Posts: 112 Location: Mexico
Sun 06 Apr, 2008 17:53
Subject: SQL Injection In My Forum :(
Hi people.
This time I have detected an SQL injection in my forum.
Can you see the images?
This appears in my private msg inbox
This is the body of the msg
And this appears in the library...
I'm checking the logs for more information.
This is not a request for help XD
it's informative to all the community...
I will give you more information soon...
EDIT: my forum version is 1.27 with all patches installed...
Sorry for posting in the incorrect place, but I'm so confused
Greetz!
Posts: 608 Location: Classified
Sun 06 Apr, 2008 18:01
Subject: Re: SQL Injection In My Forum :(
Is this an injection into the knowledge base? I think the best thing is to remove the knowledge base scripts if you don't use it ;)
Posts: 112 Location: Mexico
Sun 06 Apr, 2008 18:06
Subject: Re: SQL Injection In My Forum :(
Is this an injection into the knowledge base? I think the best thing is to remove the knowledge base scripts if you don't use it ;)
Good idea :wink:, I have done it now.
So, I can't find the log for that entry jojo
Surely it was an attack from some script kiddie
Thanks for the answer
Posts: 608 Location: Classified
Sun 06 Apr, 2008 20:09
Subject: Re: SQL Injection In My Forum :(
If I recall there were a number of possible injections into knowledge base, but I think they are patched - so possibly when they tried to do it, it triggered the private message, but they weren't actually able to insert the message in knowledge base?
Sometimes this sort of thing is actually done by a bot - the way to tell is to look at your server's raw logs. Look for any tell-tale signs, like trying to access knowledgebase. If all you see is a couple of lines directly attempting to insert into the script, and not a load of rows of text for the same IP, each one relating to a different part of your webpage (such as images, stylesheets and so on), then the webpage wasn't even loaded; it was just an attempt by a bot to insert via URL string. Often bot creators try and spoof browsers; it's easy to create a C++ application that trawls the web and gives false header info - indeed even Mozilla can be tweaked to declare itself as IE - this used to be necessary a couple of years ago when a lot of site content was deliberately made MS-only (maybe not by the developers themselves, but because they used MS web packages, often based on shoddy ASP).
This is a guess, since I've never used/inspected knowledge base, but the attempt might not be detected by cracker tracker because it might be a legitimate query string normally used by the mod to send data; you couldn't put that query in the cracker tracker search pattern because it would stop legitimate users. If the data doesn't exist in your knowledge base, then that means it's secure, and what we have now is a bug in the message management system, sending messages without checking that the data is actually in your database... just a guess mind you ;)
Perhaps to rule it out, did you check your database and find anything in there?
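The log-reading heuristic described in the reply above (one IP that only requests the knowledge base script, with none of the page's images or stylesheets fetched for the same address) can be checked mechanically. The following Python is an added example written for this thread, not code from the forum software or from any poster; the script name kb.php, the Apache "combined" log format and the sample log lines are all constructed assumptions.

```python
import os
import re
from collections import defaultdict

# Constructed sample Apache "combined" log lines (not the poster's real logs).
# 203.0.113.7 hits only the knowledge-base script with a query string and never
# fetches the page's stylesheet or images; 198.51.100.23 loads the page like a
# browser would; 192.0.2.44 never touches the script at all.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Apr/2008:17:40:02 -0500] "GET /kb.php?mode=add&title=x HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [06/Apr/2008:17:40:03 -0500] "POST /kb.php?mode=add HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.23 - - [06/Apr/2008:17:41:10 -0500] "GET /kb.php?mode=cat&cat=1 HTTP/1.1" 200 14321 "http://forum.example/index.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13"
198.51.100.23 - - [06/Apr/2008:17:41:10 -0500] "GET /templates/default/style.css HTTP/1.1" 200 8210 "http://forum.example/kb.php?mode=cat&cat=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13"
198.51.100.23 - - [06/Apr/2008:17:41:11 -0500] "GET /images/logo.gif HTTP/1.1" 200 3344 "http://forum.example/kb.php?mode=cat&cat=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13"
192.0.2.44 - - [06/Apr/2008:17:42:00 -0500] "GET /index.php HTTP/1.1" 200 20100 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13"
"""

# Apache combined format: host ident user [time] "method target protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# File types a real browser fetches after rendering a page.
ASSET_EXTENSIONS = {".css", ".js", ".gif", ".png", ".jpg", ".jpeg", ".ico"}


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def classify_clients(entries, script="kb.php"):
    """Group requests by client IP and say whether each client looked like a browser or a bot.

    The script name defaults to the assumed knowledge-base script kb.php.
    Verdicts:
      direct-script-only  - hit the script but never fetched any page asset (bot-like)
      browser-like        - hit the script and also fetched stylesheets/images
      no-script-access    - never requested the script
    """
    per_ip = defaultdict(lambda: {"script_hits": 0, "asset_hits": 0,
                                  "total": 0, "user_agents": set()})
    for e in entries:
        path = e["target"].split("?", 1)[0]          # drop the query string
        ext = os.path.splitext(path)[1].lower()
        stats = per_ip[e["ip"]]
        stats["total"] += 1
        stats["user_agents"].add(e["ua"])           # a spoofed UA still shows up here
        if path.endswith("/" + script):
            stats["script_hits"] += 1
        elif ext in ASSET_EXTENSIONS:
            stats["asset_hits"] += 1
    for stats in per_ip.values():
        if stats["script_hits"] and not stats["asset_hits"]:
            stats["verdict"] = "direct-script-only"
        elif stats["script_hits"]:
            stats["verdict"] = "browser-like"
        else:
            stats["verdict"] = "no-script-access"
    return dict(per_ip)


if __name__ == "__main__":
    for ip, stats in classify_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{ip:16} {stats['verdict']:20} script={stats['script_hits']} "
              f"assets={stats['asset_hits']} total={stats['total']}")
```

Run against a real access log, the "direct-script-only" bucket is the set of addresses the reply describes: a couple of lines aimed straight at the script and nothing else. The user-agent string is recorded but not trusted, since, as the reply notes, it is trivially spoofed; the absence of asset requests is the stronger signal.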
Posts: 112 Location: Mexico
Sun 06 Apr, 2008 23:14
Subject: Re: SQL Injection In My Forum :(
Understood, the only trouble is that there is no user with that name (hpruleb)
This means: how could it be a legitimate post request if there is no known user?
I'm so nervous about this question.
For now I've removed the post.
But I posted the info because I think you must be informed...
It's not a critical fact, but it must be explained...
Greetz and thanks for the explanation, moreteavicar
Posts: 7192 Location: Borgo San Michele
Mon 07 Apr, 2008 01:35
Subject: Re: SQL Injection In My Forum :(
I don't think it is an injection... did you check your KB permissions?
Are you sure that guests cannot post there?
Posts: 112 Location: Mexico
Mon 07 Apr, 2008 16:42
Subject: Re: SQL Injection In My Forum :(
I don't think it is an injection... did you check your KB permissions?
Are you sure that guests cannot post there?
I did check that and guests cannot post on the KB.
Like I said, there is no user with that name, but the image appears as if there were, so.
I think that is an old problem that has been happening on various forums...
So thanks again, and if this turns out to be a true SQL injection it's one point for me jejejeje
I have been looking for possible SQL syntax in milw0rm and related sites but there is nothing of importance...
So thanks again, I hope this is a false alarm
Posts: 2
Wed 09 Apr, 2008 13:37
Subject: Re: SQL Injection In My Forum :(
Change permissions and there are problems.
:wink:
Posts: 112 Location: Mexico
Thu 10 Apr, 2008 23:06
Subject: Re: SQL Injection In My Forum :(
Change permissions and there are problems.
:wink:
:guns: Are you the boy? :
LOL:
But in my ACP the guests cannot post...
Well thanks, now I know what the problem is...
Thanks to all the people that posted in this topic...
Greetz to all!!! :kid:
Posts: 2
Fri 11 Apr, 2008 03:14
Subject: Re: SQL Injection In My Forum :(
I pray for nothing.
:wink: