Sphinx - probably an attempt to do INJECTION

Post by oferlaor

1. I'm not sure how many of you are using Sphinx, but it's AMAZING. It has been running for a few years for me, it's extremely fast, extremely resilient and the results are amazing.

2. Most importantly, the reason I installed it was that my indexes became so large that they would more than double my DB size and the speed was terrible. I have a pretty large forum (83K users, 3M+ posts) and the time it took to post was increasingly frustrating. It took forever to save the post because indexing was killing me. I think I moved to Sphinx back on phpbb version 2.X (not 100% sure), but it's been with me forever.

3. I noticed I'm getting errors like this:

Code:

Sphinx Error
» index index_phpbb_gx0r6hgn4i35d7zx_delta,index_phpbb_gx0r6hgn4i35d7zx_main: syntax error, unexpected ')' near ')\=sysdate(),sleep(15),0)'

Code:

Sphinx Error
» index index_phpbb_gx0r6hgn4i35d7zx_delta,index_phpbb_gx0r6hgn4i35d7zx_main: syntax error, unexpected '|' near '|DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)||CHR(98)||CHR(98),15)||'

Code:

Sphinx Error
» index index_phpbb_gx0r6hgn4i35d7zx_delta,index_phpbb_gx0r6hgn4i35d7zx_main: syntax error, unexpected ')' near ')) | 873\=(SELECT 873 FROM PG_SLEEP(15))--'

I was wondering:
1. Do they know something I don't? Does Sphinx have vulnerabilities with SQL or code injection?
2. Anything that I could/should do to block this type of thing?
3. Anything that phpBB should do to prevent SQL injection in this way?

BTW, just try a Sphinx search with parentheses and you see this error immediately.
Re: Sphinx - probably an attempt to do INJECTION

Post by oferlaor

OK, I see that this needs to be added to

phpbb/phpbb/search/fulltext_sphinx.php

public function sphinx_clean_search_string($search_string)

There are some cleanups there, but it's missing parentheses...
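
A triage sketch for the errors quoted in the first post, added here as an example and not part of the thread or of phpBB: it pulls the fragment after `near` out of each Sphinx error line and reports which database's delay call it contains (`sleep(` for MySQL, `DBMS_PIPE.RECEIVE_MESSAGE(` for Oracle, `PG_SLEEP(` for PostgreSQL, all taken from the quoted errors). The index names, the fourth benign line and the function names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample input: the "near" fragments are the three quoted in the
# first post; the index names are placeholders and the last line is a
# constructed benign error from an ordinary unbalanced parenthesis.
PREFIX = "index index_phpbb_EXAMPLE_delta,index_phpbb_EXAMPLE_main: syntax error, "
SAMPLE_ERRORS = [
    PREFIX + r"unexpected ')' near ')\=sysdate(),sleep(15),0)'",
    PREFIX + r"unexpected '|' near '|DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)||CHR(98)||CHR(98),15)||'",
    PREFIX + r"unexpected ')' near ')) | 873\=(SELECT 873 FROM PG_SLEEP(15))--'",
    PREFIX + r"unexpected ')' near ')'",
]

# Text Sphinx echoes after "near", up to the closing quote at end of line.
NEAR = re.compile(r"near '(.*)'\s*$")

# Delay primitives seen in the quoted errors, keyed by the DBMS they belong to.
# \b keeps "sleep(" from also matching inside "PG_SLEEP(".
DELAY_SIGNATURES = {
    "MySQL": re.compile(r"\bsleep\s*\(", re.IGNORECASE),
    "Oracle": re.compile(r"\bdbms_pipe\.receive_message\s*\(", re.IGNORECASE),
    "PostgreSQL": re.compile(r"\bpg_sleep\s*\(", re.IGNORECASE),
}

def classify(error_line):
    """Return (fragment, dbms); dbms is None when no delay call is present."""
    match = NEAR.search(error_line)
    if match is None:
        return None, None
    fragment = match.group(1)
    for dbms, pattern in DELAY_SIGNATURES.items():
        if pattern.search(fragment):
            return fragment, dbms
    return fragment, None

def summarize(error_lines):
    """Count error lines per targeted DBMS; the rest are 'no delay call'."""
    return Counter(classify(line)[1] or "no delay call" for line in error_lines)

if __name__ == "__main__":
    for line in SAMPLE_ERRORS:
        fragment, dbms = classify(line)
        print(f"{dbms or 'no delay call':<14} {fragment}")
```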
