SQL injection attack
#1

[eluser]frederico[/eluser]
Hi,

I am running CodeIgniter 2.1.0. Yesterday I found all the passwords in my users table changed to a similar one, but they were encrypted.

I suspect an SQL injection on the forgot-password form. I am using Active Record, which I thought would take care of SQL injections. My query uses:
$this->db->where() and $this->db->update()

It selects where the email address is equal to the entered one, then updates with a new password and emails it to the email address.

#2

[eluser]PravinS[/eluser]
Refer to "Escaping Queries" at this URL:

http://ellislab.com/codeigniter/user-gui...eries.html

#3

[eluser]frederico[/eluser]
This means the Active Record class does not do the escaping, and I have to do the escaping of the queries using the escape function.
#4

[eluser]Pert[/eluser]
[quote author="frederico" date="1370192674"]
$this->db->where() and $this->db->update()
[/quote]

Active Record queries are automatically escaped, so it should not be SQL injection.
#5

[eluser]frederico[/eluser]
Before it happened the website was taking too long to load; it seems it had an overload. When I checked the last visitors, it was Googlebot, which I don't think was doing anything malicious unless it's an impostor, but the IP traced back to Google offices.


#6

[eluser]Pert[/eluser]
actually I'll take that back, sort of.

Depends how you set up your AR call.

If it's a weird query, and you need to do multiple OR statements and whatnot, you have the option to not parse strings.

Code:
$this->db->where('((table_a.col_1 = table_b.col_2 OR table_c.col_2 = table_a.col_2) OR (...))', null, false);

But that said, it's unlikely that someone spent so much time trying to find issues with your application.

It's more likely that they managed to get into your server through a known cPanel vulnerability, for example, or that some UPDATE functions were wrong. I kid you not, I've seen servers hacked into 2 hours after they were completely re-installed, with a login using the correct root password, all because cPanel was not up to date.

So do a quick query check on the forgotten-password feature (put in some injection code, print out the SQL queries that are run), but you should be ready to investigate further on the server side.
#7

[eluser]frederico[/eluser]
The initial query for forgot password, I found out, wasn't checking if the email address is registered, so it was sending a new password regardless.

The query was actually a simple:

$this->db->where('col_name', 'val');
$this->db->update('table_name', $data);

The array has the values to be updated in the db...


I tried some injections myself, but none went through. I have changed my cPanel password. It most likely was a brute-force attack, as it was characterised by denial of service.
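The query check Pert suggests in #6 and the two defects described in #7 (a WHERE clause whose value is not escaped, and a reset that never checks whether the address is registered), as an added example that is not from the original posts or from CodeIgniter. It uses plain PDO against an in-memory SQLite table instead of Active Record so that it runs stand-alone; the table, the three accounts and the attacker input are all constructed here. The unsafe function builds the SQL text by hand, which is what a `where()` call with its third argument set to `false` amounts to; the hardened one binds parameters and refuses unknown addresses.

```php
<?php
// Added illustration, not code from the thread or from CodeIgniter.
// Requires PHP 7+ with pdo_sqlite. All data below is constructed for the demo.

function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
    $ins = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
    foreach (['alice@example.com', 'bob@example.com', 'carol@example.com'] as $email) {
        $ins->execute([$email, password_hash('original-' . $email, PASSWORD_DEFAULT)]);
    }
    return $pdo;
}

function newPassword(): string {
    return bin2hex(random_bytes(8)); // 16 hex chars from the CSPRNG
}

// What an unescaped WHERE does: the user-supplied address lands in the SQL text
// verbatim, so a crafted value rewrites the condition for every row.
function resetPasswordUnsafe(PDO $pdo, string $email): int {
    $hash = password_hash(newPassword(), PASSWORD_DEFAULT);
    $sql  = "UPDATE users SET password_hash = '$hash' WHERE email = '$email'";
    return $pdo->exec($sql); // number of rows changed
}

// Hardened form: bound parameters, and the update (and any e-mail) only happens
// when the address is actually registered. Returns the new password or null.
function resetPasswordSafe(PDO $pdo, string $email): ?string {
    $check = $pdo->prepare('SELECT id FROM users WHERE email = ?');
    $check->execute([$email]);
    if ($check->fetch() === false) {
        return null; // unknown address: nothing updated, nothing mailed
    }
    $password = newPassword();
    $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE email = ?');
    $upd->execute([password_hash($password, PASSWORD_DEFAULT), $email]);
    return $upd->rowCount() === 1 ? $password : null;
}

// Constructed attacker input: a value that, unescaped, turns the WHERE into "always true".
$attacker = "nobody@example.com' OR '1'='1";

$pdo = makeDb();
echo resetPasswordUnsafe($pdo, $attacker), " rows changed by the unescaped query\n"; // 3: every account

$pdo = makeDb();
var_dump(resetPasswordSafe($pdo, $attacker));                  // NULL: treated as one literal, unregistered address
var_dump(resetPasswordSafe($pdo, 'bob@example.com') !== null); // bool(true): exactly one account reset
```

The first run reproduces the symptom from the opening post (every password replaced in one request); the second shows that with bound parameters the same input matches nothing. To see which form a given Active Record call produces, run it with a test value like the one above and print `$this->db->last_query()`, which returns the SQL actually sent to the database.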



#8

[eluser]Pert[/eluser]
[quote author="frederico" date="1370270635"]
Code:
$this->db->where('col_name', 'val');
$this->db->update('table_name', $data);
[/quote]

This should all be automatically escaped.

For one of the projects I'm saving password change requests with the remote IP, and also logging logins, both successful and failed attempts, against user ID and remote IP.

Might be overkill for most projects, but it's slightly sensitive data, so it's good to keep track of things if something goes wrong.
#9

[eluser]frederico[/eluser]
I do some logging, e.g. for logins (successful logins). I checked, but there was no login at the time of the attack. I guess the hacker had my cPanel password. I had the same attack before and changed my cPanel password. I had moved to a new host just before the attack, and the login details were sent to my email address, which has had the same password for quite a long time, so the email address seems to have also been compromised.
#10

[eluser]jairoh_[/eluser]
Active Record cannot be SQL injected; it is pretty much secured and pretty much cannot be injected. It is automatically escaped, as @Pert says. :)



