Through bug reports from our users we have found a potential vulnerability in CommunitySEO that when exploited may allow a malicious user to perform a limited SQL injection on your site (IPB filters UNION and sub-select queries). The scope of the attack is very limited and no such attacks have been reported to date. Nevertheless, we pledge to patch all reported and confirmed security issues as soon as we are notified and as a result we are releasing 1.1.4 P1.

To upgrade, download the main package from your client area and upload only the ipb_seo.php file in your root forum directory. No other action is required (you do not need to run the upgrader).

So easy, Thanks for Security update!

Dan and I researched this a bit more and wanted to point out that IPB already provides some strong protections against SQL injection. For example, UNION and sub-select queries are filtered, and as a result it is extremely unlikely any sensitive data could be obtained. Still, we would never want to leave a potential issue sitting unreported and unresolved.

Indeed, We know the post may come off as doomsday, but thats only because we want to release updates for anything even if its a "one in a million chance" - we want all bases covered.

Someone might be attempting to exploit what this patch fixes from the looks of my logs.

I estimate about 30 hits in serveral mins from many hosts that look like this.



I've managed blocked any such future requests by blocking the refer. This is the second such attack in a week on my site using the same code found at http://rundude.pop3.ru/body?

Well, in order for them to trigger the error, you'd have to see special characters (quotes and such) in the referrer. Even then, as stated before, it's highly unlikely they'd get anywhere, because IPB blocks all the normal avenues a hacker would take (sub-select or union-select query).

Nevertheless, to be safe I'd just upload the ipb_seo.php file currently in the client area downloads section. It only takes a second to do.

I did was just letting you get a look at the attack code some was trying to use on the site.

They are using communityseo ipb_seo.php as a tinyurl of sorts, redirecting zombies or users to go to ipb_seo.php?url=blah

I will talk to admin about the possibility of allowing users to rename the ipb_seo.php file @ will via configs.

Its strange, because we also had hundreds of users requesting the url over and over again and we couldnt figure out why.

I'm getting hammered in the same way - how did you block the refer, please?

Also, I tried uploading the file mentioned at the start of this thread and it crashes my board with the follwing error:



Any ideas, anyone?

tia,

Elton

If you're getting that error it means ioncube isn't installed. Try uploading the included ioncube folder, but if that fails you'd need to contact your host and ask them to install ioncube.

In all honesty, you should have been getting errors all along if you are getting that error now.

That's just it - afaik, Ioncube *is* installed. It's my own server and Ioncube had to be installed before we added your software originally. I'll ask a techy friend to confirm the state of play.

Any advice regarding this rundude.pop3.ru issue? I've Googled it and it appears that it may relate to Community SEO.

atb,

Elton

Alright guys, here's a quick and easy "fix" for whoever is doing this.

By the way, if you google the URL they're not attacking CommunitySEO specifically. I see attacks against Mamba logged elsewhere too. I've gone over the code in question in great detail the last 2 days and determined there is nothing to worry about on CommunitySEO's end (we take the URL, log the request, and redirect you, and that's about it).

This .htaccess rule will block the request sending a 403 error (if that specific url is requested)



Just add the code to your forums .htaccess file right at the top of the file below RewriteBase.



Feel free to try the link here to confirm it's Forbidden.

I am having to clean dozens of that crap out every day now.

See my post above. The .htaccess rule should block them before the php script even runs.

Seems to have worked for me

Any idea what they would have been achieving by doing whatever it is they were doing?

Nothing really. The page they are linking to is an exploit, but CSEO isn't exploitable in this area so I think they're just poking right now trying to see if they can find a problem. Ultimately all they acheive is a typical DOS attack, which you can't protect from at the script level effectively.

Thanks. They appear to have gone away on their own after my previous post.

Na he switched urls, hit me again from http://holengirl.eclub.lv/images/me?

Already emailed upstream providers and added following to my .htaccess right under line provided by admin.



Edit:

And added following IP blocks to my deny list as theres no reason for a server from the planet to be querying my server anyway.



This post has been edited by twistedgamer: Feb 1 2008, 08:57 PM

If his server is at the planet you can probably contact the planet - they're a big host and are based in the US, so would likely respond to a complaint such as this.

I did. Hopefully they pull the box off line soon.

Got hit again today from the old website from this ip block


Emailed them and there up stream.

This person is persistent thats for sure.