[SOLVED] Attempted SQL injection in POST after Upgrade

12 years 9 months ago - 12 years 9 months ago #167739 by nphic
Folks,

I just finished upgrading to CBSubs 1.2. I've installed all Joomla plugins, Modules and CB plugins from this package. After installing, I am receiving the following error message when I try to save a subscription plan:

403: Access Forbidden
Attempted SQL injection in POST

I am using 2 SQL Actions upon activation. Both are set as internal. They are as follows:

SQL Action #1:
UPDATE
`jos_cbsubs_subscriptions` a
SET
-- 15th or later: 1st of next month; otherwise 1st of the current month.
-- Formatting the shifted date as '%Y-%m-01' keeps year and month together,
-- so a run in December rolls over to January of the following year
-- (taking YEAR(CURDATE()) and next month's number separately would not).
subscription_date = IF (DAYOFMONTH(subscription_date) >= 15, DATE_FORMAT(DATE_ADD(CURDATE(), INTERVAL 1 MONTH), '%Y-%m-01'),
DATE_FORMAT(CURDATE(), '%Y-%m-01'))
WHERE
a.`user_id` = [user_id] -- [user_id] is substituted by CBSubs before the action runs

SQL Action #2:
UPDATE
`jos_cbsubs_subscriptions` a
SET
expiry_date = DATE_ADD(a.`subscription_date`, INTERVAL 1 YEAR)
WHERE
a.`user_id` = [user_id]

The objective of these SQL statements is to set the subscription date to the 1st of either the current month or the 1st of the next month, depending upon the current date.

I am not sure where to begin looking for this error. Any suggestions on how to resolve this issue?

Thanks,
Joe
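
The date rule in SQL Action #1 and #2, restated in Python so the boundary cases can be checked directly. This is an added example, not code from the thread or from CBSubs; the function names are my own, and the 15th-of-month cutoff and one-year expiry are taken from the actions above. It also shows the pitfall of building the next-month string from today's year and next month's number, which gives the wrong year in December.

```python
from datetime import date, timedelta


def first_of_month(d: date) -> date:
    """DATE_FORMAT(d, '%Y-%m-01') as a date."""
    return d.replace(day=1)


def first_of_next_month(d: date) -> date:
    """1st of the month after d; stepping 32 days past the 1st always lands in the next month."""
    return (d.replace(day=1) + timedelta(days=32)).replace(day=1)


def naive_next_month_string(today: date) -> str:
    """The pitfall: year taken from today, month taken from next month, joined as text.
    In December this yields January of the *current* year."""
    next_month = first_of_next_month(today).month
    return f"{today.year}-{next_month:02d}-01"


def new_subscription_date(subscription_date: date, today: date) -> date:
    """Mirror of SQL Action #1. As in the SQL, the cutoff is evaluated on the stored
    subscription_date (DAYOFMONTH), while the month comes from today (CURDATE())."""
    if subscription_date.day >= 15:
        return first_of_next_month(today)
    return first_of_month(today)


def expiry_date(subscription_date: date) -> date:
    """Mirror of SQL Action #2: DATE_ADD(subscription_date, INTERVAL 1 YEAR).
    MySQL clamps Feb 29 to Feb 28 of the following year; do the same here."""
    try:
        return subscription_date.replace(year=subscription_date.year + 1)
    except ValueError:
        return subscription_date.replace(year=subscription_date.year + 1, day=28)


if __name__ == "__main__":
    # Constructed sample activations around the cutoff and at year end.
    for activated in (date(2024, 3, 10), date(2024, 3, 20), date(2024, 12, 20)):
        start = new_subscription_date(activated, activated)
        print(activated, "->", start, "expires", expiry_date(start),
              "| naive string:", naive_next_month_string(activated))
```

Run it and compare the last column with the computed start date for the December activation: the concatenated string is a year behind, which is the case the '%Y-%m-01' format avoids.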


12 years 9 months ago #167740 by nphic
Folks,

I found my problem. Sorry for the post. I am running RSFirewall and the Active Scanning was checking for SQL Injections on components. Once I configured it to "skip" com_profiler, my issue resolved itself. Again, sorry for the post!

Regards,
Joe


12 years 5 months ago #180036 by JakeKnight
Dude, you saved me arse big time with this. My problem was with GroupJive. Everything worked fine but when I tried to Save the ABOUT PAGE description, I got the 403 error.

I turned off the SQL check and hopefully this might solve a few other funky errors as well.

Thanks so much for posting your simple solution.


12 years 5 months ago - 12 years 5 months ago #180099 by krileon
As a personal opinion (in no way Joomlapolis' opinion, just my own), these "security extensions" are a bit pointless. They're injecting themselves to check for injects, which is counterproductive. They hijack extensions and have no idea how to properly handle those extensions' data, which is a big problem if something is flagged. I really don't recommend using them, and this recommendation is up there with moving configuration.php, again a pointless attempt at additional security. Your site is only as secure as the code it's executing; no extension or moving of a configuration file will fix that. Joomla, CB, and GJ itself are put through brutal security reviews to ensure zero vulnerabilities. Your best security is what your host can provide you and of course running in HTTPS at all times to ensure encrypted data is always used. In addition to that, daily/weekly backups are your best friend in case something does go south.

Your best security is picking your webhost wisely, no extension will make up for that.


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Localization - CB Quickstart - CB Paid Subscriptions - Add-Ons - Forge
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM CST to 4:00 PM CST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.
