
SQL injection warning

Help
Joachim
2014-11-25
2014-12-02
  • Mark Grimshaw

    Mark Grimshaw - 2014-11-25

    Hi Joachim,

    Place the attached SQL.php file in core/sql/.

    This should work for wikindx v4.2 and up. To turn such SQL error messages off, set WIKINDX_DEBUG_ERRORS in config.php to FALSE.

    I'll look into the actual cause of the error, which I can reproduce, later.

    Regards,

    Mark

     
  • Joachim

    Joachim - 2014-11-25

    Hi Mark,

    thanks for your prompt solution. I've put the file in place and tried again with the incriminated URL, nothing to see now.

    Something which irritated me: I just checked out config.php, all WIKINDX_DEBUG_* variables were already set to FALSE. Is that something I should worry about?

    Thanks again
    Joachim

     
  • Mark Grimshaw

    Mark Grimshaw - 2014-11-25

    Hi Joachim,

    No it shouldn't worry you. I added a test to SQL.php to check for the condition of that variable -- that was what was missing earlier on.

    I've also found the search fault so will plug it for the release.

    Regards,

    Mark

     
    • Notis Toufexis

      Notis Toufexis - 2014-11-25

      Dear Mark and Joachim,

      Same email from the University of Hamburg to me today -- the warning
      came from the central administration of the German Research Network.
      The actual URL posing a threat was

      action=list_LISTSOMERESOURCES_CORE&method=collectionProcess&id=241&PagingStart=-1%27

      same as Joachim. My site has been taken off the net and is only
      available in the University of Hamburg Network.

      I have uploaded the patch, now I have to persuade them to turn the
      site back on...

      Thanks for your help, Mark.

      Best wishes,
      Notis

       

      Last edit: Stéphane Aulery 2024-02-20
  • Mark Grimshaw

    Mark Grimshaw - 2014-11-25

    Hmmm. Well, I've checked and that issue is solved with the patch and turning off DEBUG_ERRORS.

    I wonder why this has suddenly come up twice today?

    Mark

     
    • Notis Toufexis

      Notis Toufexis - 2014-11-25

      The email I received from the network admin quotes "an external
      trustworthy source" who provided a list of sites hosted in Germany
      which are (supposed to be) vulnerable to SQL-Injection-Attacks. The
      email originates from a subsection of Germany's Federal Agency for
      IT-Security, responsible for Safety of University Networking. They
      have sent the list of URLs to the hosting universities and asked for
      the sites to be taken down.

      Best wishes,
      Notis

       

      Last edit: Stéphane Aulery 2024-02-20
  • Mark Grimshaw

    Mark Grimshaw - 2014-11-26

    OK. The problem is a worry that displaying SQL information on SQL errors will give malicious users information which they could use to accomplish SQL injections. Attached here is a new SQL.php file which deals with this if used correctly with config.php (as detailed above). Additionally, your config.php should now be amended to:

    /*****
    START DEBUGGING CONFIGURATION
    
    All these should be FALSE on a production server.
    *****/
    // WIKINDX_DEBUG_ERRORS and WIKINDX_DEBUG_SQL are set here and, if TRUE, override 
    // WIKINDX_ERROR_REPORTING and WIKINDX_PRINT_SQL which are set in the wikindx configure interface 
    // and stored in database variables in the config table (see core/startup/LOADCONFIG.php).
    // NB DEBUG_EMAIL is only used for SQL errors. If this is a valid email address (in double quotes) and DEBUG_ERRORS is TRUE, SQL errors 
    // will be emailed rather than displayed on the web page (information which may be used maliciously). WIKINDX_MAIL_SERVER must be TRUE 
    // and the mail server set up correctly.
    public $WIKINDX_DEBUG_ERRORS = FALSE;
    // Valid email address or FALSE;
    public $WIKINDX_DEBUG_EMAIL = FALSE;
    public $WIKINDX_DEBUG_SQL = FALSE;
    // WIKINDX_BYPASS_SMARTYCOMPILE if TRUE, the compiled Smarty templates are not used and the templates are compiled again for each server call. 
    public $WIKINDX_BYPASS_SMARTYCOMPILE = FALSE;
    /*****
    END DEBUGGING CONFIGURATION
    *****/
    

    I've added a parameter (WIKINDX_DEBUG_EMAIL) to email SQL errors if WIKINDX_DEBUG_ERRORS is TRUE rather than displaying such errors to the web page.

     

    Last edit: Mark Grimshaw 2014-11-26
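The two defensive points in the post above (SQL error detail never reaching an anonymous browser, and a paging offset like `PagingStart=-1'` never reaching SQL as a raw string) as an added illustration, not WIKINDX's own SQL.php. It assumes a `$config` object carrying the properties from the config.php fragment, a working `mail()` setup, and a hypothetical `resource` table with `resourceId`/`resourceTitle` columns:

```php
<?php
// Added example, not the project's code. Assumes $config exposes the
// WIKINDX_DEBUG_* properties from the config.php fragment above.

// Decide what a failed query may show, following the config semantics:
// DEBUG_ERRORS FALSE -> generic text; TRUE + valid DEBUG_EMAIL -> email the
// detail and still show generic text; TRUE without email -> show the detail.
function reportSqlError(object $config, string $query, string $dbError): string
{
    if ($config->WIKINDX_DEBUG_ERRORS !== TRUE) {
        return 'A database error occurred. Please contact the administrator.';
    }
    $detail = "SQL error: $dbError\nQuery: $query";
    $to = $config->WIKINDX_DEBUG_EMAIL;
    if (is_string($to) && filter_var($to, FILTER_VALIDATE_EMAIL)) {
        mail($to, 'WIKINDX SQL error', $detail);   // detail goes to the admin only
        return 'A database error occurred and has been reported.';
    }
    // Debugging on and no address configured: the only branch that renders detail.
    return htmlspecialchars($detail, ENT_QUOTES, 'UTF-8');
}

// A paging offset is a non-negative integer or nothing; "-1'" is refused here,
// so the quote character can never alter the LIMIT clause.
function pagingStart(array $get): int
{
    $raw = (string)($get['PagingStart'] ?? '0');
    return preg_match('/^\d+$/', $raw) ? (int)$raw : 0;
}

// Hypothetical listing query: the offset is bound as an integer parameter and
// any driver error is routed through reportSqlError() instead of being echoed.
function listPage(PDO $pdo, object $config, array $get, int $pageSize = 20): array
{
    $sql = 'SELECT resourceId, resourceTitle FROM resource'
         . ' ORDER BY resourceId LIMIT :start, :size';
    try {
        $stmt = $pdo->prepare($sql);
        $stmt->bindValue(':start', pagingStart($get), PDO::PARAM_INT);
        $stmt->bindValue(':size', $pageSize, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        throw new RuntimeException(reportSqlError($config, $sql, $e->getMessage()));
    }
}
```

With the production settings from the fragment (all FALSE), a request carrying `PagingStart=-1'` is served page 0 and, should a query still fail, the visitor sees only the generic message.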
  • Mark Grimshaw

    Mark Grimshaw - 2014-11-30

    A new SQL.php file because the one posted here a few days ago had a minor error to do with the adding of slashes to apostrophes etc. when adding new data to the database.

    Mark

     

    Last edit: Mark Grimshaw 2014-11-30
    • Notis Toufexis

      Notis Toufexis - 2014-11-30

      Thank you Mark! Btw, thanks to your quick response with the patches
      my site is now up and running again.
      Best wishes,
      Notis

       

      Last edit: Stéphane Aulery 2024-02-20
    • Joachim

      Joachim - 2014-12-02

      Hi Mark,

      thanks for your quick help. One problem though: Yesterday I noticed that the input of double quotes gets me quotes with preceding backslashes in the keyword field.

      I use lots of double quotes for keywords in order to distinguish titles from ordinary keywords.

      Switching magic_quotes_gpc off in the php.ini didn't help, so probably it has to do with the new code.

      Best
      Joachim

       
      • Mark Grimshaw

        Mark Grimshaw - 2014-12-02

        That's what I noticed too, Joachim, hence the new SQL.php file of two days ago. Just checked and entering a keyword in double quotes does not produce slashes.

        Mark

         
        • Joachim

          Joachim - 2014-12-02

          Oops, my bad, I thought that I had replaced your first file, but didn't obviously. No problems any more, thanks!

          Joachim

           
          • Mark Grimshaw

            Mark Grimshaw - 2014-12-02

            Great.

            Mark

             
  • Mark Grimshaw

    Mark Grimshaw - 2014-11-30

    Glad to hear it Notis.

    Mark

     
