Odd attack on my forum...

Jaxel

Well-known member
So today I'm looking at the error logs on my forums and I find a lot of this:

Zend_Db_Adapter_Mysqli_Exception: LIMIT argument offset=-40 is not valid - library/Zend/Db/Adapter/Mysqli.php:507
Generated By: Unknown Account, Today at 5:05 AM

Code:
#0 /public_html/library/XenForo/Model.php(243): Zend_Db_Adapter_Mysqli->limit('?????SELECT pro...', 20, 42949672920)
#1 /public_html/library/XenForo/Model/ProfilePost.php(70): XenForo_Model->limitQueryResults('?????SELECT pro...', 20, 42949672920)
#2 /public_html/library/XenForo/ControllerPublic/Member.php(228): XenForo_Model_ProfilePost->getProfilePostsForUserId(12439, Array, Array)
#3 /public_html/library/XenForo/FrontController.php(337): XenForo_ControllerPublic_Member->actionMember()
#4 /public_html/library/XenForo/FrontController.php(134): XenForo_FrontController->dispatch(Object(XenForo_RouteMatch))
#5 /public_html/index.php(13): XenForo_FrontController->run()
#6 {main}

Code:
array(3) {
  ["url"] => string(332) "http://8wayrun.com/members/robin.12439/?page=21111111111111+UNION+SELECT+CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45)+--++/*"
  ["_GET"] => array(1) {
    ["page"] => string(287) "21111111111111 UNION SELECT CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45) --  /*"
  }
  ["_POST"] => array(0) {
  }
}

This has me worried. I know XF uses prepared statements to prevent attacks like this; but the error confuses me. It's not an error I would expect to get with a prepared statement. Should I be worried?
 
What is your XF version? I could not reproduce this, as page params are always filtered as UINT; the SQL injection part would never be passed into your SQL query.
 
Yep. Confirmed on 1.2. But this is not because of the injection string; it is because the offset value is out of range. It does not affect or harm our DB. It is just an error when a user requests an invalid page. But yes, it would be good if XF could handle this situation.
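Added example (not part of the thread and not XenForo code): a short Python check that ties the numbers in the logged error together. It assumes the server cast the offset to a signed 32-bit integer, and `uint_prefix` is a simplified stand-in for a numeric input filter; all function names are hypothetical.

```python
import re

PER_PAGE = 20  # second argument to limit() in the logged stack trace

# Values copied from the error log in the first post
# (payload shortened here to the first and last CHAR() calls).
LOGGED_PAGE = ("21111111111111 UNION SELECT CHAR(45,120,49,45,81,45),"
               "CHAR(45,120,49,48,45,81,45) --  /*")
LOGGED_OFFSET = 42949672920


def uint_prefix(raw):
    """Keep only the leading digits, as a numeric filter would (simplified stand-in)."""
    m = re.match(r"\s*(\d+)", raw)
    return int(m.group(1)) if m else 0


def page_for_offset(offset, per_page=PER_PAGE):
    """Invert offset = (page - 1) * per_page to recover the page that was used."""
    return offset // per_page + 1


def to_int32(n):
    """Truncate to a signed 32-bit integer (assumption: 32-bit cast on the server)."""
    n &= 0xFFFFFFFF
    return n - 0x100000000 if n & 0x80000000 else n


def decode_char_markers(payload):
    """Decode each CHAR(a,b,...) call in a logged payload to the string it spells."""
    return ["".join(chr(int(c)) for c in args.split(","))
            for args in re.findall(r"CHAR\(([\d,]+)\)", payload)]


if __name__ == "__main__":
    # The numeric filter keeps the digits only; the UNION SELECT text is discarded.
    print("filtered page value:", uint_prefix(LOGGED_PAGE))
    # The logged offset corresponds to page 2**31 - 1, which suggests the page
    # number was capped at the 32-bit signed maximum before the multiply (inference).
    print("page behind logged offset:", page_for_offset(LOGGED_OFFSET))
    # Truncating that offset to 32 bits gives the value in the exception message.
    print("offset after 32-bit cast:", to_int32(LOGGED_OFFSET))
    # The CHAR() calls only spell out numbered marker strings.
    print("markers:", decode_char_markers(LOGGED_PAGE))
```

The result matches the `offset=-40` in the exception, so the error comes from integer range handling of the page number, not from the injected text reaching the query.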
 