#1 Posted on: 2011/12/27 21:30 Xoops 2.5.4 Blind SQL Injection
Blind SQLI Xoops 2.5.4 Xoops Protector Bypass day 0

I am a layman in this matter; is this really true?

And if it is, how can we avoid the attack?



Posted by TcheLoco (Registered Users; from Porto Alegre - RS - BR; joined 2003/10/15; 84 posts)


#2 Posted on: 2011/12/27 22:10 Re: Xoops 2.5.4 Blind SQL Injection
Move your data folders outside of web root and ensure that your host has something like mod security installed on the web server.

Posted by dbman (Registered Users; from Cape Breton, Nova Scotia; joined 2005/4/28; 169 posts)
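The first recommendation above (keep the data folders out of the web root) is easy to get subtly wrong: a directory whose name merely shares a prefix with the document root, a path containing `..`, or a trailing slash can all fool a naive string comparison. The following is an added example, not code from this thread or from XOOPS, that audits a proposed layout against a document root. It assumes a document root of /var/www/html and uses the directory names xoops_data and xoops_lib, which XOOPS 2.5 lets an administrator relocate, as illustrative names; all layouts are constructed sample values.

```python
import os

# Constructed sample document root for the audit (assumption, not from the thread).
DOC_ROOT = "/var/www/html"


def is_inside(path, root):
    """True if `path` is `root` itself or a location beneath it.

    Both paths are made absolute and normalised (collapsing `..`, `.` and
    trailing slashes) and then compared component-wise, so a sibling such as
    /var/www/html2 is not mistaken for a child of /var/www/html.
    Symlinks are deliberately not resolved: a symlink that sits under the
    document root is still reachable over HTTP when the web server follows
    it, so it must count as inside.
    """
    p = os.path.normpath(os.path.abspath(path))
    r = os.path.normpath(os.path.abspath(root))
    return p == r or p.startswith(r.rstrip(os.sep) + os.sep)


def audit_layout(doc_root, paths):
    """Map each named directory to 'exposed' (served by the web server)
    or 'outside' (not reachable as a URL under the document root)."""
    return {name: ("exposed" if is_inside(p, doc_root) else "outside")
            for name, p in paths.items()}


def exposed_dirs(doc_root, paths):
    """Sorted names of the directories that are still under the web root."""
    return sorted(n for n, v in audit_layout(doc_root, paths).items()
                  if v == "exposed")


# Constructed layouts. The stock layout leaves every directory under the
# document root; the hardened one moves the two relocatable directories one
# level up. `uploads` has to stay web-accessible because it serves images,
# so it is expected to remain 'exposed' in both.
DEFAULT_LAYOUT = {
    "xoops_data": "/var/www/html/xoops_data",
    "xoops_lib": "/var/www/html/xoops_lib",
    "uploads": "/var/www/html/uploads",
}
HARDENED_LAYOUT = {
    "xoops_data": "/var/www/xoops_data",
    "xoops_lib": "/var/www/xoops_lib",
    "uploads": "/var/www/html/uploads",
}
# Edge cases a naive prefix check gets wrong.
TRICKY_LAYOUT = {
    "sibling_prefix": "/var/www/html2/xoops_data",   # shares a prefix, is outside
    "dotdot": "/var/www/html/../xoops_data",         # normalises to /var/www/xoops_data
    "trailing": "/var/www/html/xoops_data/",         # trailing slash, still inside
}


if __name__ == "__main__":
    for label, layout in (("default", DEFAULT_LAYOUT),
                          ("hardened", HARDENED_LAYOUT),
                          ("tricky", TRICKY_LAYOUT)):
        print(label)
        for name, verdict in audit_layout(DOC_ROOT, layout).items():
            print(f"  {name:15s} {verdict}")
```

Run it against the paths in your own mainfile.php; anything reported as exposed apart from the directories that must be served (uploads, themes, modules) is a candidate for relocation.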


#3 Posted on: 2011/12/27 22:38 Re: Xoops 2.5.4 Blind SQL Injection
Thanks for the super quick response.
I already do all this data security behind the webroot, so am I safe?

Posted by TcheLoco (Registered Users; from Porto Alegre - RS - BR; joined 2003/10/15; 84 posts)


#4 Posted on: 2011/12/28 5:36 Re: Xoops 2.5.4 Blind SQL Injection
My understanding is that as long as you don't give your Admin access to a hacker, you're safe.

You need to be an Admin to take advantage of this attack.

If you look at the video, you see that he is logging in as an Admin first...

I assume that the Core team will provide a fix for XOOPS 2.5.5, but again - it is a "low level" issue, so no reason for a major worry.

Posted by Mamba (Webmaster, Registered Users, Designer Group; from Ohio, USA; joined 2004/4/23; 8092 posts)


#5 Posted on: 2011/12/28 19:34 Re: Xoops 2.5.4 Blind SQL Injection
Thanks for the reply. I had sensed that he was logged in as an administrator, but as a layman I thought it was serious.
I always follow your recommendations and have never had any kind of intrusion.

Once again, thank you.

Posted by TcheLoco (Registered Users; from Porto Alegre - RS - BR; joined 2003/10/15; 84 posts)


#6 Posted on: 2011/12/28 21:12 Re: Xoops 2.5.4 Blind SQL Injection
I suggest you also run Xortify 3.0; this sort of attack is normally done by a bot, not a person, and the honeypots will be pre-aware of their IP and block them.

Simon

Posted by wishcraft (Registered Users; from Marrickville South, Sydney, Australia; joined 2007/5/18; 2122 posts)