Post by Isildur on Nov 9, 2021 19:53:57 GMT
At the top of the current on-GC's-site comments (backed up here), there's a comment from a frequent commenter saying At first I assumed that the reader was joking about something like Tom's page comment ("I just have to kill a guy bye", spoofing Annie's dropping of that bomb on Renard and abruptly turning her attention to Shell) or some aspect of the comic being likely to cause an overload of people commenting. But then I noticed that further down, a long series of comments marked as from a submitter "lxbfYeaa" contain fragments of arithmetic operations or programming code. Some of them like "-5 OR 340=(SELECT 340 FROM PG_SLEEP(15))--" look like someone was attempting to do some SQL injection. I'm hoping the coding of the site is solid enough that whoever was doing that didn't actually succeed at injecting any SQL, and that the comment form was temporarily disabled (maybe by an automatic rate limiter) simply as a precaution, because it was getting hammered with too many rapid, automated submissions. It seems the day has come when a tougher CAPTCHA than " □ *Check this to prove that you are not Boxbot." is needed...
Post by Eversist on Nov 10, 2021 17:15:42 GMT
Mr. Siddell reads the forum pretty regularly IIRC, but this seems a thing you could DM him about if you wanted. Seems important!
Post by warrl on Nov 10, 2021 20:16:29 GMT
That certainly looks like a failed attempt at SQL injection to me.
Too bad the site didn't limit how frequently a single client could post messages, or how many such messages in a row on a single thread, or something like that - or recognize the attempt and reject the messages entirely.
Post by Isildur on Nov 11, 2021 22:23:18 GMT
Mr. Siddell reads the forum pretty regularly IIRC, but this seems a thing you could DM him about if you wanted. Seems important!
Ok, sent him a DM, thanks.
Post by Isildur on Nov 11, 2021 23:41:19 GMT
Just a warning: Don't quote even the tiniest fragment of the code from there here, or Cloudflare may block your IP from Proboards based on a heuristic analysis noticing what looks like SQL injection code. It's surprisingly sensitive; I just now was composing a new reply, and in doing so quoted just a single line (containing a negative one, a capital "OR", a curious arithmetic operation that seems like just padding, and a trailing double minus sign) to comment on the fact that (while I'm not an expert by any means) I was puzzled what the long arithmetic operation achieves (other than maybe padding) since it appears to be arithmetically identical to "one equals one". I noted that the trailing double minus sign is used to disable quotation marks, according to a Stack Overflow thread ( stackoverflow.com/questions/31288409/ ). Trying to post that reply got the IP at the office I was in blocked. Oh well. I guess I should email Proboards to ask them to unblock that IP. (I'm entering this from my phone now.) Also, in my failed message, I noted that whoever is attempting this tried it again in the latest GC comments.
Post by Tom Siddell on Nov 12, 2021 14:12:40 GMT
Thanks for the heads up, I'll keep an eye on things. The comments area is set up in such a way that injection attacks shouldn't be able to do anything, though.
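
The two things discussed above, Isildur's puzzlement over a line of the form "negative number, OR, arithmetic that equals one equals one, trailing double minus", and Tom's statement that the comments area is set up so injection can't do anything, side by side as an added example. This is not code from the original thread or from the comic's site; the table, the rows and the payload `-1 OR 3*2-5=1--` are constructed, and SQLite is used so it runs offline (the `PG_SLEEP(15)` form seen in the comments is PostgreSQL-specific and has no SQLite equivalent). The arithmetic reduces to a true comparison, which automated scanners commonly prefer over a literal `1=1` so the probe varies from run to run and confirms the database really evaluated the expression; `OR` then makes the WHERE clause true for every row, and `--` turns the rest of the original statement into a comment, which is what removes the trailing filter rather than "disabling quotation marks" as such. The `PG_SLEEP` variant is the blind, time-based version of the same trick: the page shows the attacker nothing, but a 15-second delay proves the injected SQL executed. Parameterized queries are the standard way to get the property Tom describes, and the example shows the same input against a concatenated statement and a parameterized one.

```python
import sqlite3

# Constructed sample data: a comments table with one moderated (hidden) row.
CONN = sqlite3.connect(":memory:")
CONN.execute(
    "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT, hidden INTEGER)"
)
CONN.executemany(
    "INSERT INTO comments (author, body, hidden) VALUES (?, ?, ?)",
    [
        ("Kat", "Robot!", 0),
        ("Annie", "I just have to kill a guy bye", 0),
        ("spammer", "buy boxbots", 1),  # hidden by moderation
    ],
)

# Hypothetical payload in the shape described in the thread: a negative
# number, OR, an arithmetic expression that reduces to 1=1, and '--'.
PAYLOAD = "-1 OR 3*2-5=1--"


def fetch_comment_vulnerable(comment_id):
    """Splices untrusted input into the SQL text. With PAYLOAD the statement
    the database actually sees is

        SELECT id, author FROM comments WHERE id = -1 OR 3*2-5=1-- AND hidden = 0

    3*2-5=1 is true, so 'id = -1 OR true' matches every row, and '--' makes
    the 'AND hidden = 0' filter a comment, so the hidden row leaks too."""
    sql = f"SELECT id, author FROM comments WHERE id = {comment_id} AND hidden = 0"
    return CONN.execute(sql).fetchall()


def fetch_comment_parameterized(comment_id):
    """Binds the input as a value. The SQL text is fixed before the value is
    attached, so 'OR', '=' and '--' inside it are never parsed as SQL; the
    whole payload is compared against the id column as one string and
    matches nothing. Validating that comment_id is an integer before this
    point is still good practice, but not what stops the injection."""
    sql = "SELECT id, author FROM comments WHERE id = ? AND hidden = 0"
    return CONN.execute(sql, (comment_id,)).fetchall()


if __name__ == "__main__":
    print("vulnerable, normal input:", fetch_comment_vulnerable("2"))
    print("vulnerable, payload:    ", fetch_comment_vulnerable(PAYLOAD))
    print("parameterized, payload: ", fetch_comment_parameterized(PAYLOAD))
```

Running it shows the concatenated query returning all three rows, hidden one included, for the payload, while the parameterized query returns nothing for the same input. That is the whole difference between "the form got hammered" and "the form got owned".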
Post by Isildur on Nov 12, 2021 17:58:05 GMT
Thanks for the heads up, I'll keep an eye on things. The comments area is set up in such a way that injection attacks shouldn't be able to do anything, though.
You're welcome. Ok, good to hear. It does detract from the comment thread, though, when so much of the thread is occupied by dozens of those injection attempt messages, so I hope you'll consider a stronger anti-spamming measure than the checkbox, like reCAPTCHA. Unfortunately, there really are worse bots than Boxbot.
Post by warrl on Nov 12, 2021 20:31:59 GMT
Or a function that examines a blob of text to determine if it's an attempt at some sort of code injection. (Could return "bad text" or could attempt to determine what kind of code - the former would be sufficient for this specific purpose, the latter would be more complex and have more OTHER uses.)
And if that function says the text to be posted is bad text, the attempt to post could be rejected.
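
warrl's two suggestions, a per-client rate limit and a function that examines a blob of text for injection-like content, together with the caveat Isildur ran into (Cloudflare blocking a comment that merely quoted a fragment), as an added example. This is not the forum software's, Proboards' or Cloudflare's logic; the regexes, the thresholds, the window size and every sample comment are constructed assumptions. The point it makes is that a content heuristic on its own is blunt: the real probes trip several signals at once, while a reader discussing one of them trips exactly one, so the example grades them separately ("reject" versus "review") and pairs the check with a sliding-window limit that stops a burst no matter what the text says.

```python
import re
from collections import defaultdict, deque

# Constructed heuristics for "does this look like a SQL-injection probe?".
# Assumed patterns for this example, not the rules any real WAF uses.
SQLI_PATTERNS = {
    "tautology": re.compile(r"\bOR\b\s*[\w()*+\-/'\"]+\s*=\s*[\w()*+\-/'\"]+", re.I),
    "trailing_comment": re.compile(r"--\s*$", re.M),
    "time_delay": re.compile(r"\b(PG_SLEEP|SLEEP|BENCHMARK)\s*\(|\bWAITFOR\s+DELAY\b", re.I),
    "union_select": re.compile(r"\bUNION\b.*\bSELECT\b", re.I | re.S),
    "quote_break": re.compile(r"['\"]\s*(OR|AND)\b", re.I),
}


def sqli_signals(text):
    """Names of the patterns that fire on text (warrl's 'what kind of code' variant)."""
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(text)]


def classify(text):
    """'ok' with no signals, 'review' with one (a human talking about an
    attack usually looks like this), 'reject' with two or more."""
    hits = len(sqli_signals(text))
    if hits == 0:
        return "ok"
    if hits == 1:
        return "review"
    return "reject"


class SlidingWindowLimiter:
    """Allow at most max_posts per client within any window_seconds span.
    Rejected content still consumes a slot, so a bot cannot probe for free."""

    def __init__(self, max_posts=3, window_seconds=60):
        self.max_posts = max_posts
        self.window = window_seconds
        self.history = defaultdict(deque)  # client -> timestamps of accepted attempts

    def allow(self, client, now):
        q = self.history[client]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop attempts that have aged out of the window
        if len(q) >= self.max_posts:
            return False
        q.append(now)
        return True


def moderate(events, limiter=None):
    """events: iterable of (timestamp, client, text). Returns [(client, decision)].
    The cheap rate check runs first; the regex scan only sees what gets through."""
    limiter = limiter or SlidingWindowLimiter()
    decisions = []
    for ts, client, text in events:
        if not limiter.allow(client, ts):
            decisions.append((client, "rate_limited"))
            continue
        decisions.append((client, classify(text)))
    return decisions


# Constructed comment stream. The first probe is the one quoted in this
# thread; the rest are made-up variants of the same families.
INJECTION_BURST = [
    "-5 OR 340=(SELECT 340 FROM PG_SLEEP(15))--",
    "-1 OR 3*2-5=1--",
    "' OR 'a'='a",
    "1 UNION SELECT null--",
    "1; WAITFOR DELAY '0:0:15'--",
    "-1 OR 2+7-9=0--",
]
SAMPLE_EVENTS = (
    [(0, "reader_a", "I just have to kill a guy bye"),
     (30, "reader_b", "Renard took that better than I expected.")]
    + [(100 + i, "lxbfYeaa", p) for i, p in enumerate(INJECTION_BURST)]
    + [(200, "reader_c",
        'Puzzled by the line "-1 OR 3*2-5=1--" in the comments: is that not just one equals one?')]
)


def demo():
    return moderate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for client, decision in demo():
        print(f"{client:10s} {decision}")
```

In the constructed stream the two ordinary comments pass, the first three probes are rejected on content, the next three from the same client never reach the content check because the limiter has already seen three attempts inside its 60-second window, and the reader quoting a fragment lands in "review" rather than being blocked outright. Whether "review" means a moderation queue or an extra CAPTCHA is a policy choice; what the example argues against is treating a single weak signal as proof.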