The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
|
#1
01-26-2009, 08:39 PM
|
||||
|
||||
EWT Statistics
Can someone take a look at this and see if it can be made to work correctly with 3.8.0. It looks like something simple, if you happen to understand PHP. (But I don't) This was released here for an earlier version, and has been working fine with 3.8.0, but recently, I got a few database errors, like this...
Database error in vBulletin 3.8.0: Invalid SQL: INSERT INTO ewt_statistics (uid, sectionid, thisscript, ipaddy, useragent) VALUES (0, 0, 'index', '205.196.222.10', '<a href='http://db2-sql.blogspot.com'> DB DB2 ODBC</a> support@runnk.com'); MySQL Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'http://db2-sql.blogspot.com'> DB DB2 ODBC</a> support@runnk.com')' at line 4 Error Number : 1064 Request Date : Monday, January 26th 2009 @ 03:43:53 PM Error Date : Monday, January 26th 2009 @ 03:43:53 PM Script : *** Removed URL *** Referrer : IP Address : 205.196.222.10 Username : Unregistered Classname : vB_Database MySQL Version : (I've only received two of these errors and they're both the same. Otherwise, it appears to work fine. Maybe just a variable name changed or something?) *** Removed Copyrighted File *** 
|
|
#2
01-27-2009, 04:19 AM
|
||||
|
||||
|
I suggest you remove the modification immediately. It suffers from an exploit called "SQL injection", which can be used to execute basically any SQL query the attacker wants. I suggest you contact the author, as well as reporting the modification thread, so staff can quarantine it.
PS. I have remove your site URL, to protect your site from being attacked.
|
|
#3
01-27-2009, 04:26 AM
|
||||
|
||||
|
Thanks. Do you know of a way to fix it? Now there will be no total page views. I have no idea who the original author was.
 Has it always been a security risk? Because my firewall used to block a lot of SQL injection attempts. Apparently, it did it's job.
|
|
#4
01-27-2009, 04:57 AM
|
||||
|
||||
|
Quote:
Quote:
|
|
#5
01-27-2009, 04:57 AM
|
||||
|
||||
|
Is there anything that can replace my hit counter (in the statistics bar) that's safe to use? That was nice to have.
--------------- Added 27 Jan 2009 at 00:59 --------------- Quote:
--------------- Added 27 Jan 2009 at 01:34 --------------- What was the exploit, now that it's uninstalled? Is it really that serious? I mean, I've had this installed for probably 6 years now, and never had any attacks. My firewall has blocked tons of attempts at SQL injections, but nobody has managed to execute anything. Do you think it's safe to run, since my firewall detects and successfully blocks this type of attack?
|
|
#6
01-27-2009, 09:58 AM
|
|||
|
|||
|
The useragent is not cleaned before inserting into the query, leading to possible SQL Injections.
|
|
#7
02-03-2009, 04:54 AM
|
||||
|
||||
|
So, no one can make this nifty little hack safe?
|
|
#8
02-03-2009, 08:41 AM
|
|||
|
|||
|
Nobody said that, we only say that the current script you use is vulnerable.
|
|
#9
02-03-2009, 09:00 AM
|
||||
|
||||
|
Well, if anyone would like to do it, I'm sure it would be much appreciated! I know I sure would appreciate it. I'm surprised there isn't a version of this that is safe, already. It seems like such a necessary statistic.
I know there are probably other types of counters, but I haven't seen anything that's so nicely integrated like this. It was nice to know that I had over 2.1 million views! That attracted a paying advertiser, once! 
|
|
#10
02-03-2009, 09:09 AM
|
|||
|
|||
|
We don't even know which modification you are talking about. If you have questions regarding a modification, then please post in the thread of that modification.
PS If a vulnerable version is posted on vB.org, then please use the Report Post link to report it.
|
 |
«
Previous Thread
|
Next Thread
»
Linear Mode
|
|
All times are GMT. The time now is 01:45 PM.