Addict (Joined: Oct 2007, Posts: 464, Likes: 11)
I'm seeing this in our logs:
Code
2.59.254.136 - - [06/Oct/2023:16:05:29 -0400] "GET /ubbthreads/ubbthreads.php?ubb=showflat%27%29%29%29%2F%2A%2A%2FaNd%2F%2A%2A%2F8301%2F%2A%2A%2FBeTWEEn%2F%2A%2A%2F%28sELEcT%2F%2A%2A%2FaNd%2F%2A%2A%2F%28sELEcT%28CAsE%2F%2A%2A%2FwhEN%2F%2A%2A%2F%288301%3D8301%29%2F%2A%2A%2FthEn%2F%2A%2A%2F8301%2F%2A%2A%2FelSe%2F%2A%2A%2F%28sELEcT%2F%2A%2A%2F1586%2F%2A%2A%2FuniON%2F%2A%2A%2FsELEcT%2F%2A%2A%2F2377%29%2F%2A%2A%2FenD%29%29--%2F%2A%2A%2Fpkgf&Board=1&Number=407581&Searchpage=3&Main=56047&Words=4%20barrel%20carb&topic=0&Search=true HTTP/1.1" 200 3206 "https://www.stovebolt.com/ubbthreads/ubbthreads.php" "Opera/9.01 (Windows NT 5.1; U; ru)"
2.59.254.136 - - [06/Oct/2023:16:05:31 -0400] "GET /ubbthreads/ubbthreads.php?ubb=showflat%%27%2F%2A%2A%2FAnd%2F%2A%2A%2F2508%2F%2A%2A%2FbetWEEn%2F%2A%2A%2F%28SELeCt%2F%2A%2A%2FAnd%2F%2A%2A%2F%28SELeCt%28CasE%2F%2A%2A%2FWHEn%2F%2A%2A%2F%282508%3D4408%29%2F%2A%2A%2FtHen%2F%2A%2A%2F2508%2F%2A%2A%2FElsE%2F%2A%2A%2F%28SELeCt%2F%2A%2A%2F4408%2F%2A%2A%2FuniON%2F%2A%2A%2FSELeCt%2F%2A%2A%2F5903%29%2F%2A%2A%2FENd%29%29--%2F%2A%2A%2FBkhs&Board=1&Number=407581&Searchpage=3&Main=56047&Words=4%20barrel%20carb&topic=0&Search=true HTTP/1.1" 200 3203 "https://www.stovebolt.com/ubbthreads/ubbthreads.php" "Opera/9.01 (Windows NT 5.1; U; ru)"
Here's what it looks like decoded:
Code
2.59.254.136 - - [06/Oct/2023:16:05:29 -0400] "GET /ubbthreads/ubbthreads.php?ubb=showflat')))/**/aNd/**/8301/**/BeTWEEn/**/(sELEcT/**/aNd/**/(sELEcT(CAsE/**/whEN/**/(8301=8301)/**/thEn/**/8301/**/elSe/**/(sELEcT/**/1586/**/uniON/**/sELEcT/**/2377)/**/enD))--/**/pkgf&Board=1&Number=407581&Searchpage=3&Main=56047&Words=4 barrel carb&topic=0&Search=true HTTP/1.1" 200 3206 "https://www.stovebolt.com/ubbthreads/ubbthreads.php" "Opera/9.01 (Windows NT 5.1; U; ru)"
2.59.254.136 - - [06/Oct/2023:16:05:31 -0400] "GET /ubbthreads/ubbthreads.php?ubb=showflat%'/**/And/**/2508/**/betWEEn/**/(SELeCt/**/And/**/(SELeCt(CasE/**/WHEn/**/(2508=4408)/**/tHen/**/2508/**/ElsE/**/(SELeCt/**/4408/**/uniON/**/SELeCt/**/5903)/**/ENd))--/**/Bkhs&Board=1&Number=407581&Searchpage=3&Main=56047&Words=4 barrel carb&topic=0&Search=true HTTP/1.1" 200 3203 "https://www.stovebolt.com/ubbthreads/ubbthreads.php" "Opera/9.01 (Windows NT 5.1; U; ru)"
Would there ever be a legitimate reason to have a select in the query string? I ask because if not, I'm going to block it in the .htaccess file.


The Stovebolt Geek
https://www.stovebolt.com/ubbthreads/ubbthreads.php

Server Information
UBB.threads Version 8.0.0
Release 20240826
Server OS Linux
Server Load 0.11
Web Server Apache/2.4.37
PHP Version 8.3.11
MYSQL Version 8.0.39
Database Size 1.82 GB
UBB.threads Developer (Joined: Apr 2004, Posts: 1,974, Likes: 154)
What is your reasoning for not using Friendly URLs?

Quote
Enabling Friendly URLs will generate URLs that are easy to read and include words that describe the content of the webpage. This allows most search engines to easily crawl your forum, and also allows for specially formatted URLs.

Secondly, if you refuse to process certain words on your domain, you may also be blocking legitimate links that contain those phrases, such as ones that are contained in discussion topics or user names.

Site logs are primarily meant for site admins to use as tools for debugging and adjusting site issues, as well as for reporting site actions.

In this case, you may be better off finding who the offender is that's attempting to bypass your forum's naturally generated URLs, and blocking them by absolute IP address if it's a frequent occurrence over a period of time.


current developer of UBB.threads php forum software
current release: UBB.threads 8.0.0 // wip: UBB.threads 8.0.1
isaac @ id242.com // my forum @ CelicaHobby.com
Addict (Joined: Oct 2007, Posts: 464, Likes: 11)
We are using friendly URLs. For example (from our logs):
Code
52.167.144.231 - - [01/Oct/2023:17:37:41 -0400] "GET /ubbthreads/ubbthreads.php/topics/1517985/what-the-heck-do-i-have-canada.html HTTP/1.1" 200 10777 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/103.0.5060.134 Safari/537.36"

I prefer not to block IPs because attackers will change IPs when blocked.

My question was: is there ever a legitimate reason to have a select in a query string? I would think not, but I wanted to verify with the developers. AFAIK you will only find select statements in the PHP files that do the processing of queries sent from a browser.


UBB.threads Developer (Joined: Apr 2004, Posts: 1,974, Likes: 154)
Correct, and when Friendly URLs are used, the letters "select" appear in common English words, such as selection, selecting, selector, selected, and select, among others.

As for the exact use of SQL selects appearing in URLs: no, for UBB.threads they only exist within the main PHP scripts. SQL queries are never used in the URLs.


Addict (Joined: Oct 2007, Posts: 464, Likes: 11)
Thank you for confirming that. I can use multiple RewriteConds to catch SQL injection without tripping on legitimate words like "selection" in URLs. So, for example:
Code
RewriteEngine On
# All RewriteConds must match (AND is the default), so a Friendly URL
# containing "selection" alone is not blocked. %{QUERY_STRING} is
# matched as sent, not URL-decoded, hence [NC] for the mixed-case payloads.
RewriteCond %{QUERY_STRING} select [NC]
RewriteCond %{QUERY_STRING} union [NC]
RewriteCond %{QUERY_STRING} else [NC]
RewriteRule ^ - [F]
would reject any SQL injection attempt that uses select AND union AND else, but would not match on select only.

Last edited by Baldeagle; 10/07/2023 12:45 PM.

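As an added illustration (this is not code from the thread, from UBB.threads, or from either poster), the Python below shows what the "select AND union AND else" rule in the post above actually does once the query string is seen the way the database would see it: it parses a few constructed Apache combined-log lines (documentation IPs; the first two reuse the obfuscated query strings quoted at the top of the thread, the third is a Friendly URL containing "selection", the fourth is a different probe), URL-decodes the query string, strips the /**/ comment padding, lower-cases, and applies the three-keyword conjunction. The function names, the sample lines and the `flagged_counts` per-IP tally are all assumptions made for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log lines in Apache "combined" format (documentation IPs).
# Lines 1-2: the obfuscated probes quoted in the thread. Line 3: a legitimate
# Friendly URL that contains the letters "select". Line 4: a classic probe that
# the three-keyword rule is NOT designed to catch.
SAMPLE_LOG = r'''203.0.113.7 - - [06/Oct/2023:16:05:29 -0400] "GET /ubbthreads/ubbthreads.php?ubb=showflat%27%29%29%29%2F%2A%2A%2FaNd%2F%2A%2A%2F8301%2F%2A%2A%2FBeTWEEn%2F%2A%2A%2F%28sELEcT%2F%2A%2A%2FaNd%2F%2A%2A%2F%28sELEcT%28CAsE%2F%2A%2A%2FwhEN%2F%2A%2A%2F%288301%3D8301%29%2F%2A%2A%2FthEn%2F%2A%2A%2F8301%2F%2A%2A%2FelSe%2F%2A%2A%2F%28sELEcT%2F%2A%2A%2F1586%2F%2A%2A%2FuniON%2F%2A%2A%2FsELEcT%2F%2A%2A%2F2377%29%2F%2A%2A%2FenD%29%29--%2F%2A%2A%2Fpkgf&Board=1&Number=407581 HTTP/1.1" 200 3206 "-" "Opera/9.01 (Windows NT 5.1; U; ru)"
203.0.113.7 - - [06/Oct/2023:16:05:31 -0400] "GET /ubbthreads/ubbthreads.php?ubb=showflat%%27%2F%2A%2A%2FAnd%2F%2A%2A%2F2508%2F%2A%2A%2FbetWEEn%2F%2A%2A%2F%28SELeCt%2F%2A%2A%2FAnd%2F%2A%2A%2F%28SELeCt%28CasE%2F%2A%2A%2FWHEn%2F%2A%2A%2F%282508%3D4408%29%2F%2A%2A%2FtHen%2F%2A%2A%2F2508%2F%2A%2A%2FElsE%2F%2A%2A%2F%28SELeCt%2F%2A%2A%2F4408%2F%2A%2A%2FuniON%2F%2A%2A%2FSELeCt%2F%2A%2A%2F5903%29%2F%2A%2A%2FENd%29%29--%2F%2A%2A%2FBkhs&Board=1&Number=407581 HTTP/1.1" 200 3203 "-" "Opera/9.01 (Windows NT 5.1; U; ru)"
198.51.100.20 - - [06/Oct/2023:16:07:02 -0400] "GET /ubbthreads/ubbthreads.php/topics/1517985/carb-selection-for-a-235.html?Words=selector HTTP/1.1" 200 10777 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Oct/2023:16:09:45 -0400] "GET /ubbthreads/ubbthreads.php?ubb=showflat&Number=1%27%20OR%201%3D1-- HTTP/1.1" 200 3100 "-" "curl/8.4.0"
'''

# Enough of the combined log format to pull out the client IP and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The AND rule from the .htaccess post: every token must be present.
REQUIRED_TOKENS = ("select", "union", "else")


def normalize_query(target):
    """Return the query string roughly as the database would see it:
    URL-decoded twice (to unwrap double encoding), /*...*/ comment padding
    replaced by spaces, whitespace collapsed, lower-cased."""
    qs = urlsplit(target).query
    decoded = unquote_plus(unquote_plus(qs))
    decoded = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)
    return re.sub(r"\s+", " ", decoded).strip().lower()


def looks_like_sqli(normalized_query):
    """Substring match on each token, which is what RewriteCond ... [NC]
    does, so 'selection' satisfies 'select' but is never flagged by itself:
    union and else must be present too."""
    return all(tok in normalized_query for tok in REQUIRED_TOKENS)


def scan_log(log_text):
    """Parse each line and return (ip, normalized_query, flagged) tuples;
    lines that do not parse as combined-format requests are skipped."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        q = normalize_query(m.group("target"))
        results.append((m.group("ip"), q, looks_like_sqli(q)))
    return results


def flagged_counts(log_text):
    """Hits per source IP: the input for the 'block the IP if it keeps
    happening' approach suggested earlier in the thread."""
    return Counter(ip for ip, _, hit in scan_log(log_text) if hit)


if __name__ == "__main__":
    for ip, q, hit in scan_log(SAMPLE_LOG):
        print("FLAG" if hit else "ok  ", ip, q[:90])
    print(dict(flagged_counts(SAMPLE_LOG)))
```

Two things the run makes visible. First, a keyword conjunction is a narrow signature: the two probes from the thread are flagged and the "selection" URL is not, but the fourth sample (`' OR 1=1--`) passes untouched, so the rule is a filter for one family of automated probes, not protection against injection in general. Second, this script decodes before matching, whereas mod_rewrite tests %{QUERY_STRING} as it arrived on the wire; a probe that percent-encodes a letter inside a keyword would be flagged here but would slip past the .htaccess rule, which is one more reason the developer's point that the application itself must sanitize input is the one that matters.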
UBB.threads Developer (Joined: Apr 2004, Posts: 1,974, Likes: 154)
SQL injection is already handled within the code by specific PHP calls, regex, and other means. There is nothing from the URL that touches the database without first being cleaned in some manner. And even then, the software uses its own means to trigger SQL interactions, rather than relying on what is coming from URLs.



Powered by UBB.threads™ PHP Forum Software 8.0.1
(Snapshot build 20240918)