ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Does Lizamoon affect ExpressionEngine?

April 03, 2011 5:28pm

  • #1 / Apr 03, 2011 5:28pm

    P.J.

    158 posts

    Notwithstanding the general recommendation of upgrading to the latest build, do the recent Lizamoon exploits affect ExpressionEngine, including the older 1.6.x versions of the software?

  • #2 / Apr 03, 2011 6:43pm

    wildrock

    262 posts

    What I’ve read so far, and there’s a good bit of info at WebSense, is that this is a SQL injection, meaning that data gets passed into an SQL server via a web app that doesn’t filter data properly. As ExpressionEngine doesn’t use Microsoft SQL servers, instead relying on MySQL, it doesn’t appear that the Lizamoon injection can infect MySQL, hence EE sites should not be compromised.

    However, that doesn’t answer the question about how well EE can filter injection attacks, other than Lizamoon, or what would happen if Lizamoon would morph into having the ability to infect MySQL. I’ll leave the answer to that question for EE to answer. I have no knowledge in this area.

    As I build and manage Mac OS X Servers, and run a variety of sites (including a few ExpressionEngine installs) on my own server hardware/software platforms, I was very interested to know if Lizamoon could affect me, from a system admin perspective. I regularly have to inspect my Apache, MySQL and PHP installs and phpMyAdmin accounts to detect and prevent attacks, which, if you run an open SSH port for example, results in a continual barrage of attacks on MySQL.

  • #3 / Apr 04, 2011 3:31pm

    Sue Crocker

    26054 posts

    Thanks for the assist, wildrock.

    Hi, PJ. ExpressionEngine filters against SQL injection. If you have evidence that you can get an injection past the filters, please email details to [email address not shown in the archived page].

    As wildrock mentioned, this particular exploit is for Microsoft SQL Server, and shouldn’t affect EE at all.

  • #4 / Apr 04, 2011 3:45pm

    P.J.

    158 posts

    Thank you, kindly.

    I was a bit confused about the news reporting in that some reports mentioned specifically Microsoft SQL but others did not specify this. Thus, it left me wondering if MySQL was also affected. I asked the question because my hosting company took the unusual step of emailing its customers (including me) because I was one of the customers who installed a CMS software that used SQL.

  • #5 / Apr 04, 2011 4:15pm

    Sue Crocker

    26054 posts

    Better to be safe than sorry. 😊 I’m going to go ahead and close this particular thread, but if you need to, don’t hesitate to post again.
