Reliance on mysql shortcut evaluation can lead to an SQL error message #134
When I try to log in via the back end administrator, the screen is frozen on the same message, but also when I click on the settings cog wheel, I see: TPL_ISIS_EDIT_ACCOUNT, and TPL_ISI_LOGOUT. So maybe TPL_ISIS has been in the site.
Ok, I went to the BFStop wiki, did as it recommended. I deleted the banned IP number from mysql tbl_bfstop_bannedip. That opened up the website again. The banned IP came out of Spain, and I'm in the USA. So, I wonder why my USA IP was blocked so I could not get into the site. Do you think it was a hacking attempt, or just something I triggered because I was working on the site a lot?
This is not an actual block, but rather looks like a bug in bfstop.
By working, are you referring to working in the bfstop backend? If you possibly added an invalid subnet address (e.g. a currently unsupported IPv6 CIDR address, as reported here: #117) manually, then this could be a probable cause. There is also a chance that there is some flaw in bfstop which created an invalid entry in the bannedip table which made that error appear. To debug that, it would however be necessary to get a log of the incident. When you say you deleted the banned IP number, did you completely empty the table or just delete a single entry? Do you happen to have a backup of the content of the table when it wasn't working?
Thank you for the reply. In the bannedip table, I deleted the single entry. It was the only entry. I don't think I have a backup of anything from when bfstop blocked the site because your wiki helped me clear the problem pretty quickly. If visiting the site will help, I can give you access. Info: I used Tor to access the site from the front end in my preceding work session. (Maybe that explains the IP from Spain.) Then I took a break. When I came back, without using Tor, I noticed the site was blocked by bfstop.
Today, I manually entered an IP address into bfstop from the back end. Then this error message appeared in the back end: Return to Control Panel. "Return to control panel" did not work. I also used the admin menu Components/Brute Force Stop Administration, but that left the same error message on the page. This error message appeared on the front end:
1690 BIGINT UNSIGNED value is out of range in '((1 << (32 - substr('77.232.66.255',(locate('/','77.232.66.255') + 1),(length('77.232.66.255') - locate('/','77.232.66.255'))))) - 1)' SQL=SELECT id, ipaddress, crdate, duration FROM #__bfstop_bannedip b WHERE (ipaddress='77.232.66.255' OR (LENGTH(ipaddress) <= 18 AND LOCATE('/', ipaddress) != 0 AND (INET_ATON('77.232.66.255') & ~((1 << (32 - SUBSTR(ipaddress, LOCATE("/", ipaddress)+1, LENGTH(ipaddress)-LOCATE("/", ipaddress))))-1)) = (INET_ATON(SUBSTR(ipaddress, 1, LOCATE("/", ipaddress)-1)) & ~((1 << (32 - SUBSTR(ipaddress, LOCATE("/", ipaddress)+1, LENGTH(ipaddress)-LOCATE("/", ipaddress))))-1)))) AND (b.duration=0 OR DATE_ADD(b.crdate, INTERVAL b.duration MINUTE) >= '2016-10-11 23:29:45') AND NOT EXISTS (SELECT 1 FROM #__bfstop_unblock u WHERE b.id = u.block_id)
MySQL tbl_bfstop_bannedip had a single entry. I deleted that row entry and everything returned to normal on my website.
When I re-entered 77.232.66.255 into bfstop administration blocked IPs, the same error messages reappeared.
Additional info:
I'm very interested in this issue, as I'm a developer and I installed BFStop about 20 times in different Joomla projects. So I decided to check this bug. I manually entered this evil IP 77.232.66.255 from the back end... and nothing happened! All works perfectly - frontend, backend, plugin. The same was with 176.31.149.121. I used my last working Joomla project for this test (finished 3 months ago, Joomla 3.6.2 and BFStop 1.3 stable). MySQL 5.6 utf8mb4.
@pintobuck what database software / version are you using? postgres by any chance? Or if mysql/mariadb, which version? |
My websites are on the hosting service at servage.net, which uses MySQL v.5
I used their auto install tool for Joomla 3.5 and then used Joomla's auto update. |
MySQL v.5 is quite unspecific, what "subversion" is it? (e.g. 5.0? 5.5?). servage.net homepage isn't very helpful in that regard - it says 5.0 and higher, so you'd have to check which version you have (see e.g. https://geeksww.com/tutorials/database_management_systems/mysql/tips_and_tricks/how_to_check_mysql_version_number.php)
Thank you for the reference to the tech info page. This is what I found at Servage.net: MySQL Web server
I suspect this to be an expression evaluation issue - as the expression causing the problem Unfortunately I cannot reproduce this issue on my systems at the moment; I will nevertheless try to implement a fix for this in the next version. At the moment, to me the best fix seems to be to separate IP addresses and subnet blocks entirely into different tables, so that the checks can be separated and don't need to rely on short-circuit evaluation. I will let you know once the fix is available so that you can test it on your system; as I said above, I cannot reproduce it, so I would need your help in making sure that I have fixed it. Please note that it might take some time, as I am extremely busy at the moment with other things. I do expect to have something by the end of the year - please be patient!
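As an added example (not bfstop's own code, and not the fix that shipped in 1.4.1): the first statement below reproduces the arithmetic behind the reported error 1690 for a row that holds a plain address rather than a subnet, and the rest sketches one layout in which no condition of the WHERE clause can fail, whichever order MySQL evaluates the AND operands in. The table and column names demo_bannedip, network and prefixlen are assumptions for the demo; the sample rows are constructed.

```sql
-- Added example, not bfstop's code: why the bannedip lookup can raise
-- error 1690 for a row that is a plain address, and a table layout whose
-- WHERE clause cannot error no matter which condition MySQL evaluates first.
-- demo_bannedip, network and prefixlen are names assumed for this demo.

-- 1. The arithmetic behind the reported error, for a row with no '/'.
--    LOCATE('/', ...) is 0, so SUBSTR(...) returns the whole address; in
--    numeric context '77.232.66.255' becomes 77.232, the shift count
--    32 - 77.232 is negative, the unsigned << operator turns it into a
--    shift of 64 or more bits (result 0), and 0 - 1 is out of range for
--    BIGINT UNSIGNED. This is the same computation as in the reported
--    error message and fails the same way.
SELECT (1 << (32 - SUBSTR('77.232.66.255',
                          LOCATE('/', '77.232.66.255') + 1,
                          LENGTH('77.232.66.255') - LOCATE('/', '77.232.66.255'))))
       - 1 AS mask_low_bits;

-- The original query guards this with "LOCATE('/', ipaddress) != 0 AND ...",
-- but MySQL does not promise to evaluate AND operands left to right and
-- stop at the first false one, so the guard does not reliably protect it.

-- 2. Store the parsed form instead of the string. A host entry is stored
--    with prefixlen = 32; with prefixlen inside 0..32 the expression
--    (1 << (32 - prefixlen)) - 1 is defined for every row.
CREATE TABLE demo_bannedip (
  id        INT UNSIGNED     NOT NULL AUTO_INCREMENT PRIMARY KEY,
  network   INT UNSIGNED     NOT NULL,             -- INET_ATON() of the base address
  prefixlen TINYINT UNSIGNED NOT NULL DEFAULT 32,  -- 32 = single host
  crdate    DATETIME         NOT NULL,
  duration  INT              NOT NULL DEFAULT 0,   -- minutes; 0 = permanent
  CHECK (prefixlen <= 32)   -- enforced from MySQL 8.0.16; older servers parse
                            -- and ignore it, so validate prefixlen in the
                            -- application too (33 would make 32 - prefixlen
                            -- negative and fail in unsigned arithmetic)
);

INSERT INTO demo_bannedip (network, prefixlen, crdate, duration) VALUES
  (INET_ATON('77.232.66.255'), 32, NOW(), 0),   -- constructed plain host entry
  (INET_ATON('10.20.0.0'),     16, NOW(), 60);  -- constructed /16 subnet entry

-- 3. Lookup for one visitor. The mask comes from an integer column, so no
--    operand depends on the shape of a string in another row.
--    4294967295 is 0xFFFFFFFF written in decimal so that it is an integer
--    operand on every server (MySQL 8.0 can treat hex literals in bit
--    operations as binary strings).
SET @visitor = INET_ATON('10.20.5.9');

SELECT id, INET_NTOA(network) AS base, prefixlen
  FROM demo_bannedip b
 WHERE (@visitor & (4294967295 ^ ((1 << (32 - prefixlen)) - 1)))
     = (network  & (4294967295 ^ ((1 << (32 - prefixlen)) - 1)))
   AND (b.duration = 0
        OR DATE_ADD(b.crdate, INTERVAL b.duration MINUTE) >= NOW());
-- Only the 10.20.0.0/16 row matches 10.20.5.9; the host row does not.
```

The NOT EXISTS check against the unblock table from the original query is unchanged by this layout and was left out only to keep the demo short. The point of the layout is that the subnet arithmetic never touches a string: a host row simply carries a /32, so there is no branch that must be skipped for it to be safe.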
I would be happy to test the update whenever you're ready.
This might be fixed now. Could you test by applying the changes from here:
@pintobuck The new release is available, it should address this issue: https://github.com/codeling/bfstop/releases/tag/1.4.1 Please comment here or open a new issue if you should still encounter any problems with that new version!
I installed bfstop release tag 1.4.1 on my website on the shared hosting service at Servage.net, and everything is working fine. Thank you for providing the fix.
Glad to hear that it works for you now!
Hello, this error message returned again: Info: I previously upgraded to PHP 7.0. bfstop info: Server & Joomla Info: On another website with an identical setup, I could not log in as admin due to an invalid security token. I don't know if that was related to bfstop, but the problem went away after I disabled bfstop via tbl_extensions.
So it was working for a while with 1.4.1 and now has stopped working again? Anything in the bfstop logs? Have you tried entering any IP address in the backend before with version 1.4.1?
That is very strange. I have not seen any other reports of this yet, and bfstop doesn't read, set or modify any security tokens... |
Can you help me understand this? Thank you.
This is the BFStop message on the website's home page:
1690 BIGINT UNSIGNED value is out of range in '((1 << (32 - substr('176.31.149.121',(locate('/','176.31.149.121') + 1),(length('176.31.149.121') - locate('/','176.31.149.121'))))) - 1)' SQL=SELECT id, ipaddress, crdate, duration FROM #__bfstop_bannedip b WHERE (ipaddress='109.163.234.8' OR (LENGTH(ipaddress) <= 18 AND LOCATE('/', ipaddress) != 0 AND (INET_ATON('109.163.234.8') & ~((1 << (32 - SUBSTR(ipaddress, LOCATE("/", ipaddress)+1, LENGTH(ipaddress)-LOCATE("/", ipaddress))))-1)) = (INET_ATON(SUBSTR(ipaddress, 1, LOCATE("/", ipaddress)-1)) & ~((1 << (32 - SUBSTR(ipaddress, LOCATE("/", ipaddress)+1, LENGTH(ipaddress)-LOCATE("/", ipaddress))))-1)))) AND (b.duration=0 OR DATE_ADD(b.crdate, INTERVAL b.duration MINUTE) >= '2016-10-08 20:45:23') AND NOT EXISTS (SELECT 1 FROM #__bfstop_unblock u WHERE b.id = u.block_id)