Possible MySQL Injection, any way to prevent this?

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • Speedy
    Member
    • Oct 2007
    • 34
    • 4.0.x

    [Forum] Possible MySQL Injection, any way to prevent this?

    Today vBulletin sent me the following email (database error) with the title "vBulletin (Upgrade) Database Error":
    Code:
    Database error in vBulletin 4.0.3:
    
    Invalid SQL:
    ALTER TABLE user ADD birthday_search DATE NOT NULL DEFAULT '0000-00-00';
    
    MySQL Error   : Duplicate column name 'birthday_search'
    Error Number  : 1060
    Request Date  : Tuesday, May 25th 2010 @ 10:53:11 AM
    Error Date    : Tuesday, May 25th 2010 @ 10:53:11 AM
    Script        : http://www.techlifezone.com/install/upgrade_300.php?step=1
    Referrer      : http://www.techlifezone.com/install/upgrade_300.php?rand=1274777576
    IP Address    : 122.174.160.230
    Username      :
    Classname     : vB_Database
    MySQL Version : 5.0.90-community
    This looks like some kind of MySQL injection. Is there a way to prevent this? I'm running vBulletin 4.0.3 (forums only). I've blocked the IP address in my server's firewall.

    UPDATE: It appears that the IP address belongs to one of my admins just after the incident occurred (had a different IP before that), but he's unable to perform SQL injections because he only has basic computer knowledge.
    Last edited by Speedy; Tue 25 May '10, 2:08am.
  • Carnage-
    Senior Member
    • Jan 2005
    • 758
    • 3.8.x

    #2
    delete the install directory from your vbulletin installation
    Some of my Mods:
    Advanced IP Ban Manager (vb3.6+ version) - Fine grained control over blocking trouble makers.
    Advanced IP Ban Manager (vb4 version) - Fine grained control over blocking trouble makers.
    Use Original thread for Comments - Uses the original thread for comments for any forum threads promoted to CMS articles.
    Custom Friendly Urls - Allows customisation of forum urls from the admin CP.

    Comment

    • feldon23
      Senior Member
      • Nov 2001
      • 11291
      • 3.7.x

      #3
      Trying to re-run your vBulletin install/upgrade is not a MySQL injection flaw.

      Comment

      • Speedy
        Member
        • Oct 2007
        • 34
        • 4.0.x

        #4
        Originally posted by Carnage-
        delete the install directory from your vbulletin installation
        Thanks for the advice. I thought that I only had to remove the install.php file.

        Originally posted by feldon23
        Trying to re-run your vBulletin install/upgrade is not a MySQL injection flaw.
        I thought it was an injection because it mentioned Invalid SQL.

        Comment

        • Zachery
          Former vBulletin Support
          • Jul 2002
          • 59097

          #5
          He has your customer number and is trying to run the upgrade script, he forceably chose to override the warning saying not to run the script. You only do have to remove install.php.

          Comment

          • Speedy
            Member
            • Oct 2007
            • 34
            • 4.0.x

            #6
            Originally posted by Zachery
            He has your customer number and is trying to run the upgrade script, he forceably chose to override the warning saying not to run the script. You only do have to remove install.php.
            Thanks for the information

            Comment

            widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
            Working...