edipinho
  • Just popping in
  • Joined: 2003/10/15 2:57
  • From Porto Alegre - RS - BR
  • Group: Registered Users
  • Posts: 84
  • Posted on: 2011/12/27 22:30
Xoops 2.5.4 Blind SQL Injection #1
Blind SQLI Xoops 2.5.4 Xoops Protector Bypass day 0

I am a layman in this matter; is this really true?

And if it is, how can we avoid the attack?

dbman
  • Friend of XOOPS
  • Joined: 2005/4/28 1:15
  • From Cape Breton, Nova Scotia
  • Group: Registered Users
  • Posts: 171
  • Posted on: 2011/12/27 23:10
Re: Xoops 2.5.4 Blind SQL Injection #2
Move your data folders outside of web root and ensure that your host has something like mod security installed on the web server.
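One way to enforce the first piece of that advice at startup, as an added example that is not XOOPS project code: a mainfile.php-style fragment that defines the writable data location outside the document root and refuses to run if it resolves inside it. The constant names follow XOOPS 2.5 mainfile conventions (XOOPS_ROOT_PATH, XOOPS_TRUST_PATH, XOOPS_VAR_PATH); the directory values are constructed placeholders. The symlink-aware comparison uses realpath() so that a data folder linked from inside the web root is still caught.

```php
<?php
// Added example (not XOOPS's own code): hardened path definitions plus a
// startup check that the writable data folders really sit outside the web
// root. Paths are constructed placeholders for illustration.

define('XOOPS_ROOT_PATH', '/var/www/html');          // document root (example)
define('XOOPS_TRUST_PATH', '/var/www/xoops_trust');  // outside the web root (example)
define('XOOPS_VAR_PATH', XOOPS_TRUST_PATH . '/xoops_data');

/**
 * Returns true when $child resolves to $parent or to a location beneath it.
 * An unresolvable path is treated as unsafe rather than silently passing.
 */
function path_is_inside(string $child, string $parent): bool
{
    $c = realpath($child);
    $p = realpath($parent);
    if ($c === false || $p === false) {
        return true;
    }
    // Compare with a trailing separator so /var/www/html2 is not mistaken
    // for a subdirectory of /var/www/html.
    $p = rtrim($p, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($c . DIRECTORY_SEPARATOR, $p, strlen($p)) === 0;
}

// Refuse to serve the site if either data location is reachable via the web root.
foreach ([XOOPS_TRUST_PATH, XOOPS_VAR_PATH] as $dir) {
    if (path_is_inside($dir, XOOPS_ROOT_PATH)) {
        header('HTTP/1.1 503 Service Unavailable');
        exit('Configuration error: data folder is inside the web root.');
    }
}
```

Failing closed on a misconfiguration is deliberate: a site that starts with its data folders exposed is worse than one that refuses to start. The second piece of the advice (a web application firewall such as mod_security in front of the server) is independent of this check and is configured at the web server, not in mainfile.php.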
edipinho
  • Just popping in
  • Joined: 2003/10/15 2:57
  • From Porto Alegre - RS - BR
  • Group: Registered Users
  • Posts: 84
  • Posted on: 2011/12/27 23:38
Re: Xoops 2.5.4 Blind SQL Injection #3
Thanks for the super quick response.
I already do all this (data secured behind the webroot), so am I safe?
Mamba
  • Moderator
  • Joined: 2004/4/23 14:58
  • From Ohio, USA
  • Group: Webmaster Registered Users Designer Group Super Moderator
  • Posts: 10293
  • Posted on: 2011/12/28 6:36
Re: Xoops 2.5.4 Blind SQL Injection #4
My understanding is that as long as you don't give your Admin access to a hacker, you're safe.

You need to be an Admin, to take advantage of this attack.

If you look at the video, you see that he is logging in as an Admin first....

I assume that the Core team will provide a fix for XOOPS 2.5.5, but again - it is a "low level" issue, so no reason for a major worry.
edipinho
  • Just popping in
  • Joined: 2003/10/15 2:57
  • From Porto Alegre - RS - BR
  • Group: Registered Users
  • Posts: 84
  • Posted on: 2011/12/28 20:34
Re: Xoops 2.5.4 Blind SQL Injection #5
Thanks for the reply. I had sensed that he was logged in as an administrator, but as a layman, I thought it was serious.
I always follow your recommendations and have never had any kind of intrusion.

Once again thank you.
wishcraft
  • Module Developer
  • Joined: 2007/5/18 16:56
  • From Marrickville South, NSW, Australia
  • Group: Registered Users
  • Posts: 3652
  • Posted on: 2011/12/28 22:12
Re: Xoops 2.5.4 Blind SQL Injection #6
I suggest you also run Xortify 3.0; this sort of attack is normally done by a bot, not a person, and the honeypots will be pre-aware of their IP and block them.

Simon