Joined: May 2007
Posts: 18
stranger
Hi there:
I am using Classic 6.5.0. I have been receiving "Report A Post" emails with comments in them selling Viagra and diet pills. Smells like SQL injection. A temp fix is to move the post to another area then move it back to the original area and it changes the post number on it. But my question is, does anyone know of a patch that is available to fix this? Either direct from UBB or by an outside developer?
Thank you in advance!

Joined: Dec 2003
Posts: 6,629 Likes: 85
HUH???? Classic does not use MySQL. It is a flat file system using CGI and PHP for the accelerator. It sounds more like a spam issue which pops up all the time with classic today.
Blue Man Group There is no such thing as stupid questions. Just stupid answers

Joined: Dec 2003
Posts: 6,629 Likes: 85
Just took a quick peek at your site; you have report a post enabled on your site. So anyone, including guests, can send a message to the report a post. The only good part about it is only admins and moderators will get the message.
You could just turn the feature off I guess.
Blue Man Group There is no such thing as stupid questions. Just stupid answers

Joined: Jun 2006
Posts: 16,367 Likes: 126
Classic wasn't exactly "secure" in the captcha implementation in the latest build; automated bots could easily spam the everloving hell out of the forum...
Fix? UBB.T7 or disable features bots are abusing.

Joined: Dec 2003
Posts: 1,796
Pooh-Bah
At the least update to 6.7.3 - lots of bugs were fixed in there, tho I don't think Charles fixed any SQL injection issues

Joined: Jun 2006
Posts: 16,367 Likes: 126
> tho I don't think Charles fixed any SQL injection issues
Lol considering it's not MySQL based, I don't really see how he COULD fix SQL injection issues... let alone how there could be some... That'd be amazing...

Joined: Feb 2007
Posts: 1,294 Likes: 2
Veteran
I wouldn't sweat it. The classic version is flat file based and there are not as many security issues as many on here let on.
I have been running classic since 1995 and I never had anyone get in my forum and create any problems. I have had others on my servers as well running classic and still have 2 classic boards running on my servers and still no problems.

Joined: Dec 2003
Posts: 6,629 Likes: 85
> I have been running classic since 1995 and I never had anyone get in my forum and create any problems. I have had others on my servers as well running classic and still have 2 classic boards running on my servers and still no problems.
I agree to a point depending on the classic version. The real issue was the spamming in my case. In his case it looks the same. So options are close the board to guests or just turn off notify posts and give users another avenue if needed. Like a help forum. Either case if spammers can find an email address they will use it.
Blue Man Group There is no such thing as stupid questions. Just stupid answers

Joined: Feb 2007
Posts: 1,294 Likes: 2
Veteran
That's why I use a web form for people contacting me on my web sites. No email given and none known till I reply to the form message.
Also my web form tells me many things about the person sending to me through the forum. This helps in knowing if I need to reply or not.

Joined: May 2007
Posts: 18
stranger
I am writing this with a bag over my head so you won't recognize me as I feel like a fool. I totally forgot this is a flat file and cannot be SQL injection! But it does appear to be a bot and not a human doing it as it keeps hitting the same "report a post" from 2006.
So if there is no way to add captcha to this feature I will live with it. Moving the thread and then moving it back again is a band-aid fix.
Unless there is a captcha mod out there that anyone is aware of?

Joined: Feb 2007
Posts: 1,294 Likes: 2
Veteran
You can ban the bot via an .htaccess file if it is the same bot all the time.
    # Allow rules are evaluated first, then Deny; a client matching both is denied
    order allow,deny
    deny from xxx.xxx.xxx.xxx
    allow from all

Joined: Dec 2003
Posts: 6,629 Likes: 85
The fool is us. I don't recall a true captcha mod for classic but it was discussed several times at ubbdev.com. Somebody did add a Captcha feature with a human question answer feature at some point in time but never followed up on the modification. If they did it was lost in time.
If upgrading is out of the question, then try to use what tools you have at hand. Such as turn off features that allow bots to harvest email accounts, close the board to guests, email verification, etc.
Other than that you can block by IP, not just by the classic control panel but by .htaccess if it is a repeat offender.
Blue Man Group There is no such thing as stupid questions. Just stupid answers
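
Added example, not part of any post in this thread: one way to confirm that a single address is the repeat offender before banning it, by counting POSTs to the report form in the web server access log and emitting the deny rules in the syntax shown above. The log lines are constructed, and the script name and query string are hypothetical stand-ins for the board's real report URL.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample in Apache combined log format; the script name and
# query string are hypothetical stand-ins for the board's report form URL.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2007:03:14:01 +0000] "POST /cgi-bin/board.cgi?action=report&post=001234 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [12/May/2007:03:14:09 +0000] "POST /cgi-bin/board.cgi?action=report&post=001234 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.22 - - [12/May/2007:03:15:30 +0000] "GET /cgi-bin/board.cgi?action=report&post=004321 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2007:03:16:44 +0000] "POST /cgi-bin/board.cgi?action=report&post=001234 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.22 - - [12/May/2007:03:17:02 +0000] "POST /cgi-bin/board.cgi?action=report&post=004321 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
not a log line
"""

# client IP, request method, request URL, status code
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def repeat_reporters(log_text, marker="action=report", threshold=3):
    """Return {ip: count} for clients with >= threshold POSTs to the report form."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        ip, method, url, _status = m.groups()
        if method == "POST" and marker in url:
            try:
                hits[str(ip_address(ip))] += 1  # reject hostnames and junk
            except ValueError:
                continue
    return {ip: n for ip, n in hits.items() if n >= threshold}

def htaccess_rules(ips):
    """Render deny rules in the Apache 2.2 syntax used in the thread."""
    lines = ["order allow,deny"]
    lines += [f"deny from {ip}" for ip in sorted(ips)]
    lines.append("allow from all")
    return "\n".join(lines)

if __name__ == "__main__":
    print(htaccess_rules(repeat_reporters(SAMPLE_LOG)))
```

On Apache 2.4 these directives need mod_access_compat; the native form is `Require all granted` plus `Require not ip <address>` inside a `<RequireAll>` block.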

Joined: Dec 2003
Posts: 1,796
Pooh-Bah
>> tho I don't think Charles fixed any SQL injection issues
> Lol considering it's not MySQL based, I don't really see how he COULD fix SQL injection issues... let alone how there could be some... That'd be amazing...
umm... my point
> I have been running classic since 1995
"# First version of UBB created May 7, 1996 (by Ted O'Neill)."

Joined: Feb 2007
Posts: 1,294 Likes: 2
Veteran
Ok Excuse me then 1996. I had purchased the first version when they were only out like a few months. I still have the board archived and all of its posts as well. It was on a new site so I went by the Domain Registration date to get close. My Mistake.
Anyway no one really cares, lol.

Joined: Dec 2003
Posts: 6,629 Likes: 85
> Ok Excuse me then 1996. I had purchased the first version when they were only out like a few months. I still have the board archived and all of its posts as well. It was on a new site so I went by the Domain Registration date to get close. My Mistake.
> Anyway no one really cares, lol.
I agree Lockerman. (Sorry Jaisp, just a habit with the name.) Who cares except for the person with the problem. I would suggest to him as stated by myself, you and others. Use security methods available or start the upgrade process.
Blue Man Group There is no such thing as stupid questions. Just stupid answers

Joined: Dec 2003
Posts: 1,796
Pooh-Bah
I actually care... do you still have the free version files from something like v1 or v2? I had them but lost them on some hard drive I can't find anymore. For posterity and all... we had it running on ubbdev a few years back but I can't find the files anymore.