Author Topic: SQL Injection vulnerability

Mallepree

  • Guest
SQL Injection vulnerability
« on: February 27, 2016, 11:20:41 AM »
Sorry... but WBCE definitively is NOT WebsiteBaker.

As the development of WBCE took place from the beginning without any consultation with WB, it's no longer guaranteed that all functions and files are compatible.

Therefore, I must strongly warn against using patches from third-party software.

Only yesterday we were called liars in the WBCE forum when we gave out a security alert here.
This behavior is certainly not a basis for fair cooperation.

Manuela
« Last Edit: February 27, 2016, 01:08:44 PM by DarkViper »

Offline Tez Oner

  • Posts: 257
  • "...it's possible..."
    • VA-MDS / MMO | communications
Re: SQL Injection vulnerability
« Reply #1 on: February 27, 2016, 08:52:54 PM »
Do I understand it correctly the SQL Injection Fix zip-file can be installed as an Addon?
Or manually by FTP?

Cheerz,

Tez Oner
Tez | VA-MDS / MMO | communications
--------------------------------------------
info@va-mds.com / http://va-mds.com

Offline jacobi22

  • Posts: 5863
  • Gender: Male
  • Support also via PM or EMail
    • Jacobi22
Re: SQL Injection vulnerability
« Reply #2 on: February 27, 2016, 10:13:56 PM »
Do I understand it correctly the SQL Injection Fix zip-file can be installed as an Addon?
Or manually by FTP?


manually by FTP

see readme:
Step 1
- Upload all the files into the corresponding directories on your Webspace


P.S.: the "install" folder included in this package is not needed, nor is config.php.new
Those who don't want to find reasons; those who want to find ways.

Offline Tez Oner

  • Posts: 257
  • "...it's possible..."
    • VA-MDS / MMO | communications
Re: SQL Injection vulnerability
« Reply #3 on: March 16, 2016, 11:32:54 PM »
Hey,

got this error trying to run the upgrade script:

Code:
There was an uncatched exception: Unknown MySQL server host 'mysql02:3306' (2) in line (51) of (/framework/class.database.php)
Any ideas? Tried it several times, but the error keeps showing up.


Cheerz,

Tez Oner

Offline jacobi22

  • Posts: 5863
  • Gender: Male
  • Support also via PM or EMail
    • Jacobi22
Re: SQL Injection vulnerability
« Reply #4 on: March 17, 2016, 06:17:42 PM »
Looks to me like an old module that uses a mysql function instead of mysqli (maybe mysql_connect) in the file "upgrade.php" of this module.
You can start the manual upgrade for all the non-core modules you use (not delivered with the SP package) to find the troublemaker.

Offline Tez Oner

  • Posts: 257
  • "...it's possible..."
    • VA-MDS / MMO | communications
Re: SQL Injection vulnerability
« Reply #5 on: March 17, 2016, 10:35:52 PM »
Hey Jacobi,

thanks! But this is the first website I tested the fix on, and I'm not using any
old (non-functional) modules, so do they have to be uninstalled in order to
run the upgrade?

That's going to be a time-consuming process, as I admin a lot of websites :/ I had more
issues in the past with upgrading WB. That's one of the key features WB
should focus on: to (auto) upgrade from within the backend, to keep it
easier to stay up to date.

Cheerz,

Tez Oner

Offline sky writer

  • Posts: 926
Re: SQL Injection vulnerability
« Reply #6 on: March 18, 2016, 02:35:55 AM »
I don't mean to stick my neck in here, but jacobi22 seems to be handling the majority of support in a lot of threads, so maybe I can clarify this, to lift a bit of weight off of him.

thanks! But this is the first website I tested the fix on, and I'm not using any
old (non-functional) modules, so do they have to be uninstalled in order to
run the upgrade?


No, you do not need to "uninstall" non-core modules.  But they might be a good place to start looking for a possible cause for your issue.

This Service Pack automatically runs the upgrade.php script included with all "core" modules (those modules which are listed in the upgrade-script.php "Whitelist-Array").  You can read the details in the installation instructions contained in the SP zip file package... and here - http://forum.WebsiteBaker.org/index.php/topic,29035.msg203863.html#msg203863

If your WB website includes a module which is not listed in the SP6 upgrade-script.php "Whitelist-Array", AND that module DOES include an upgrade.php file, you should add that module to the upgrade-script.php "Whitelist-Array" before installing the SP upgrade.  If you do this, then the upgrade.php script will be automatically run on that module as well.

If you do not add the name of a non "core" module to the "Whitelist-Array" before installing the SP upgrade, then those modules will not automatically upgrade.  In this instance, you must manually run the upgrade.php script for each of these modules.  To do this:
  • In your Admin, go to Add-ons - Modules
  • Click the "Advanced" text link (top right)
  • Under the heading "Execute module files manually", and beside "File: "upgrade.php"", select your Module, click "Execute".
If you get a warning when manually upgrading a module, then that might be a module to look into for possible issues, such as what jacobi22 mentioned.

Hope this is of some help.

Offline jacobi22

  • Posts: 5863
  • Gender: Male
  • Support also via PM or EMail
    • Jacobi22
Re: SQL Injection vulnerability
« Reply #7 on: March 18, 2016, 11:28:27 AM »
@ sky writer: thanks for your help  (Y)

back to the error message
Code:
There was an uncatched exception: Unknown MySQL server host 'mysql02:3306' (2) in line (51) of (/framework/class.database.php)

This error comes if it's not possible to connect to the database; easy to understand, finished...

Now the question: why?
Some possibilities...
1- connection to the database broken at exactly this moment, needs only half a second - has nothing to do with this upgrade
2- no mysqli available on this server
3- PHP version older than PHP 5.3.6
4- upgrading an older WB version without the step to WB 2.8.3 Rev 1611 (my favorite)
5- a second connection to the database opened in your own script or by a module

This SP6 upgrades only the delivered core modules and only the modules from the Whitelist-Array (see the post from SkyWriter). It's not possible to upgrade any other module without new code for that, so it makes no sense to keep using the old method with the "Blacklist-Array" used in older versions of the upgrade script. Blacklist-Array means: upgrade all modules except those in the Blacklist-Array list.

The Whitelist-Array includes all modules from the SP6 package.
A special case...
If somebody says: I'll not use the new module version, maybe of the form module, and takes it out of the SP6 package, the upgrade script starts the module upgrade of the old module if it's available in the folder structure.
It makes no sense to me to use an older core module, but in this way it's possible to start an old core module upgrade.

And regarding the auto-upgrade or "One-Click-Upgrade":
It's not possible to upgrade older WB versions like 2.6.x, 2.7.x, 2.8.0, 2.8.1 or 2.8.2 without a step to WB 2.8.3 Rev 1611 first. Read the upgrade instructions from ruebenwurzel to see the needed manual work. All these WB versions run in the frontend also with the latest PHP version, so there is no pressure to upgrade them  :roll: :roll: :roll:
A "one-click-upgrade" is a good solution if you have the latest version of this software, but it doesn't work if you use old and very old versions.

Offline BlackBird

  • Posts: 2573
Re: SQL Injection vulnerability
« Reply #8 on: March 18, 2016, 03:10:14 PM »
There was an uncatched exception: Unknown MySQL server host 'mysql02:3306' (2) in line (51) of (/framework/class.database.php)

Forget all that's said above. You have a name resolution problem. The host named "mysql02" is unknown on the host where WB is installed. Try to use a FQDN (mysql02.<Domain>.<Suffix>) or IP _and_ check the name (maybe it's myql2 without the 0). The host named 'mysql02:3306' is unknown, because that's not a valid host name. See next post.

Offline BlackBird

  • Posts: 2573
Re: SQL Injection vulnerability
« Reply #9 on: March 18, 2016, 03:12:43 PM »
Here's the solution:

https://stackoverflow.com/questions/16858965/warning-mysqli-connect-unknown-mysql-server-host

Highest voted answer:

Quote
The port number must be a separate argument:

$link = mysqli_connect('host', 'user', 'pass', 'db', 5306);

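The host:port split that BlackBird's linked answer describes, as an added example (not WebsiteBaker's own code): a DB_HOST value such as 'mysql02:3306' is split so the port reaches mysqli_connect() as its own argument, and connection failures are raised as exceptions and logged without the password. The function names and the credential values are constructed for illustration.

```php
<?php
// Added example, not WebsiteBaker code. Splits a 'host:port' string so that
// mysqli_connect() receives the port as a separate argument instead of
// treating 'mysql02:3306' as a (non-resolvable) host name.
declare(strict_types=1);

function splitDbHost(string $dbHost): array
{
    $host = $dbHost;
    $port = 3306; // MySQL default when no port is given
    if (preg_match('/^\[(.+)\]:(\d+)$/', $dbHost, $m)) {
        // IPv6 literal with brackets, e.g. [::1]:3306
        $host = $m[1];
        $port = (int) $m[2];
    } elseif (preg_match('/^([^:]+):(\d+)$/', $dbHost, $m)) {
        // Plain host name or IPv4 address followed by :port
        $host = $m[1];
        $port = (int) $m[2];
    }
    return [$host, $port];
}

function connectDb(string $dbHost, string $user, string $pass, string $name): mysqli
{
    [$host, $port] = splitDbHost($dbHost);
    // Make mysqli throw on failure so the real reason (name resolution,
    // refused connection, bad credentials) surfaces as an exception.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return mysqli_connect($host, $user, $pass, $name, $port);
}

// Constructed sample values; replace with the real configuration.
try {
    $db = connectDb('mysql02:3306', 'wb_user', 'wb_pass', 'wb_db');
    echo "connected to {$db->host_info}\n";
} catch (mysqli_sql_exception $e) {
    // Log the failure reason for diagnosis; never echo the password.
    error_log('DB connection failed: ' . $e->getMessage());
}
```

If the exception still reports an unknown host after the split, the remaining cause is name resolution on the web host, as BlackBird notes, and a FQDN or IP address for the database server is the next thing to try.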

Offline Tez Oner

  • Posts: 257
  • "...it's possible..."
    • VA-MDS / MMO | communications
Re: SQL Injection vulnerability
« Reply #10 on: March 18, 2016, 03:25:08 PM »
Thanks all :) gonna check what's the most efficient,
don't like the upgrades much - prob. gonna install a
fresh version of WB.

Did try to upgrade a few times but it just keeps throwing
errors, don't have that much time for debugging though, I
just want to upgrade.

Cheerz,

Tez Oner