XF 2.2 SQL Injection Warnings

Bonsai Coder

Bonsai Coder

Active member
Some of my users report that when posting a long response (or taking a long time to type a response) they will sometimes get locked out of the site for an hour... after which they are allowed to return and everything runs as normal.

Looking into my server, I have ModSecurity enabled, and see a lot of "Rule 300016: Generic SQL injection protection" hits.

Here is an example:
Request: POST /threads/satsuki-repot.45070/draft

Action Description: Access denied with code 500 (phase 2).

Justification: Pattern match "(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\\(.*from)" at ARGS:message_html.
Click to expand...
The same hits are being triggered several times by the same user trying to "post" or "edit" the same content:
Request: POST /threads/satsuki-repot.45070/add-reply

Action Description: Access denied with code 500 (phase 2).

Justification: Pattern match "(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\\(.*from)" at ARGS:message_html.
Click to expand...
Now I can just disable ModSecurity... but I'd like to try to understand these SQL injection warnings. Are they false positives? Or is there a real security risk?
 
Sort by date Sort by votes
Hmm ... message_html ist der field for the editor content, eg. the post/message itself.
Would be quite interesting to know the full string the was submitted.
 
Upvote 0 Downvote
Yes would be interesting to see more. message_html in its raw format doesn’t go anywhere near the database as it is rendered to BB code before writing so very likely to be a false positive though I wonder if they are at least trying for potential vectors that way.

Alternatively someone could just be trying to post a SQL code snippet. Does that potentially match up with content someone might post on your forum @Bonsai Coder?
 
Upvote 0 Downvote
Definitely not posting SQL - just a ton of quotes and responses to posts. The only thing I can think of would be the use of "@" in the post to reference a user(?)

I wasn't able to replicate the issue until yesterday, and then it occurred when I was truly doing nothing more than responding to a post. I responded, and then went in and edited my post a couple of times, and then when I tried to repost I found myself locked out of my own site; the firewall had blocked my IP :)
 
Upvote 0 Downvote
Ok so at the risk of reading too much gardening info, here is text that will trigger the firewall hit if sent as a complete unit via PM:

Has it really be in there for 5 years? That's a really long time, especially for a mix of that type. Keeping it in there is also a type of risk. Since it is late winter for you it is dormant.

I may have said the thing about 'i've read somewhere that some don't take to Kanuma easily when grown in the ground'. But if you mean me, then you misunderstood me. I was talking specifically about new cultivar. And that a genetic flaw that a new cultivar may have is that they don't do well under certain conditions.

Whatever you have was likely selected in Japan for doing well as a bonsai in kanuma. We can have another debate about if a plant that has exceptional vigor in kanuma in Japan will have the same exceptional vigor when in peat in Europe, NA or NZ.

This likely is going into another training pot? Hard for me to judge how much it did grow as you say you pruned it heavily and it is winter now. I think I would put it in a shallow training pot with 50-50 kanuma-ericacious mix. I feel this is a safer option. The larger the pot, the easier it is to water properly, the less important having 100% kanuma is.



I would find a shallower pot with maybe only a slightly smaller diameter. Make sure it has very good draining holes. Not just one tiny hole. Plastic nursery pots show the proper amount of drainage holes. Terracotta pots never have, unless they are bonsai pots from Japan. Put a layer or large grain kanuma in the bottom would be best, but optionl. Then mix 50-50 ericacious mix and normal size kanuma. Put a layer on top of the large drainage kanuma. Then take your azalea out of the pot it is in now and look at the roots. You think it is not pot bound? I would say that it probably isn't. So then try to wash away old soil with water. If it is pot bound, rake open the rook ball. Then place it in the new pot and make sure your roots are at the right level. You will only be adding a very shallow layer of mix on top of your roots, so that you can no longer see the roots. Not more. If you were planting a nursery azalea in your garden, you would actually keep the root ball a cm above the soil layer and then put mulch up to the top of the rootball to keep the top roots cool.

This youtube channel has many videos of azalea bonsai being repotted. Most of them are 50 years old and go back into bonsai pots. So there is a lot of root pruning to maintain or develop nebari, that you could skip.



https://www.youtube.com/channel/UC1rEamX-tmBE6ZbqDe2IVdQ



Think about how you could be harming it by repotting it? I think you said that frost risk is over. It is dormant right now. You aren't going to be taking away a lot of roots either. And if it turns out it does have a lot of roots and it does need some root ball raking. Think about how much leaves it has right now vs how much roots. And about how much water it will be needing. These are the summer leaves that it keeps during winter. These are specialized to not lose a lot of moisture in case the plant freezes solid and cannot take up any water.

As for whether to repot it nor or in two weeks, I don't know your climate. The most perfect timing would be to do it just before the roots start to grow. But if you can't hit that perfect timing, doing it a week too early is better than doing it a week after the roots started growing. Because then you maybe cutting or damaging newly grown roots. And note that roots start growing earlier than the first sign of new buds.
Click to expand...
If this text is split into two sections, and each section is sent separately, it does not appear to trigger the security alert.
 
Upvote 0 Downvote
Just to close this thread in case someone has the same issue. It was a single firewall rule in mod_sec that was causing the false positives. When that one rule was whitelisted, the errors disappeared. Any combination of text, followed by the letters "select" followed by any combination of text, followed by the letters "from" would trigger the error. For example:

"The best selection of frommage is found in France" would trigger the firewall - and five attempts to post it would get you an IP block.
 
Last edited:
Upvote 0 Downvote
That's quite amusing. Thanks for the update. We often don't get as much detail when an issue is triggered by mod_security or similar so to have a bit of closure on it is interesting.
 
Upvote 0 Downvote
domain .com /?query=query%25%27+AND+3667%3D8756%2516




this is a sql injection vulnerability no one listens to me at all i am using xenforo 2.1
is this a known vulnerability which is fixed?
 
Upvote 0 Downvote
There is no functionality within XenForo that would allow you to arbitrarily pass SQL into a URL, have that parsed and be executed as a MySQL query.

If this “pentester“ was legitimate they would be able to provide a proof of concept to demonstrate the issue. I highly doubt they can.

I hope this isn‘t a service you’re paying for…
 
Upvote 0 Downvote
Just an FYI, here is a list of Mod Security Rules that I found were often falsely triggered and needed to be disabled for either XenForo or WordPress sites.

Code: 
300006 - triggered when url has ".../", url would return a 500 server error, turning off rule url gives a 404 error as it should
300014 - triggered when adding new resources to download (XenForo)
300015 - triggered when adding new resources to download (XenForo)
300016 - triggered when adding new resources to download (XenForo)
332039 - blocked Google IPs from getting robots.txt file
340162 - unable to upload or save resources (XenForo)
340163 - unable to upload or save resources (XenForo)
933100 - unknown
933150 - unknown
941160 - unable to save page edits (WordPress)
949110 - unable to save page edits (WordPress)
980130 - unable to save page edits (WordPress)
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

B
XF 2.2 $finder sql injection question
Replies
2
Views
484
briansol
B
H7ML
  • Locked
  • Question Question
SQL Injection Protection
Replies
1
Views
1K
Paul B
Paul B
NandorHUN
  • Question Question
XF 2.2 What's the best way to manage two user groups in a forum? (Multiple solutions: which one is the best? )
Replies
7
Views
893
NandorHUN
NandorHUN
Brad Padgett
  • Question Question
How Safe Are you From SQL Injection Without Mod Security on Xenforo 2?
Replies
15
Views
3K
bevans84
B
abdfahim
XF 2.0 Is it a safe approach to avoid SQL injection?
Replies
1
Views
784
Chris D
Chris D
Top Bottom