
SQL Injection attack warnings after upgrade

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=27141
Printed Date: 02 April 2026 at 7:08pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: SQL Injection attack warnings after upgrade
Posted By: RadioActiveLamb
Subject: SQL Injection attack warnings after upgrade
Date Posted: 19 March 2009 at 11:44pm
I'm getting this error by visiting a forum or by opening certain topics. I have the new version running in a different folder than my current 9.54 version for testing. I think the error is a false positive because one of the forums I'm trying to view is one where I hold admin-only messages that are not available to the general public. 9.54 opens the messages without error.


Server Error in Forum Application

WARNING: SQL Injection attack detected.
Please contact the forum administrator.

Support Error Code:- err_SQLServer_SqlInjectionTest()
File Name:- functions_filters.asp

Error details:-





Replies:
Posted By: WebWiz-Bruce
Date Posted: 20 March 2009 at 7:48am
Could be a corrupted file or a bug that was fixed.

Try upgrading to the latest release.


-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting


Posted By: Martin Falck
Date Posted: 20 March 2009 at 8:21am
I get the same after upgrade, and when I/admin wrote some topic, and I have the latest release:

Server Error in Forum Application
WARNING: SQL Injection attack detected.
Please contact the forum administrator.

Support Error Code:- err_mySQL_SqlInjectionTest()
File Name:- functions_filters.asp

Error details:-


Posted By: WebWiz-Bruce
Date Posted: 20 March 2009 at 8:23am
Would need to see a link to the page you are having problems with to be able to tell what the issue is.

It's possibly something within the page name, or querystring, which is a keyword in an SQL Injection attack, and it is that which is causing the problem.




Posted By: Martin Falck
Date Posted: 20 March 2009 at 8:24am
  in the update of forum

http://fodboldsnak.dk/


Posted By: WebWiz-Bruce
Date Posted: 20 March 2009 at 8:41am
OK I see now the page with the problem. To fix this open the file forum_posts.asp in a text editor and at line 182 add the following line:-


If Request.QueryString("title") <> "" Then strPageQueryString = Replace(strPageQueryString, Request.QueryString("title"), "")



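An added illustration (Python, not Web Wiz Forums code) of the false positive discussed in this thread and of what the one-line fix above does: a substring keyword test over the raw query string trips on a topic slug, and removing the title value before the test clears it. The keyword list, function names and sample query strings are assumptions constructed for the example; the actual checks in functions_filters.asp are not shown on the page.

```python
from urllib.parse import parse_qsl

# Assumed keyword list, for illustration only; not the forum's real list.
SQL_KEYWORDS = ("select", "insert", "update", "delete", "drop", "union", "exec")


def keyword_hits(query_string):
    """Naive test: report every keyword found as a substring of the raw query string."""
    lowered = query_string.lower()
    return [kw for kw in SQL_KEYWORDS if kw in lowered]


def strip_title_value(query_string):
    """Model of the fix: blank out the value of the cosmetic 'title' parameter.

    Same idea as Replace(strPageQueryString, Request.QueryString("title"), "").
    This is only sound if 'title' never reaches an SQL statement (assumed here).
    """
    title = dict(parse_qsl(query_string)).get("title", "")
    return query_string.replace(title, "") if title else query_string


def check(query_string):
    """Keyword test applied after the title slug has been removed."""
    return keyword_hits(strip_title_value(query_string))


# Constructed sample query strings.
BENIGN_SLUG = "FID=31&title=deleted-threads"
SUSPICIOUS = "FID=31 union select 1&title=deleted-threads"

if __name__ == "__main__":
    for qs in (BENIGN_SLUG, SUSPICIOUS):
        print(f"{qs!r}: before={keyword_hits(qs)} after={check(qs)}")
```

The slug is flagged only because "deleted" contains "delete"; after the title value is removed, the benign request passes while keywords in the remaining parameters are still reported.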


Posted By: Martin Falck
Date Posted: 20 March 2009 at 8:49am


Posted By: RadioActiveLamb
Date Posted: 20 March 2009 at 4:27pm
Mine isn't okay yet. I can't visit this "admin-only" forum. You won't either, because you aren't an admin. Here's the link anyway:
 
http://mhvillages.com/forumt/forum_topics.asp?FID=31&title=deleted-threads
 
The fix you gave repaired the individual post error, but not this forum or list of topics. Do you have a similar fix for the forum_topics.asp code?
 
Thanks
 


Posted By: WebWiz-Bruce
Date Posted: 20 March 2009 at 4:29pm
Yes a new 9.56a version has just been released which patches this issue and prevents the false positives.

You can download 9.56a from the Web Wiz Forums download page.




Posted By: RadioActiveLamb
Date Posted: 20 March 2009 at 5:21pm
9.56a installed, works great! Thank you


Posted By: kiklop
Date Posted: 03 April 2009 at 9:57am
I just found one case in which the warning showed up (when using the search option in our forum and clicking on one result)

http://www.dyxum.com/dforum//forum_posts.asp?TID=44423&KW=100-200&PID=478690&title=ud3-30-min-span-classhighlight100-200-span-f45-100-300-apo-d-price-drop#478690

Searched term was "100-200".

I have already updated to 9.56a.


-------------
http://www.dyxum.com - dyxum.com


Posted By: WebWiz-Bruce
Date Posted: 03 April 2009 at 10:26am
It looks like this rare issue can happen if the keywords being searched are also in the subject of the topic and the topic subject contains content that could be used in an SQL Injection attack.

The issue has been fixed for the next release, but does not affect those using URL Rewriting.

If your server supports it I would recommend using URL rewriting, not only do you get SEO friendly HTML page names but you also get better security.




Posted By: kiklop
Date Posted: 03 April 2009 at 12:27pm
Thanks Bruce; it isn't a big deal (it is really an exception), just wanted to let you know about it (if there is a simple code modification that resolves it, it would be great).

As for URL Rewriting, I'm waiting for my host company to install it on the server (they are slow with such things but excellent on others).



