Admin Tools

Thursday, 29 March 2012 08:47 CDT

user25168

Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? No
Have I searched the tickets before posting? No
Have I read the documentation before posting (which pages?)? No
Joomla! version: 2.5.3
PHP version: 5.3.10
MySQL version: 5.2.X
Host: psmza.anjungilmu.net
Admin Tools version: 2.2.2

Description of my issue:
AdminTools does not stop this..

?forwardie6=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))

This site uses Warp FrameWork from Yootheme.

Using this code to, ?forwardie6='"--> will show Apache Frontpage.

How to fix this

Thursday, 29 March 2012 08:48 CDT

nicholas

This is an SQL injection attack, not an XSS attack. Have you enabled the SQLiShield feature in Configure WAF?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 29 March 2012 09:03 CDT

user25168

Nick, i was referring to the other one,

?forwardie6='"--></style></script><script>netsparker(0x000007)</script>

Sorry seems that I forgot to use the code features.

the SQLiShield was enable, but still it was not stop.
How to stop this?

Thursday, 29 March 2012 09:10 CDT

nicholas

Regarding the XSS code, when I try it on my test servers I get a 403 page because I am using the .htaccess Maker which prevents that code from working.

Regarding the SQL injection, well, you can't have a 100% protection. We both know that this is an SQL injection because we are humans and we do fuzzy pattern matching. If you try to do that at the server level you will either have something dead slow or something which will throw a lot of false positives. It's just one of the edge cases which can't be caught.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 29 March 2012 09:22 CDT

user25168

I was suspecting this is due to yootheme Warp Framework.

About the XSS, what I do now is I just redirect the Apache Welcome Page to index.php, which is not found. So I think that is just a temporary solution.

But I have no Idea to prevent the SQLi.

Is there any suggestions to prevent this two?

Thursday, 29 March 2012 09:23 CDT

nicholas

Regarding the XSS, you can use the .htaccess Maker to generate a .htaccess. That's all there is to it.

Regarding the SQLi, apart from writing your own redirection rule to catch this particular case, I can't think of any other way to do it.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 30 March 2012 08:59 CDT

user25168

Tq Nick, already solve the SQLi case by using this code..

RewriteCond %{QUERY_STRING} [^a-z](declare|char|set|cast|convert|delete|drop|exec|insert|meta|script|select|truncate|update)[^a-z] [NC]
RewriteRule (.*) - [F]

Thanks

Friday, 30 March 2012 09:04 CDT

nicholas

Just a heads up. This is similar to the SQLi detection code I was using before writing Admin Tools 1.x (right now I'm using the third generation of my SQLi detection regex in Admin Tools). The major problem is that it throws too many false positives. For example, writing "I have to update this" matches this regex, because space is not a character from a-z. If you don't expect your users to input free text (e.g. use a forum) on your site, that RegEx will work. With free text, however, you're in for trouble.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 30 March 2012 09:09 CDT

user25168

For the time being, this site does not use any forum whatsoever. Until the webdesigner found another alternative for Yootheme warp framework, which use forwardie6, then I think it is ok for the moment.

But I will always looking for another alternative to stop the SQLi from my website.
Tq

Friday, 30 March 2012 11:51 CDT

nicholas

One other thing you could do is to turn off the IE6 warning message and create a RewriteRule to throw a 403 when the forwardie6 query parameter is present in the URL. IE6 is a tiny percentage of the web; I don't think many people will notice if you don't offer them a warning about the need to upgrade their browsers :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support

#11760 AdminTools does not stop xss

This is a public ticket

Environment Information

Thursday, 29 March 2012 08:47 CDT

Thursday, 29 March 2012 08:48 CDT

Thursday, 29 March 2012 09:03 CDT

Thursday, 29 March 2012 09:10 CDT

Thursday, 29 March 2012 09:22 CDT

Thursday, 29 March 2012 09:23 CDT

Friday, 30 March 2012 08:59 CDT

Friday, 30 March 2012 09:04 CDT

Friday, 30 March 2012 09:09 CDT

Friday, 30 March 2012 11:51 CDT

Please wait

Support Information