTTP/1.0" 200 53229 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:04:02:33 -0400] "GET /galleries/showphoto.php?photo=404&size=big&cat=all&limit=all HTTP/1.0" 200 53190 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:04:03:35 -0400] "GET /galleries/showphoto.php?photo=211&size=big&cat=all&limit=all HTTP/1.0" 200 53301 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:04:13:53 -0400] "GET /galleries/showphoto.php?photo=273&cat=503 HTTP/1.0" 200 53009 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:04:15:25 -0400] "GET /galleries/showphoto.php?photo=235&cat=504&limit=all HTTP/1.0" 200 53231 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:04:15:58 -0400] "GET /galleries/showphoto.php?photo=213&size=big&ppuser=5 HTTP/1.0" 200 53238 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:04:16:46 -0400] "GET /galleries/showphoto.php?photo=202&size=big&cat=&ppuser=5 HTTP/1.0" 200 53185 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:04:17:40 -0400] "GET /galleries/showphoto.php?photo=236&limit=all HTTP/1.0" 200 53293 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:04:35:18 -0400] "GET /galleries/showphoto.php?photo=431&size=big&cat=506 HTTP/1.0" 200 53067 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:04:36:08 -0400] "GET /galleries/showphoto.php?photo=405&size=big&cat=506&ppuser=2 HTTP/1.0" 200 53118 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:04:37:54 -0400] "GET /galleries/search.php?searchid=265 HTTP/1.0" 200 42545 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:04:38:01 -0400] "GET /galleries/showphoto.php?photo=90&limit=all HTTP/1.0" 200 53213 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:04:46:03 -0400] "GET /galleries/showphoto.php?photo=175 HTTP/1.0" 200 53012 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:04:46:28 -0400] "GET /galleries/showphoto.php?photo=464&size=big&cat=last7&limit=last7 HTTP/1.0" 200 48949 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
38.99.13.123 - - [03/Sep/2007:04:47:40 -0400] "GET /galleries/showphoto.php?photo=380&cat=all&size=big&limit=last14 HTTP/1.0" 200 53327 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"
Post #8, September 5th, 2007, 08:32 AM
Chuck S (Photopost Developer, Verified Customer; Join Date: Jun 2002; Location: Abingdon, MD; Posts: 68,069)
Well, we sanitize the variables we use, so I do see a bot trying to hack in, but I tested some of those and don't see anything that causes an error on the site, which means no actual hacking that I see, because, say for instance, if you pass ppuser in a URL and it is an integer-only thing, we nullify the variable.

You can disable robots in a specific location or script on your site by creating a robots.txt file in your site root which tells robots GET AWAY.

Here is an example which should show you how to place a robots.txt file in your webroot to stop bots from entering your gallery or your entire site:

http://www.robotstxt.org/wc/norobots.html

Here is another

http://www.robotstxt.org/

http://www.whitehouse.gov/robots.txt
Post #9, September 5th, 2007, 12:44 PM
LWillmann (Junior Member, Verified Customer; Join Date: Jan 2006; Posts: 21)
I've read that the cuill.com robot breaks the rule and ignores robots.txt and still parses sites, so people are having to ban it.

So far, the site hasn't been hit since removing the gallery and portal. And from what I saw in the log, there was no significant activity on any particular portal file. The one file that got the most activity was the showphoto.php file.

So, I will go back to my log and check again and see if there is any portal file that seems to get an inordinate amount of traffic and see if I can figure out what it is.
Post #10, September 5th, 2007, 03:12 PM
Chuck S (Photopost Developer, Verified Customer; Join Date: Jun 2002; Location: Abingdon, MD; Posts: 68,069)
Well, you can also disable robots from one directory, so that would be my suggestion while those bots are trying to fish in there with those URLs. I tried them on my site and nothing results in a MySQL error, which means we properly sanitize the variables and there are no SQL INJECTIONS. If you had SQL INJECTIONS through our program, we would be able to run the URL you have on a Photopost site and see a MySQL error, and thus far with your examples I see no success in creating an error, so your logs show a bot is trying to spoof your site, but I see no evidence of an actual INJECTION.
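As an added example (not code from PhotoPost, vBulletin or anyone in this thread), the following Python script does, against the kind of raw access log posted in #7, the check the developer describes in #8 and #10: it parses Apache combined-format lines, counts hits per client (IP plus User-Agent) and per script, counts 5xx responses per client, and flags any query parameter whose value does not have the shape the gallery script should accept, so an integer-only parameter such as photo or ppuser carrying a quote or a SQL keyword stands out from ordinary crawl traffic. The parameter shapes (photo, ppuser and searchid integer-only; cat and limit integer, empty, or one of all/last7/last14; size one of a few keywords) are assumptions inferred from the posted URLs, not PhotoPost's actual validation rules. The first three sample lines are taken from the posted log; the 192.0.2.10 lines are constructed for this example and are not from the poster's server.

```python
"""Audit an Apache combined-format access log for a PhotoPost-style gallery.

Counts requests per client (IP + User-Agent) and per script, counts 5xx
responses per client, and flags query parameters whose values fall outside
the shape the gallery script is expected to accept.  The expected shapes
below are assumptions inferred from the URLs in the thread, not PhotoPost's
own validation rules.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

KEYWORDS = {"all", "last7", "last14"}   # seen in the posted log for cat/limit
SIZES = {"big", "med", "small"}         # assumed set of size values


def coerce_int(value):
    """The approach the developer describes for integer-only parameters:
    anything that is not a plain ASCII integer is nullified, never used as-is.
    (str.isdigit alone would accept Unicode digits that int() rejects.)"""
    return int(value) if re.fullmatch(r"[0-9]+", value) else None


def is_int(value):
    return coerce_int(value) is not None


def is_int_or_keyword(value):
    return value == "" or is_int(value) or value in KEYWORDS


# Assumed expected shape per parameter name.
EXPECTED = {
    "photo": is_int,
    "ppuser": is_int,
    "searchid": is_int,
    "cat": is_int_or_keyword,
    "limit": is_int_or_keyword,
    "size": lambda v: v in SIZES,
}


def parse_line(line):
    """Parse one combined-format line; returns None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["script"] = parts.path
    # keep_blank_values so 'cat=' shows up as an empty value instead of vanishing
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def suspicious_params(params):
    """Return (name, value) pairs whose value doesn't fit the expected shape.
    Unknown parameter names are flagged too; the script should not receive them."""
    bad = []
    for name, value in params:
        check = EXPECTED.get(name)
        if check is None or not check(value):
            bad.append((name, value))
    return bad


def audit(lines):
    by_client, by_script, server_errors, flagged = Counter(), Counter(), Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_client[(rec["ip"], rec["ua"])] += 1
        by_script[rec["script"]] += 1
        if rec["status"].startswith("5"):   # a MySQL error may surface as a 5xx
            server_errors[rec["ip"]] += 1
        bad = suspicious_params(rec["params"])
        if bad:
            flagged.append((rec["ip"], rec["target"], bad))
    return {"by_client": by_client, "by_script": by_script,
            "server_errors": server_errors, "flagged": flagged}


TWICELER_UA = "Mozilla/5.0 (Twiceler-0.9 http://www.cuill.com/twiceler/robot.html)"

# Sample input: the first three lines are from the log posted in this thread;
# the 192.0.2.10 lines are constructed for this example to show what an
# actual injection probe looks like next to the crawler traffic.
SAMPLE_LOG = [
    f'38.99.13.123 - - [03/Sep/2007:01:05:56 -0400] "GET /galleries/showphoto.php?photo=244&ppuser=5 HTTP/1.0" 200 53300 "-" "{TWICELER_UA}"',
    f'38.99.13.123 - - [03/Sep/2007:03:07:44 -0400] "GET /galleries/showphoto.php?photo=221&size=big&cat= HTTP/1.0" 200 53087 "-" "{TWICELER_UA}"',
    f'38.99.13.123 - - [03/Sep/2007:04:37:54 -0400] "GET /galleries/search.php?searchid=265 HTTP/1.0" 200 42545 "-" "{TWICELER_UA}"',
    '192.0.2.10 - - [03/Sep/2007:04:40:00 -0400] "GET /galleries/showphoto.php?photo=244%27 HTTP/1.1" 500 0 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [03/Sep/2007:04:40:05 -0400] "GET /galleries/showphoto.php?photo=244&ppuser=5+UNION+SELECT+1 HTTP/1.1" 200 53012 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for (ip, ua), n in report["by_client"].most_common():
        print(f"{n:4d}  {ip}  {ua}")
    for ip, target, bad in report["flagged"]:
        print(f"FLAG {ip} {target} -> {bad}")
```

Run against the full day's log, every Twiceler request in the posted excerpt passes the shape check: the values are all integers or the all/last7/last14 keywords, which is what the developer means by nothing in those URLs producing a MySQL error. Only the constructed probe lines are flagged, so heavy crawler traffic on showphoto.php and an injection attempt are two different things in the log, and the flagged list plus the 5xx count per client is where to look first.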
All times are GMT -5.