FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

INSERTions into ses table for unknown users [message #168060] Tue, 08 January 2013 12:00
San ???????
Messages: 4
Registered: January 2013
Karma: 0
Junior Member

Some time ago I discovered high load on my site's server caused by the MySQL instance (about 50% of CPU time). I checked the httpd load and found nothing serious (about 0.2 req/sec). Then I enabled query logging in MySQL and got a lot of the following lines:

...
1 Query       INSERT INTO 2frmdb_ses (ses_id, time_sec, sys_id, user_id) VALUES ('da44744b0744e7182e2d8e21bb2b4063', 1357649603, '', 2001593538)
1 Query       INSERT INTO 2frmdb_ses (ses_id, time_sec, sys_id, user_id) VALUES ('517bf2b9b646c2e48dbc28f996941b15', 1357649603, '', 2053834729)
1 Query       INSERT INTO 2frmdb_ses (ses_id, time_sec, sys_id, user_id) VALUES ('ecb78d35baa48deec43abf7d649ea7eb', 1357649603, '', 2055756004)
...


I checked the users table against those IDs (user_id above) and found nothing - the users table has no such IDs at all.

Is it normal? If not, then how is that possible and what should I do to stop it?

Forum version 3.0.1, php version 5.3.17, MySQL version 5.0.84, server OS - Slackware Linux 13.0.
Re: INSERTions into ses table for unknown users [message #168061 is a reply to message #168060] Tue, 08 January 2013 13:08
Marticus   United States
Messages: 272
Registered: June 2002
Karma: 1
Senior Member
Have you encountered this in the latest release?
Re: INSERTions into ses table for unknown users [message #168062 is a reply to message #168061] Tue, 08 January 2013 15:59
San ???????

Moving between releases is not easy for me so I should be guaranteed that it helps.
Re: INSERTions into ses table for unknown users [message #168063 is a reply to message #168062] Tue, 08 January 2013 20:33
San ???????

It seems like I found a cause of the problem. There is session checking in index.php on every request, and if the client has no session cookie, one is created (for anonymous users too, in ses_anon_make()). The latter could be used for a DoS attack if the client ignores the forum cookie - that is why I'm getting a lot of new lines in the ses table for non-existing accounts. The code (from ses_anon_make()) gives me no chance in this case:

do {
    $uid = 2000000000 + mt_rand(1, 147483647);
    $ses_id = md5($uid . __request_timestamp__ . getmypid());
} while (!($id = db_li("INSERT INTO 2frmdb_ses (ses_id, time_sec, sys_id, user_id) VALUES ('".$ses_id."', ".__request_timestamp__.", '".ses_make_sysid(). "', ".$uid.')', $ef, 1)));


Cyclic INSERTions to the DB to get an ID are just brilliant. :) For crackers, of course... For example, my forum has about 6000 registered accounts and only a few of them are really active, but my session table file (MyISAM) takes about 2 GBytes on disk now and grows quickly.
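
Added example, not part of the original posts and not FUDforum code: a small parser that measures how fast anonymous sessions are being created, using MySQL general-query-log lines in the shape shown in the first post and the anonymous user_id range from the quoted ses_anon_make(). The function names, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Anonymous ids are 2000000000 + mt_rand(1, 147483647), per the quoted ses_anon_make().
ANON_MIN, ANON_MAX = 2000000001, 2147483647

# Shape of the general-query-log lines shown in the first post (any table prefix).
INSERT_RE = re.compile(
    r"INSERT INTO \w+_ses \(ses_id, time_sec, sys_id, user_id\) "
    r"VALUES \('[0-9a-f]{32}', (\d+), '[^']*', (\d+)\)"
)

def _line(n, ts, uid):
    """Build one constructed log line (not real data)."""
    return ("1 Query       INSERT INTO 2frmdb_ses (ses_id, time_sec, sys_id, user_id) "
            f"VALUES ('{n:032x}', {ts}, '', {uid})")

# Constructed sample: five anonymous inserts in one second, one in the next,
# an unrelated query, and an insert whose user_id is outside the anonymous range.
SAMPLE_LOG = (
    [_line(i, 1357649603, 2000000100 + i) for i in range(5)]
    + [_line(9, 1357649604, 2000000200),
       "1 Query       SELECT 1",
       _line(10, 1357649604, 42)]
)

def anon_session_inserts(lines):
    """Yield (time_sec, user_id) for each INSERT that creates an anonymous session."""
    for line in lines:
        m = INSERT_RE.search(line)
        if m and ANON_MIN <= int(m.group(2)) <= ANON_MAX:
            yield int(m.group(1)), int(m.group(2))

def summarize(lines, threshold):
    """Count anonymous-session INSERTs per second and flag seconds at or above threshold."""
    per_second = Counter(ts for ts, _ in anon_session_inserts(lines))
    return {
        "total": sum(per_second.values()),
        "peak_per_second": max(per_second.values(), default=0),
        "bursts": {ts: n for ts, n in per_second.items() if n >= threshold},
    }

if __name__ == "__main__":
    # threshold=3 is an arbitrary value for the sample; tune it to normal traffic.
    print(summarize(SAMPLE_LOG, threshold=3))
```

Comparing the per-second count against the web server's request rate for the same period shows whether session rows are being created by clients that never send the cookie back.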
Re: INSERTions into ses table for unknown users [message #168064 is a reply to message #168063] Tue, 08 January 2013 21:14
San ???????

I applied the following quick&dirty hack to protect my site from that kind of attack:

306c306
<       do {
---
>       /* do { */
307a308
>               $id = $uid;
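Review bot: the added $id = $uid; at new line 308 makes $id the random 2000000000 + mt_rand(1, 147483647) value instead of whatever db_li() returned for the INSERT, and with the do/while disabled nothing retries on a collision, so two anonymous visitors can receive the same $uid and $id. If callers treat $id as the identifier of a stored session row it will no longer match anything; consider keeping a single INSERT and returning its result, and limiting how often it runs instead.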
309c310
<       } while (!($id = db_li("INSERT INTO 2frmdb_ses (ses_id, time_sec, sys_id, user_id) VALUES ('".$ses_id."', ".__request_timestamp__.", '".ses_make_sysid()."', ".$uid.')', $ef, 1)));
---
>       /* } while (!($id = db_li("INSERT INTO 2frmdb_ses (ses_id, time_sec, sys_id, user_id) VALUES ('".$ses_id."', ".__request_timestamp__.", '".ses_make_sysid()."', ".$uid.')', $ef, 1))); */
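Review bot: commenting out the whole while condition at line 309/310 removes the INSERT INTO 2frmdb_ses itself, not only the retry loop, so no anonymous session is stored at all. If the aim is to stop table growth from clients that ignore the cookie, a narrower change would keep one INSERT without the loop and gate it (for example per sys_id or per time window), and delete the old lines rather than leaving them inside /* */. Because ses_anon_make() is declared in more than one place, the same change has to be made in every copy.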


The problem is that ses_anon_make() is declared in more than one place. Strange code organization, yes...