#249712 - 07/15/12 11:27 AM search being attacked
Kayjey Offline

member
Registered: 12/24/03
Posts: 101
Loc: Belgium
I have seen queries to the search engine in the error logs that point to our server being attacked by very long search strings.

INSERT INTO ubbt_SEARCH_RESULTS
(SEARCH_SESSION_ID,SEARCH_WORDS,[...])
VALUES
( '8cfacb698b24bf7b3eff7ec4449a3351' , 'xwkkrgddvl, \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\[...]

In which "\" is repeated a million times.

To be honest I think this is a serious weakness - the software shouldn't allow for any large query string (in this case 50MB+) to be sent to SQL.

So I've tried editing the dosearch.inc.php file to insert a maximum length in the search function and throw back an error "You do not have permission to use the search engine." I hope I have fixed this by doing so:

I have found this on line 431:
Php Code:

		// Make sure they are searching for something
		if (!$Words && !$Name) {
			if (!$excluded) {
				$html->not_right($ubbt_lang['NO_WORDS']);
			}
			else {
				$html->not_right($ubbt_lang['SHORT']);
			}
		} 



And added this immediately after it:

Php Code:

		// try and limit the length of the query - KAYJEY
		// strlen() counts bytes, so this bounds what reaches the SQL INSERT
		if (strlen($Words) > 500) {
			$html->not_right($ubbt_lang['NO_SEARCH']);
		}
_________________________
www.straydesign.com
#249713 - 07/15/12 11:38 AM Re: search being attacked [Re: Kayjey]
Kayjey Offline

member
Registered: 12/24/03
Posts: 101
Loc: Belgium
Please note: changing that code to:

Php Code:

		if (strlen($Words) > 500) {
			// notify the admin with the display name and the byte length of the rejected query
			$mailmessage = $user['USER_DISPLAY_NAME'] . " - " . strlen($Words);
			mail('yourmailaddress@yourprovider.com', 'Forum search engine abuse', $mailmessage);
			$html->not_right($ubbt_lang['NO_SEARCH']);
		}


you will get an e-mail message with the offending user and the length of his search string. Change the 'yourmailaddress@yourprovider.com' to your own address.
_________________________
www.straydesign.com
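Pulling the two posts above together, here is an added example (written for this page, not code from UBB.threads or from Kayjey's patch) of how the same check could be structured as a stand-alone function: it bounds the byte length and the term count before anything reaches SQL, rejects terms that are nothing but repeated punctuation (the pattern in the logged INSERT), and records rejections with error_log() instead of mail(), because mailing on every oversized request lets the same attacker flood the admin's inbox. The limits, the term-splitting rule, the "junk term" threshold, the log format and the sample inputs are assumptions; only the NO_SEARCH language key, the dosearch.inc.php file name and the $html->not_right() call site come from the posts.

```php
<?php
// Added example, not UBB.threads code. Limits and log format are assumptions.

const SEARCH_MAX_BYTES = 500;   // upper bound on the raw query string, in bytes
const SEARCH_MAX_TERMS = 20;    // upper bound on comma/whitespace separated terms
const SEARCH_JUNK_TERM = 8;     // a term this long with no letter or digit is abuse

/**
 * Validate a raw search string before it is used in any query.
 * Returns ['ok' => true, 'length' => N] or
 * ['ok' => false, 'reason' => '...', 'length' => N] so the caller can log the
 * rejection and show a generic error without echoing the input back.
 */
function validate_search_words(string $words): array
{
    // Byte length is what matters for the size of the SQL statement;
    // strlen() counts bytes regardless of mbstring settings.
    $len = strlen($words);
    if ($len > SEARCH_MAX_BYTES) {
        return ['ok' => false, 'reason' => 'too_long', 'length' => $len];
    }

    // Split on commas and whitespace, dropping empty pieces (assumed rule).
    $terms = preg_split('/[\s,]+/', trim($words), -1, PREG_SPLIT_NO_EMPTY);
    if ($terms === false || count($terms) > SEARCH_MAX_TERMS) {
        return ['ok' => false, 'reason' => 'too_many_terms', 'length' => $len];
    }

    // A long term with no letter or digit (e.g. a run of backslashes) has no
    // search value. With /u, preg_match() returns false on invalid UTF-8,
    // so the === 1 comparison leaves such input to the other checks.
    foreach ($terms as $t) {
        if (strlen($t) > SEARCH_JUNK_TERM
            && preg_match('/^[^\p{L}\p{N}]+$/u', $t) === 1) {
            return ['ok' => false, 'reason' => 'junk_term', 'length' => $len];
        }
    }
    return ['ok' => true, 'length' => $len];
}

/**
 * Record a rejected search as one line in the server error log instead of
 * sending a mail per hit; a log monitor or cron job can send one summary.
 * Returns the line so the caller can check or reuse it.
 */
function log_search_rejection(string $displayName, string $remoteAddr, array $result): string
{
    $line = sprintf(
        'search rejected: user=%s ip=%s reason=%s length=%d',
        // Display names are user-controlled; strip control characters so a
        // crafted name cannot inject extra lines into the log.
        preg_replace('/[\x00-\x1f\x7f]/', '?', $displayName),
        $remoteAddr,
        $result['reason'],
        $result['length']
    );
    error_log($line);
    return $line;
}

// Constructed sample inputs: a normal query, the pattern from the error log
// in the first post (a word, a comma, then a million backslashes), and a
// shorter run of backslashes that passes the length check but not the others.
$samples = [
    'normal'      => 'ubbthreads search performance',
    'flooded'     => 'xwkkrgddvl, ' . str_repeat('\\', 1000000),
    'short_flood' => 'xwkkrgddvl, ' . str_repeat('\\', 50),
];

foreach ($samples as $label => $words) {
    $r = validate_search_words($words);
    if (!$r['ok']) {
        log_search_rejection('SomeUser', '203.0.113.7', $r);
        // In dosearch.inc.php this is where $html->not_right($ubbt_lang['NO_SEARCH'])
        // would be called; here we only report the decision.
    }
    printf("%-11s %s (%d bytes)\n", $label . ':',
        $r['ok'] ? 'accepted' : 'rejected/' . $r['reason'], $r['length']);
}
```

The check runs on the raw string before any tokenising or database work, which is the point of Kayjey's patch: the cost of a 50MB request should end at the length comparison, not at MySQL. If you do want an alert, have the log monitor mail once per interval rather than calling mail() inline, so the rejection path itself cannot be used to generate traffic.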