#1 Posted on: 2011/12/27 21:30 Xoops 2.5.4 Blind SQL Injection
Blind SQLI Xoops 2.5.4 Xoops Protector Bypass day 0

I am a layman in this matter; is this really true?

And if it is, how can we avoid the attack?



TcheLoco
http://www.youtube.com/watch?v=p7nvXkWzJ04
http://www.youtube.com/watch?v=5QLjHTUynM0
http://www.youtube.com/watch?v=Khp0NK5t5K8
edipinho | Just popping in | Joined: 2003/10/15 1:57 | From Porto Alegre - RS - BR | Group: Registered Users | Posts: 84


#2 Posted on: 2011/12/27 22:10 Re: Xoops 2.5.4 Blind SQL Injection
Move your data folders outside of web root and ensure that your host has something like mod security installed on the web server.

dbman | Friend of XOOPS | Joined: 2005/4/28 0:15 | From Cape Breton, Nova Scotia | Group: Registered Users | Posts: 169


#3 Posted on: 2011/12/27 22:38 Re: Xoops 2.5.4 Blind SQL Injection
Thanks for the super quick response.
I already do all this data security behind the webroot, so I'm safe?

edipinho | Just popping in


#4 Posted on: 2011/12/28 5:36 Re: Xoops 2.5.4 Blind SQL Injection
My understanding is that as long as you don't give your Admin access to a hacker, you're safe.

You need to be an Admin, to take advantage of this attack.

If you look at the video, you see that he is logging in as an Admin first....

I assume that the Core team will provide a fix for XOOPS 2.5.5, but again - it is a "low level" issue, so no reason for a major worry.

Please support XOOPS & DONATE
Use 2.5.7 | Debugging | Requests | Bugs
Mamba | Moderator | Joined: 2004/4/23 13:58 | From Ohio, USA | Group: Webmaster, Registered Users, Designer Group | Posts: 8032


#5 Posted on: 2011/12/28 19:34 Re: Xoops 2.5.4 Blind SQL Injection
Thanks for the reply. I had sensed that he was an administrator, but as a layman, I thought it was serious.
I always follow your recommendations and have never had any kind of invasion.

Once again thank you.

edipinho | Just popping in


#6 Posted on: 2011/12/28 21:12 Re: Xoops 2.5.4 Blind SQL Injection
I suggest you also run Xortify 3.0; this sort of attack is normally done by a bot, not a person, and the honeypots will be pre-aware of their IP and block them.

Simon

www.ohloh.net/accounts/226400

Follow, Like & Read:-

* www.twitter.com/NegativityGear
* www.sourceforge.net/projects/chronolabs/
* www.facebook.com/epsacey
wishcraft | Module Developer | Joined: 2007/5/18 15:56 | From Dulwich Hill, Sydney, Australia | Group: Registered Users | Posts: 2119
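Two points in the replies above (Mamba's: the reported issue needs an admin session; wishcraft's: such probing is usually bot traffic worth blocking by IP) can be turned into a simple detection check on the web server's access log. The script below is an added example, not code from the thread or from XOOPS, Protector or Xortify; it assumes Apache combined-format logs and the XOOPS admin front controller path `/modules/system/admin.php`, and the log lines it scans are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" access-log line; only the fields the scan needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Blind-SQLi probe signatures, matched against the URL-decoded, lower-cased query string.
SIGNATURES = {
    "time-based": re.compile(r"\b(sleep|benchmark)\s*\("),
    "boolean": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+"),
}

# XOOPS admin front controller (assumed path): probes here matter most, since the
# thread says the reported issue needs an admin session.
ADMIN_PREFIX = "/modules/system/admin.php"

# Constructed sample log lines (not real traffic). 203.0.113.9 sends two probes
# against the admin path; the other two requests are ordinary page views.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Dec/2011:05:36:01 +0000] "GET /modules/system/admin.php?fct=users&uid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Dec/2011:05:36:02 +0000] "GET /modules/system/admin.php?fct=users&uid=1%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Dec/2011:05:36:03 +0000] "GET /modules/system/admin.php?fct=users&uid=1%20AND%201=2 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
198.51.100.4 - - [28/Dec/2011:05:36:04 +0000] "GET /modules/news/index.php?storyid=12 HTTP/1.1" 200 8100 "-" "Mozilla/5.0"
"""

def scan(log_text):
    """Return one finding per log line whose query string matches a probe signature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("uri"))
        query = unquote_plus(parts.query).lower()
        for technique, pattern in SIGNATURES.items():
            if pattern.search(query):
                findings.append({
                    "ip": m.group("ip"),
                    "path": parts.path,
                    "technique": technique,
                    "admin_path": parts.path.startswith(ADMIN_PREFIX),
                })
                break
    return findings

def repeat_offenders(log_text, threshold=2):
    """IPs with at least `threshold` probe hits: the automated scanners an IP
    block list (the role the thread gives Xortify's honeypots) would act on."""
    counts = Counter(f["ip"] for f in scan(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

A probe that shows up on the admin path from an IP that also holds a valid admin session is the case worth investigating first, since the exploit as described only works with admin privileges.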
