1
edipinho
Xoops 2.5.4 Blind SQL Injection
  • 2011/12/28 3:30
  • edipinho
  • Not too shy to talk
  • Posts: 107
  • Since: 2003/10/15

Blind SQLI Xoops 2.5.4 Xoops Protector Bypass day 0

I am a layman in this matter, is this really true?

And if it is, how can we avoid the attack?

TcheLoco

http://www.youtube.com/watch?v=p7nvXkWzJ04
http://www.youtube.com/watch?v=5QLjHTUynM0
http://www.youtube.com/watch?v=Khp0NK5t5K8

2
dbman
Re: Xoops 2.5.4 Blind SQL Injection
  • 2011/12/28 4:10
  • dbman
  • Friend of XOOPS
  • Posts: 172
  • Since: 2005/4/28

Move your data folders outside of web root and ensure that your host has something like mod security installed on the web server.

3
edipinho
Re: Xoops 2.5.4 Blind SQL Injection
  • 2011/12/28 4:38
  • edipinho
  • Not too shy to talk
  • Posts: 107
  • Since: 2003/10/15

Thanks for the super quick response.
I already keep all this data secured behind the webroot, so am I safe?
TcheLoco


4
Mamba
Re: Xoops 2.5.4 Blind SQL Injection
  • 2011/12/28 11:36
  • Mamba
  • Moderator
  • Posts: 11366
  • Since: 2004/4/23

My understanding is that as long as you don't give your Admin access to a hacker, you're safe.

You need to be an Admin, to take advantage of this attack.

If you look at the video, you see that he is logging in as an Admin first....

I assume that the Core team will provide a fix for XOOPS 2.5.5, but again - it is a "low level" issue, so no reason for a major worry.
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs

5
edipinho
Re: Xoops 2.5.4 Blind SQL Injection
  • 2011/12/29 1:34
  • edipinho
  • Not too shy to talk
  • Posts: 107
  • Since: 2003/10/15

Thanks for the reply. I had sensed that he was an administrator, but as a layman, I thought it was serious.
I always follow your recommendations and have never had any kind of intrusion.

Once again thank you.
TcheLoco


6
wishcraft
Re: Xoops 2.5.4 Blind SQL Injection

I suggest you also run Xortify 3.0; this sort of attack is normally done by a bot, not a person, and the honeypots will be pre-aware of their IP and block them.

Simon
www.ohloh.net/accounts/226400

Follow, Like & Read:-

twitter.com/RegaltyFamily
github.com/Chronolabs-Cooperative
facebook.com/DrAntonyRoberts
