SQL Injection issue

#5364 (In Topic #1225)
Ennea (Standard member, usergroup ‘Fan in action’)

could not post it in the tracker

I tried to post this in the tracker, but got this message:

APPLICATION ERROR #2800

Invalid form security token. This could be caused by a session timeout, or accidentally submitting the form twice.

Please use the "Back" button in your web browser to return to the previous page. There you can correct whatever problems were identified in this error or select another action. You can also click an option from the menu bar to go directly to a new section.
Issue description:

Last night, while posting in my forum and shortly after receiving a notice from Composr about inserting auto-saved content (I selected "no"), I lost access to my entire hosting account - my 2 domains and control panel. When I contacted support, they discovered that my IP had been blocked. This is a partial quote of the reason:

"IM360 WAF: Detects conditional SQL injection attempts||MVN:cms_autosave_&2Fforum&2Findex_php&3Fpage&3Dtopics&26type&3Dnew_topic&26id&3D10&3Apost="

The rest of the post that I didn't include pertains to guild stuff for an MMORPG game, so I doubt it's relevant here.

I am using the latest version of Composr (10.0.21).

Steps to reproduce:

I really don't know every step that triggered this and am afraid to try as I'd rather not lose access to my hosting account for hours again.

Compose a post in the forum or a Comcode page and let it auto-save.

#5365
Chris Graham (Site director, usergroup ‘Administrators’)
Hi,

Thanks for reporting.

This isn't actually a vulnerability, it's a false-positive from a web application firewall being overly strict.
The logged 'SQL' it is seeing doesn't even look like SQL.

I'll take a look at this IM360 rule when I can, and perhaps produce a workaround – but your web host has a responsibility to tune or disable the rule, because it's a restriction they're imposing which isn't part of any kind of standard or part of the software stack Composr is programmed to, and presumably not a restriction they are advertising on their terms and conditions etc.

The tracker will produce a security token if the post form was open a long time. Maybe I can tweak the timeout.


Become a fan of Composr on Facebook or add me as a friend. Add me on Twitter. Follow me on Minds (where I am most active). Support me on Patreon

Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about Composr whenever you see the opportunity or support me on Patreon.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying Composr on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.

#5366
Ennea (Standard member, usergroup ‘Fan in action’)
Thank you for the prompt reply and info, Chris!

#5374
Chris Graham (Site director, usergroup ‘Administrators’)
Workaround in ocproducts/composr@1746f62 on GitHub ("Workaround web application firewall false alarm on autosave cookie").

You may want to clear any existing cookies out from your site manually, in your web browser's developer tools, as this issue is in the naming of cookies which may still exist.

The fix changes how we name the cookies a little, stripping out special symbols the WAF thinks are hack-attempts.


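An added illustration of the naming problem and the kind of fix described in the thread (this is not Composr's own code): the legacy encoding is reconstructed from the cookie name quoted in the first post (assumption: the request path is percent-encoded, then `%` is swapped for `&` and `.` for `_`), the hardened form keeps only letters, digits and underscores as the commit message describes, and the short hash suffix is my own addition so that two paths which strip to the same text still get distinct cookies.

```python
import hashlib
import re
from urllib.parse import quote

# Constructed sample path, reconstructed from the cookie name quoted in the report.
EXAMPLE_PATH = "/forum/index.php?page=topics&type=new_topic&id=10:post"

# Runs such as "&2F" or "&3D" are the encoded punctuation the WAF reacted to.
ENCODED_PUNCT = re.compile(r"&[0-9A-Fa-f]{2}")


def legacy_autosave_cookie_name(path: str) -> str:
    """Reconstruction (assumption) of the pre-fix naming: percent-encode the
    path, then replace '%' with '&' and '.' with '_' to get a legal cookie token.
    The result is full of '&3D', '&26', ... sequences that look like an encoded
    attack string to a pattern-matching WAF."""
    encoded = quote(path, safe="")
    return "cms_autosave_" + encoded.replace("%", "&").replace(".", "_")


def safe_autosave_cookie_name(path: str) -> str:
    """Hardened naming: collapse every run of non [A-Za-z0-9_] characters to a
    single underscore, and append 8 hex chars of SHA-256 over the original path
    so that stripping symbols cannot make distinct pages share one cookie."""
    stripped = re.sub(r"[^A-Za-z0-9_]+", "_", path).strip("_")
    digest = hashlib.sha256(path.encode("utf-8")).hexdigest()[:8]
    return f"cms_autosave_{stripped}_{digest}"


def looks_like_encoded_punctuation(name: str) -> bool:
    """True if the cookie name still carries the '&XX' runs a WAF may flag."""
    return ENCODED_PUNCT.search(name) is not None


def is_plain_token(name: str) -> bool:
    """True if the cookie name contains only letters, digits and underscores."""
    return re.fullmatch(r"[A-Za-z0-9_]+", name) is not None


if __name__ == "__main__":
    print("legacy:", legacy_autosave_cookie_name(EXAMPLE_PATH))
    print("safe:  ", safe_autosave_cookie_name(EXAMPLE_PATH))
```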