The ever-powerful ListX module forum. Post your questions, new configuration ideas and reviews.
Subject: Hacked?

eklug
Welterweight
Posts:45

06/20/2008 5:52 PM
Not sure what the issue is but I can say a big "THANK REPOSITORY!".

A site I maintain that uses ListX all over suddenly acted as if all the ListX modules were just added to the page. All content was gone from the ListX modules.

I went into the database and found this disrupting the XML "script src=http://www.chkbnr.com/b.js""/script"

Once I rolled back to the last good configuration all went back to normal.

I'm just trying to figure out how all ListX modules suddenly today at 11:53 am got that script tag added.

I'm going through server logs now...but it seems to have only hit the ListX modules.

But recently a Google Analytics script was added to the Default.aspx page...not by my choice. So I'm a little unsure what allowed this to happen.

Any thoughts?
eklug
Welterweight
Posts:45

06/20/2008 6:13 PM
Forgot to add-

DNN: 4.03.07 (yes I've suggested many times to upgrade)
ListX: 1.09.94
kevinmschreiner
Please Wait...
Posts:749

06/23/2008 7:52 AM
This url comes up on a list of mass SQL Injection attacks. Not sure where you actually have your problem, but the location of the .js reference may make sense. Also - the reason you would have seen this occur is if you had all your modules with ajax turned on - the problem was probably that the JS layer was passing some unknown information to the server via the ajax callback url - and the module was unable to load due to it.

Kevin M Schreiner

Business Intelligence Force, Inc. (bi4ce)
eklug
Welterweight
Posts:45

06/23/2008 11:17 AM
I'm not sure where the problem is/was. Except it only affected every single (10) ListX module on the site :(

But I was able to use the repository feature and get things back. I've gone through and made sure that both Escape Single Quotes and Escape HTML Content, also Escape LISTX Twice are all selected.

And guess what it just happened again to all ListX modules only.

I've also removed the AJAX interaction...and it happened again.

At this point I'm trying to figure out my options for using a different module. Luckily no data is being lost.

Any ideas or is anyone else experiencing this?
eklug
Welterweight
Posts:45

06/23/2008 2:49 PM
To clarify. This is a big issue.

Apparently there is a way to inject code into the XML setting table for ListX. Thankfully the code disrupts the XML format which causes the ListX modules to display nothing.

What and how is allowing someone to inject script tags into the ListX XML configuration tables? How do we stop this? I've already started looking at removing ListX from our DNN installation and replacing with some other solution...which is hard cause we use ListX almost everywhere.

Help please!
ewalker
Superweight
Posts:219

06/23/2008 6:25 PM
hi eklug,

One thing that is often overlooked is setting Target Left and Target Right values for your Query Variable (even when you expect a numeric value). WE STRONGLY RECOMMEND THAT YOU SET THESE to single quote (')

Otherwise, you are most likely opening your site up to SQL injection unless the ListX is protected by Admin-only access through DNN permissions.

The most common attack is through the QueryString or Form variables.

Thanks,
-Eric

Eric Walker - R2integrated
eklug
Welterweight
Posts:45

06/23/2008 6:39 PM
I went through all the ListX instances and made sure that all were updated based on your suggestion. Most were already set up that way but there was one Form instance that was not.

I guess what really puzzles me is the fact that the actual data that these ListX instances read from was not touched. It was each and every single module's XML configuration table that was written to. Even modules that already were following your suggestion.

This has happened twice now. But both times the ListX instance with the form was not updated per your suggestion; it is now.
kevinmschreiner
Please Wait...
Posts:749

06/24/2008 11:08 AM
The problem you have witnessed can be checked by looking at the incoming logs in IIS. The b.js is a known bot attack using SQL injection, and has affected a huge number of sites. It's an obvious exploit which is easily controlled within ListX - but you simply need to be aware of the possibilities and code appropriately in your statements. I am taking steps now in the administrative areas that will make it more intuitive and reduce the possibilities of incorrectly consuming a variable - but you must always pay very close attention to this.

Kevin M Schreiner

Business Intelligence Force, Inc. (bi4ce)
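Added example, not part of the original thread: one way to do the IIS log check described above is to flag requests where a querystring parameter that should be numeric carries SQL syntax instead. The log lines are constructed, and the parameter names (`ID`, `tabid`) and the token list are assumptions to adapt to your own site.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C extended log sample (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2008-06-20 11:52:58 GET /Default.aspx tabid=55&ID=12 192.0.2.10 200
2008-06-20 11:53:02 GET /Default.aspx tabid=55&ID=12;DECLARE%20@S%20VARCHAR(4000) 198.51.100.7 200
2008-06-20 11:53:40 GET /Default.aspx tabid=55&q=declare+war 192.0.2.11 200
"""

# SQL punctuation and keywords that have no business inside a numeric value.
SQL_TOKENS = re.compile(
    r";|--|/\*|'|\b(declare|exec|cast|update|insert|delete|select|union|drop)\b",
    re.IGNORECASE,
)

def suspicious_requests(log_text, numeric_params=("id", "tabid")):
    """Return (date, time, client_ip, stem, param, value) for every parameter
    that is expected to be numeric but contains SQL syntax."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order is declared per log file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        query = row.get("cs-uri-query", "-")
        if query == "-":                   # IIS writes "-" for an empty field
            continue
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            value = unquote_plus(raw)      # decode %20 and + before matching
            if (name.lower() in numeric_params and not value.isdigit()
                    and SQL_TOKENS.search(value)):
                hits.append((row["date"], row["time"], row["c-ip"],
                             row["cs-uri-stem"], name, value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Matching the timestamps of the hits against the time the module configuration changed narrows down which page and parameter let the request through.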
tstallan
Lightweight
Posts:19

08/12/2008 9:31 PM
Hi eklug,

The same has happened to me.

See my separate post I made today titled SQL INJECTION attacks.

Regards

Tony
mikerennick
Middleweight
Posts:55

08/13/2008 9:31 AM
This has happened to me on a non-DNN site (classic ASP) -- but it can happen anywhere. The script is executed by replacing a numeric querystring value with SQL code. This can happen when using listx if you do something like this:

UPDATE MyTable WHERE (ID = [ID,Q])

In the above example I use the querystring directly without assigning it to a variable. The proper SQL statement would be this:

UPDATE MyTable WHERE (ID = @ID)

The JS code that you see executes on the sql statement, and then adds itself to any field (in any table) in the DB that is varchar or nvarchar of a certain length.

To clean the DB I would use the attached stored procedure. It will find all instances of the JS code in your database and can replace it with '' or nothing.

I also attached a stored proc that simply searches all DB tables for a given string. This is useful to determine the extent of your problem before running the search and replace SP.

Attachment: SearchReplace.zip


Mike Rennick
kevinmschreiner
Please Wait...
Posts:749

08/13/2008 10:05 AM
Yes, I have an internal tool which was created specifically to spider our developed sites and log all possible attack points (urls with querystring parameters). These attack points are then attacked with a script that is similar to the current notorious sql injection content. The difference here is, our attack just injects records into a table that identify the exact breach location.

We will be making this a publicly available download shortly, because it is useful for this type of detection.

IN ANY CASE: PLEASE READ THE FOLLOWING SO YOU KNOW THE STANDARDS THAT SHOULD BE USED WITHIN LISTX AND OWS.

1. ALWAYS use Query Variables.
2. ALWAYS check the box to protect against SQL Injection.
3. WHEN using SQL Injection protection, ALWAYS place single quotes to the left and right of the consumed value - either IN the Query Variable definition (the main reason for the left and right attributes there), or within the Query itself.
4. NEVER place ANY replacement values that could have been touched by a user directly in a QUERY.

What does #4 mean? It simply means this... If you place [x,Querystring] in your Query directly - "x" is something that the user has access to before it goes to the server for processing. So they can place whatever they want in "x" even if you are anticipating an integer (which is the problem most users experience). This goes for Cookie and form variables also. And, sometimes embedded flow values that have been assigned to the session or actions. Meaning, if you assign an Action variable the value from the querystring, you will still have the same problem. Which is why Query variables are so important.

Steps are being taken to make these a bit more obvious in your configurations, and to provide a bit further protection, but these are the standards and PLEASE ADOPT THEM.

Thanks!

Kevin M Schreiner

Business Intelligence Force, Inc. (bi4ce)
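Added example, not part of the original thread and not ListX code: a small demonstration of why rule 4 matters, comparing a querystring value pasted directly into the statement, the same value escaped and wrapped in single quotes (rule 3), and a bound parameter. The `[ID,Q]` token handling is a constructed stand-in for ListX's replacement, SQLite stands in for SQL Server, and escaping by doubling single quotes is an assumption about how the protection option could work.

```python
import re
import sqlite3

TOKEN = re.compile(r"\[(\w+),Q\]")  # stand-in for a ListX querystring token such as [ID,Q]

def render_direct(sql, qs):
    """Rule 4 violated: the raw querystring value becomes part of the SQL text."""
    return TOKEN.sub(lambda m: qs[m.group(1)], sql)

def render_quoted(sql, qs):
    """Rule 3: double any single quotes, then wrap the value in single quotes."""
    return TOKEN.sub(lambda m: "'" + qs[m.group(1)].replace("'", "''") + "'", sql)

def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE MyTable (ID INTEGER, Flag TEXT)")
    db.executemany("INSERT INTO MyTable VALUES (?, 'old')", [(1,), (2,), (3,)])
    return db

def rows_changed(mode, value):
    """Run the UPDATE with a user-supplied ID and count the rows it modified."""
    db = fresh_db()
    template = "UPDATE MyTable SET Flag = 'new' WHERE (ID = [ID,Q])"
    qs = {"ID": value}
    if mode == "direct":
        db.execute(render_direct(template, qs))
    elif mode == "quoted":
        db.execute(render_quoted(template, qs))
    else:  # "bound": the value travels as data and is never parsed as SQL
        db.execute("UPDATE MyTable SET Flag = 'new' WHERE (ID = :ID)", qs)
    return db.execute("SELECT COUNT(*) FROM MyTable WHERE Flag = 'new'").fetchone()[0]

if __name__ == "__main__":
    for mode in ("direct", "quoted", "bound"):
        print(mode, rows_changed(mode, "2"), rows_changed(mode, "2 OR 1=1"))
```

With the value `2 OR 1=1`, the direct form rewrites every row, while the quoted and bound forms compare ID against a string that matches nothing.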
kevinmschreiner
Please Wait...
Posts:749

08/13/2008 10:08 AM
ALSO - The provided stored procedure is good, however please consider the following. The hacker's code script is imperfect and has the tendency to truncate values that are longer than it anticipated (4000 or 8000 characters). We have seen places where configurations have been truncated and a script like the above provided has actually corrected some tables, but left configurations corrupted due to the truncation.

ALWAYS back up your databases regularly to avoid needing a recovery script. While the recovery script should work well - the hacker's script is not considerate of your database and hard work.

Kevin M Schreiner

Business Intelligence Force, Inc. (bi4ce)
tstallan
Lightweight
Posts:19

08/13/2008 10:27 AM
Yep, the truncating was happening on my site. Most of my ListX module settings were way over 4000 characters so every time it happened a complete restore was required.

Also the SearchReplace script does not work on ntext columns which are used to store ListX XML.

I found the exact same script and had extended it to handle ntext columns. (Use at your own risk) :P

I have also attached my Search script to find text in all character fields including ntext.

Question for the BI4CE team, in the same way we have the "Protect from Sql Injection" option which removes single quotes could we have another option to remove semi-colons?

Regards

Tony


Attachment: SearchReplace.zip
Attachment: Search.zip

mikerennick
Middleweight
Posts:55

08/13/2008 10:34 AM
I have cases in my listx action sequence where I cannot seem to assign values to a variable in the variable section and then have them available in the actions section. Here is an example...

0.Message: Awaiting incoming message with Type 'AddPerson'.

1. Execute Query[InsertPerson]: INSERT INTO MyTable (Prefix, FirstName, LastName, Suffix, ShortBio, Bio, Email, BusinessPhone, HomePhone, MobilePhone, Fax, HomeTown, GraduationYear, PortalID, NickName, StreetAddressLine1, StreetAddressLine2, City, State, ZipCode ) VALUES (@Prefix, @FirstName, @LastName, @Suffix, @ShortBio, @Bio, @Email, @BusinessPhone, @HomePhone, @MobilePhone, @Fax, @HomeTown, @GraduationYear, @PortalID, @NickName, @StreetAddressLine1, @StreetAddressLine2, @City, @State, @ZipCode) SELECT SCOPE_IDENTITY() PersonID

2. File: Source Variable: <form>> frmHeadShot. DestinationPath~/Portals/[PortalID,System]/HeadShots/[PersonID,InsertPerson].[frmHeadShot.Name,Form]

3. Execute Query[Update Person]: UPDATE oneten_sm_Person SET HeadShot = '[frmHeadshot.Extension,FORM]', HeadShotName = '[frmHeadshot.NameOnly,FORM]' WHERE (ID = [PersonID,InsertPerson])


In this case I have been unable to get any of the "frmHeadshot" form values to go into variables and have had to access them directly like this: [frmHeadshot.NameOnly,FORM]


Mike Rennick
macdaddy
Middleweight
Posts:60

08/13/2008 10:43 AM
In this case you can do one of two things. #1 - use Custom as the source type and place the tag you see here directly as the source of the value in the query variable... or #2 - use the syntax you have present. Unlike all other form values - the form values with the dot notation are specifically treated in ListX as a system value and cannot be hacked with SQL Injection.
ldownes
Middleweight
Posts:52

08/13/2008 5:48 PM
Kevin,

I would add one more thing to the list of dos. It's something very few people using ListX seem to do based on the code I see on the forums here.

Use stored procedures rather than sql statements in your queries and subqueries...And in those sps try not to use dynamic sql, if there's no way around it then call the dynamic sql within the sp as a parameterized statement rather than a raw one.

Here's an article that explains it better than I can...

http://palisade.plynt.com/issues/2006Jun/injection-stored-procedures/

Using sps has the added benefit of delivering better performance too.

mrwebslinger
Superweight
Posts:357

08/14/2008 10:32 AM
Posted By kevinmschreiner on 08/13/2008 10:05 AM:
"We will be making this a publicly available download shortly, because it is useful for this type of detection."

This tool would be great. I have a client that is being attacked about every other day and they are starting to get concerned. I am going to implement these suggestions to try and prevent these attacks.

robert_chumley
Please Wait...
Posts:595

08/25/2008 8:51 AM
Hello,
Please let us know your successes.
Thanks,

Robert Chumley
r2integrated (formerly bi4ce)