SQL injection on 6.5 classic #226951
05/31/09 11:06 AM
SigningsHotline (OP, stranger)
Joined: May 2007
Posts: 18
Hi there:

I am using Classic 6.5.0. I have been receiving "Report A Post" emails with comments in them selling Viagra and diet pills. Smells like SQL injection. A temp fix is to move the post to another area then move it back to the original area and it changes the post number on it. But my question is, does anyone know of a patch that is available to fix this? Either direct from UBB or by an outside developer?

Thank you in advance!

Re: SQL injection on 6.5 classic [Re: SigningsHotline] #226952
05/31/09 11:11 AM
Ruben
Joined: Dec 2003
Posts: 5,827
Lutz,FL
HUH????
Classic does not use MySQL. It is a flat file system using CGI and PHP for the accelerator.
It sounds more like a spam issue, which pops up all the time with classic today.


Blue Man Group


There is no such thing as stupid questions. Just stupid answers
Re: SQL injection on 6.5 classic [Re: Ruben] #226953
05/31/09 11:18 AM
Ruben
Joined: Dec 2003
Posts: 5,827
Lutz,FL
Just took a quick peek at your site; you have report a post enabled on your site. So anyone can send a message including guests to the report a post. The only good part about it is only admins and moderators will get the message.

You could just turn the feature off I guess.


Re: SQL injection on 6.5 classic [Re: Ruben] #226956
05/31/09 05:26 PM
Gizmo (UBB.threads Developer)
Joined: Jun 2006
Posts: 16,788
Portland, OR; USA
Classic wasn't exactly "secure" in the captcha implementation in the latest build; automated bots could easily spam the everloving hell out of the forum...

Fix? UBB.T7 or disable features bots are abusing.


I am a Web Development Contractor, I do not work for UBBCentral. I have provided free User to User Support since the beginning of these support forums.
Forums: A Gardeners Forum Scouters World
UBB.threads: UBBWiki, UBB Styles, UBB.Sitemaps
Longtime Supporter & Resident Post-A-Holic
VNC Web Services: Code Modifications, Upgrades, Styling, Coding Services, Disaster Recovery, and more!
Re: SQL injection on 6.5 classic [Re: Gizmo] #226988
06/02/09 11:32 AM
AllenAyres (Pooh-Bah)
Joined: Dec 2003
Posts: 2,046
Texas
At the least update to 6.7.3 - lots of bugs were fixed in there, tho I don't think Charles fixed any SQL injection issues wink


- Allen
- ThreadsDev | PraiseCafe
Re: SQL injection on 6.5 classic [Re: AllenAyres] #226990
06/02/09 12:08 PM
Gizmo (UBB.threads Developer)
Joined: Jun 2006
Posts: 16,788
Portland, OR; USA
Originally Posted by AllenAyres
tho I don't think Charles fixed any SQL injection issues wink
Lol considering it's not MySQL based, I don't really see how he COULD fix SQL injection issues... let alone how there could be some... That'd be amazing...


Re: SQL injection on 6.5 classic [Re: Gizmo] #226994
06/02/09 03:51 PM
JAISP (veteran)
Joined: Feb 2007
Posts: 1,318
Pennsylvania
I wouldn't sweat it. The classic version is flat file based and there are not as many security issues as many on here let on.

I have been running classic since 1995 and I never had anyone get in my forum and create any problems. I have had others on my servers as well running classic and still have 2 classic boards running on my servers and still no problems.


Re: SQL injection on 6.5 classic [Re: JAISP] #226995
06/02/09 04:01 PM
Ruben
Joined: Dec 2003
Posts: 5,827
Lutz,FL
Originally Posted by JAISP

I have been running classic since 1995 and I never had anyone get in my forum and create any problems. I have had others on my servers as well running classic and still have 2 classic boards running on my servers and still no problems.


I agree to a point depending on the classic version.
The real issue was the spamming in my case.
In his case it looks the same.
So options are close the board to guests or just turn off notify posts and give users another avenue if needed. Like a help forum.
In either case, if spammers can find an email address they will use it.


Re: SQL injection on 6.5 classic [Re: Ruben] #226996
06/02/09 06:42 PM
JAISP (veteran)
Joined: Feb 2007
Posts: 1,318
Pennsylvania
That's why I use a web form for people contacting me on my web sites. No email given and none known till I reply to the form message.

Also my web form tells me many things about the person sending to me through the forum. This helps in knowing if I need to reply or not.

Re: SQL injection on 6.5 classic [Re: JAISP] #227011
06/03/09 04:31 PM
SigningsHotline (OP, stranger)
Joined: May 2007
Posts: 18
I am writing this with a bag over my head so you won't recognize me as I feel like a fool. I totally forgot this is a flat file and cannot be SQL injection! But it does appear to be a bot and not a human doing it as it keeps hitting the same "report a post" from 2006.

So if there is no way to add captcha to this feature I will live with it. Moving the thread and then moving it back again is a band-aid fix.

Unless there is a captcha mod out there that anyone is aware of?

Re: SQL injection on 6.5 classic [Re: SigningsHotline] #227012
06/03/09 04:37 PM
JAISP (veteran)
Joined: Feb 2007
Posts: 1,318
Pennsylvania
You can ban the bot via an .htaccess file if it is the same bot all the time.

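Code
# Apache 2.2 access-control syntax: a matching "deny" wins over "allow from all".
# Replace xxx.xxx.xxx.xxx with the bot's address.
order allow,deny
deny from xxx.xxx.xxx.xxx
allow from all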
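
Added example (not part of JAISP's post or of UBB itself): one way to check from an Apache access log whether the report form is being hit by the same address every time, and to produce the deny rules in the form shown above. The `action=report` URL marker, the log lines and the addresses are constructed placeholders; substitute what your own access log shows.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical URL marker for the report form; replace it with whatever your
# own access log shows for "Report A Post" submissions.
REPORT_MARKER = "action=report"

# Apache common/combined log format: host ident user [time] "METHOD url proto" ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*"')

def repeat_reporters(lines, threshold=3):
    """Return {ip: count} for clients that POSTed the report form >= threshold times."""
    hits = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m.group(2) != "POST" or REPORT_MARKER not in m.group(3):
            continue
        try:
            # Only literal IP addresses may reach the .htaccess output.
            hits[str(ipaddress.ip_address(m.group(1)))] += 1
        except ValueError:
            continue  # hostname or junk in the host field
    return {ip: n for ip, n in hits.items() if n >= threshold}

def _sort_key(ip):
    addr = ipaddress.ip_address(ip)
    return (addr.version, int(addr))

def htaccess_block(ips):
    """Render deny rules in the same Apache 2.2 form as the snippet in the post."""
    rules = ["order allow,deny"]
    rules += [f"deny from {ip}" for ip in sorted(ips, key=_sort_key)]
    rules.append("allow from all")
    return "\n".join(rules)

# Constructed sample log: documentation-range addresses, placeholder URL.
_REQ = '[03/Jun/2009:16:2%d:01 -0400] "%s /cgi-bin/forum.cgi?action=report&post=123 HTTP/1.0" 200 512'
SAMPLE_LOG = (
    ["203.0.113.7 - - " + _REQ % (i, "POST") for i in range(4)]     # same bot, same post
    + ["198.51.100.23 - - " + _REQ % (5, "POST")]                   # one genuine report
    + ["192.0.2.50 - - " + _REQ % (i, "GET") for i in range(6, 9)]  # form views only
    + ["not a log line"]
)

if __name__ == "__main__":
    print(htaccess_block(repeat_reporters(SAMPLE_LOG)))
```

If the counts are spread thinly across many addresses instead of piling up on one, a per-IP deny list will not keep up, and disabling the feature or closing it to guests, as suggested elsewhere in the thread, is the more durable control.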

Re: SQL injection on 6.5 classic [Re: SigningsHotline] #227013
06/03/09 04:41 PM
Ruben
Joined: Dec 2003
Posts: 5,827
Lutz,FL
The fool is us. I don't recall a true captcha mod for classic but it was discussed several times at ubbdev.com. Somebody did add a Captcha feature with a human question answer feature at some point in time but never followed up on the modification. If they did it was lost in time.

If upgrading is out of the question, then try to use what tools you have at hand.
Such as turning off features that allow bots to harvest email accounts, closing the board to guests, email verification, etc.

Other than that you can block by IP not just by the classic control panel but by .htaccess if it is a repeat offender.


Re: SQL injection on 6.5 classic [Re: JAISP] #227058
06/05/09 12:05 PM
AllenAyres (Pooh-Bah)
Joined: Dec 2003
Posts: 2,046
Texas
Originally Posted by Gizmo
Originally Posted by AllenAyres
tho I don't think Charles fixed any SQL injection issues wink
Lol considering it's not MySQL based, I don't really see how he COULD fix SQL injection issues... let alone how there could be some... That'd be amazing...


umm... my point wink

Originally Posted by JAISP
I have been running classic since 1995


"# First version of UBB created May 7, 1996 (by Ted O'Neill)."

wink


Re: SQL injection on 6.5 classic [Re: AllenAyres] #227068
06/06/09 11:23 AM
JAISP (veteran)
Joined: Feb 2007
Posts: 1,318
Pennsylvania
OK, excuse me then, 1996. I had purchased the first version when they were only out like a few months. I still have the board archived and all of its posts as well. It was on a new site so I went by the domain registration date to get close. My mistake.

Anyway no one really cares, lol.

Re: SQL injection on 6.5 classic [Re: JAISP] #227077
06/06/09 06:01 PM
Ruben
Joined: Dec 2003
Posts: 5,827
Lutz,FL
Originally Posted by JAISP
OK, excuse me then, 1996. I had purchased the first version when they were only out like a few months. I still have the board archived and all of its posts as well. It was on a new site so I went by the domain registration date to get close. My mistake.

Anyway no one really cares, lol.

I agree Lockerman. (Sorry JAISP, just a habit with the name.)
Who cares except for the person with the problem.
I would suggest to him as stated by myself, you and others. Use security methods available or start the upgrade process.


Re: SQL injection on 6.5 classic [Re: Ruben] #227316
06/23/09 12:03 PM
AllenAyres (Pooh-Bah)
Joined: Dec 2003
Posts: 2,046
Texas
I actually care... do you still have the free version files from something like v1 or v2? I had them but lost them on some hard drive I can't find anymore frown

For posterity and all... we had it running on ubbdev a few years back but I can't find the files anymore.

