500 error on suspecious query option

Kevin Bowrin

unread,

Jul 27, 2022, 3:41:12 PM7/27/22

to AtoM Users

Hi all,

A bot visited our site at:

https://archie.library.carleton.ca/index.php/informationobject/browse?page=7&levels=226&sort=relevance&collection=97411%22)%20AND%204521%3DCAST((CHR(113)||CHR(120)||CHR(98)||CHR(98)||CHR(113))||(SELECT%20(CASE%20WHEN%20(4521%3D4521)%20THEN%20BITCOUNT(BITSTRING_TO_BINARY((CHR(49))))%20ELSE%20BITCOUNT(BITSTRING_TO_BINARY((CHR(48))))%20END))%3A%3Avarchar||(CHR(113)||CHR(106)||CHR(112)||CHR(107)||CHR(113))%20AS%20NUMERIC)%20AND%20(%22zkpw%22%20LIKE%20%22zkpw&sf_culture=en&view=card&sortDir=desc&topLod=0

which produced this php-fpm error:

[27-Jul-2022 12:29:15 America/Vancouver] PHP Fatal error: require(): Failed opening required '/var/www/atom/atom-2.6.4/atom-2.6.4/cache/qubit/prod/config/modules_97411")_AND_4521=CAST((CHR(113)||CHR(120)||CHR(98)||CHR(98)||CHR(113))||(SELECT_(CASE_WHEN_(4521=4521)_THEN_BITCOUNT(BITSTRING_TO_BINARY((CHR(49))))_ELSE_BITCOUNT(BITSTRING_TO_BINARY((CHR(48))))_END))::varchar||(CHR(113)||CHR(106)||CHR(112)||CHR(107)||CHR(113))_AS_NUMERIC)_AND_("zkpw"_LIKE_"zkpw_config_cache.yml.php' (include_path='/var/www/atom/atom-2.6.4/atom-2.6.4:/var/www/atom/atom-2.6.4/atom-2.6.4/vendor/symfony/lib/plugins/sfPropelPlugin/lib/vendor:/usr/share/pear:/usr/share/php') in /var/www/atom/atom-2.6.4/atom-2.6.4/vendor/symfony/lib/view/sfViewCacheManager.class.php on line 337

I'm also seeing a few weird files under cache, like:

cache/qubit/prod/config/modules_97411")_AND_4521=CAST((CHR(113)||CHR(120)||CHR(98)||CHR98o89z

...which doesn't seem right.

Doesn't look like a security vulnerability, but I don't like what looks like arbitrary file names in the cache directory. Any idea what's going on? I'd prefer if these kids of bad queries just returned no results found or 400 errors.

(Also need to figure out why php-fpm is using the wrong timezone, but that's a battle for another day 😅)

Best,

Kevin Bowrin

Carleton University Library

Kevin Bowrin

unread,

Jul 27, 2022, 3:43:42 PM7/27/22

to AtoM Users

*suspicious -_-

Dan Gillean

unread,

Aug 4, 2022, 8:49:38 AM8/4/22

to ICA-AtoM Users

For anyone finding this thread in the future, a response was provided in the the following related forum thread:

https://groups.google.com/g/ica-atom-users/c/IPxi89Diz0w/m/Y0FWZxO4EQAJ

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056

@accesstomemory

he / him

--
You received this message because you are subscribed to the Google Groups "AtoM Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ica-atom-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ica-atom-users/7cea10fb-136e-43e3-9baf-863739cb5dadn%40googlegroups.com.

Reply all

Reply to author

Forward