Manager log: SQL Injection Detected

mintnl — Nov 21, 2018, 02:56 PM

Hi, since a week or so i get these messages in the manager log:

[2018-11-14 02:41:45] (ERROR @ /home/USER/domains/DOMAIN/core/xpdo/om/xpdoquery.class.php : 380) SQL injection attempt detected: (`modRedirect`.`pattern` = 'somepage.html\'>title somepage ')
[2018-11-14 02:41:45] (ERROR @ /home/jolien/domains/geheelnatuurlijk.nl/core/xpdo/om/xpdoquery.class.php : 380) SQL injection attempt detected: (`modRedirect`.`pattern` = 'somepage.html\'>title somepage ' OR 'somepage.html\'>title somepage ' REGEXP `modRedirect`.`pattern` OR 'somepage.html\'>title somepage ' REGEXP CONCAT('^', `modRedirect`.`pattern`, '$'))
[2018-11-14 02:41:47] (ERROR @ /home/USER/domains/DOMAIN/core/xpdo/om/xpdoquery.class.php : 380) SQL injection attempt detected: (`modRedirect`.`pattern` = 'webpage.html\'>Webpage title other text in sentence' OR 'webpage.html\'>Webpage title other text in sentence' REGEXP `modRedirect`.`pattern` OR 'webpage.html\'>Webpage title other text in sentence' REGEXP CONCAT('^', `modRedirect`.`pattern`, '$'))

Where 'USER', 'DOMAIN', 'sompage.html', 'webpage.html', 'title somepage' and 'other text in sentence' are edited by me but existant.

Has anyone got any ideas what is happening here. I can see they try to escape a quote. But what i can do to block this??

Re: Manager log: SQL Injection Detected

muzzstick — Feb 03, 2019, 12:16 PM

SQL injections won't be possible when using xPDO like MODX does, it's just warning you that it was attempted.
A way of stopping these errors would be to sanitize any form data that's submitted before it's handled. So that way you're not allowing the malicious code to even reach MODX.

Manager log: SQL Injection Detected - My Forums

Manager log: SQL Injection Detected

Re: Manager log: SQL Injection Detected