Odd attack on my forum...

Jaxel

Well-known member
So today I'm looking at the error logs on my forums and I find a lot of this:

Zend_Db_Adapter_Mysqli_Exception: LIMIT argument offset=-40 is not valid - library/Zend/Db/Adapter/Mysqli.php:507
Generated By: Unknown Account, Today at 5:05 AM

Code:
#0 /public_html/library/XenForo/Model.php(243): Zend_Db_Adapter_Mysqli->limit('?????SELECT pro...', 20, 42949672920)
#1 /public_html/library/XenForo/Model/ProfilePost.php(70): XenForo_Model->limitQueryResults('?????SELECT pro...', 20, 42949672920)
#2 /public_html/library/XenForo/ControllerPublic/Member.php(228): XenForo_Model_ProfilePost->getProfilePostsForUserId(12439, Array, Array)
#3 /public_html/library/XenForo/FrontController.php(337): XenForo_ControllerPublic_Member->actionMember()
#4 /public_html/library/XenForo/FrontController.php(134): XenForo_FrontController->dispatch(Object(XenForo_RouteMatch))
#5 /public_html/index.php(13): XenForo_FrontController->run()
#6 {main}

Code:
array(3) {
  ["url"] => string(332) "http://8wayrun.com/members/robin.12439/?page=21111111111111+UNION+SELECT+CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45)+--++/*"
  ["_GET"] => array(1) {
    ["page"] => string(287) "21111111111111 UNION SELECT CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45) --  /*"
  }
  ["_POST"] => array(0) {
  }
}

This has me worried. I know XF uses prepared statements to prevent attacks like this; but the error confuses me. It's not an error I would expect to get with a prepared statement. Should I be worried?
 
What is your XF version? I could not reproduce this as Page params always be filtered as UINT, all of sql injection part would never be passed into your SQL query.
 
Yep. Confirm on 1.2. But this is not because of injection string, it is because of out of range for offset value. It does not affect or harm to our DB. Just a error when user request invalid page. But yes, it is good if XF could handle this situation.
 
Top Bottom