#1807 - Possible SQL injection attempt not detected as SQL injection attempt by Composr

By PDStig
Added 15th Feb 2015, 10:35 PM
6 views

Identifier	#1807
Issue type	Major issue (breaks an entire feature)
Title	Possible SQL injection attempt not detected as SQL injection attempt by Composr
Status	Closed (no changes needed)
Handling member	Chris Graham
Addon	securitylogging
Description	I received the following error recently: An error occurred at: http://lovinity.org/pg/reportcontent/index.php?content_type=member%27A%3D0&content_id=25&url=http%3A%3Aslash%3A%3Aslash%3Alovinity.org%3Aslash%3Apg%3Aslash%3Amembers%3Aslash%3Aview%3Aslash%3A25&redirect=http%3A%3Aslash%3A%3Aslash%3Alovinity.org%3Aslash%3Apg%3Aslash%3Amembers%3Aslash%3Aview%3Aslash%3A25 The full error details follow: A source code file is missing: hooks/systems/content_meta_aware/member'A=0 (sources/hooks/systems/content_meta_aware/member'A=0.php or an overridden equivalent to this path) (version: 9.0.16, PHP version: 5.4.36, URL: /pg/reportcontent/index.php?content_type=member'A=0&content_id=25&url=http::slash::slash:lovinity.org:slash:pg:slash:members:slash:view:slash:25&redirect=http::slash::slash:lovinity.org:slash:pg:slash:members:slash:view:slash:25)[html] An error has occurred A source code file is missing: hooks/systems/content_meta_aware/member'A=0 (sources/hooks/systems/content_meta_aware/member'A=0.php or an overridden equivalent to this path) (version: 9.0.16, PHP version: 5.4.36, URL: /pg/reportcontent/index.php?content_type=member'A=0&content_id=25&url=http::slash::slash:lovinity.org:slash:pg:slash:members:slash:view:slash:25&redirect=http::slash::slash:lovinity.org:slash:pg:slash:members:slash:view:slash:25) Notice specifically member'A=0 . This looks like an SQL injection attempt to me. However it was simply registered as a missing source file.
Steps to reproduce
Additional information	This came from the Report Content addon.
Funded?	No

The system will post a comment when this issue is modified (e.g., status changes). To be notified of this, click "Enable comment notifications".

Rating

Unrated

Comments

By Guest posted 16th Feb 2015, 3:50 AM

Our security detection picks out specific issues in-context, or escapes to make them non-issues -- trying to spot suspicious patterns across any parameter out-of-context would lead to performance slow-down and bugs.

By Guest posted 16th Feb 2015, 3:52 AM

Thank you for your filing the report though, it probably is a malicious bot.

If they had for example ".." in this parameter, we'd pick it up as a file-system attack, as this parameter is being used in a file-system context.

By Guest posted 16th Feb 2015, 10:21 AM

Is there any way that errors can track IPs, like security logs do? That way, I can ban bots like this as well as these bots/people who keep adding random URLs to the end of /pg/ .

By Guest posted 16th Feb 2015, 10:24 AM

I'll open an issue for that. Currently you'd need to look into the raw web logs.

By Guest posted 16th Feb 2015, 10:25 AM

Alright will do. Thanks ^^