Blesta Addons (Posted August 22, 2017): In one of our Blesta installations we have noticed that the client ID incrementation has jumped from sequential to a much higher number. The client IDs were 4721, 4722 .... 4730, then it moved directly to 11784 ... then 11785, 11786 .... How can this happen? Blesta? A MySQL issue?
Paul (Posted August 22, 2017): I've seen that happen due to pen testing. A malicious user may be running penetration tests on your order form. The creation of a client account fails, but a transaction is created and rolled back in MySQL. If a transaction is rolled back, the auto-increment ID still cannot be used again. (See https://bugs.mysql.com/bug.php?id=6714, though not a bug, as indicated by the comments.) So, you should check your web server logs and/or block any attackers with mod_security or firewall rules.
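As an added example (not code from this thread or from Blesta), the kind of check Paul suggests when he says to look at the web server logs: parse combined-format access log lines, count POSTs to the order form per client IP in a sliding window, and report the IPs that exceed a threshold. The log lines are constructed for the example; the `/order/` prefix is Blesta's default order form path, but `/order/signup/` as the registration step is an assumption and should be matched against the real URLs in your own log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Paths whose POSTs can create a client record. "/order/" is Blesta's default
# order form prefix; adjust if the installation uses a different route.
ORDER_PATH_PREFIXES = ("/order/",)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def flag_order_form_abuse(lines, threshold=10, window_seconds=60):
    """Return {ip: peak_posts} for IPs that sent more than `threshold` POSTs to the
    order form inside any `window_seconds` sliding window. Unparseable lines are skipped."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith(ORDER_PATH_PREFIXES):
            continue
        posts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        peak = 0
        start = 0
        # Two-pointer sliding window: advance `start` until the window fits.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def _sample_log():
    """Constructed sample, not a real log: one IP hammering the signup step
    (15 POSTs in under 30 seconds) and one ordinary customer."""
    lines = []
    for i in range(15):
        lines.append(
            f'198.51.100.23 - - [22/Aug/2017:10:15:{i * 2:02d} +0000] '
            f'"POST /order/signup/ HTTP/1.1" 302 -'
        )
    lines.append('203.0.113.5 - - [22/Aug/2017:10:16:01 +0000] "GET /order/main/ HTTP/1.1" 200 5120')
    lines.append('203.0.113.5 - - [22/Aug/2017:10:18:44 +0000] "POST /order/signup/ HTTP/1.1" 302 -')
    lines.append('198.51.100.23 - - [22/Aug/2017:10:19:00 +0000] "GET /order/main/ HTTP/1.1" 200 5120')
    lines.append("this line is not in combined format and is skipped")
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for ip, peak in flag_order_form_abuse(SAMPLE_LOG).items():
        print(f"{ip}: {peak} order-form POSTs within one window")
```

Feed it the real access log with `flag_order_form_abuse(open("access.log"))`; the IPs it returns are candidates for a firewall or mod_security block. Only POSTs count, because it is the submission that opens the transaction that later rolls back, not the GET that renders the form.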
Tyson (Posted August 22, 2017): It sounds like someone may have been trying to create thousands of accounts in Blesta from the order form. Creating a client happens in a database transaction; when that transaction is rolled back the records will not exist in the database, but the auto-increment primary keys will still increase.
Blesta Addons (Posted August 22, 2017, author): I have noticed that the reCAPTCHA is not shown in the registration form, even though it is enabled on the admin side. I should investigate why it is not showing. Any mod_security rule to block such an attack? I don't use any mod_security rules, as the only website on the server is Blesta. EDIT: the captcha is showing fine in every order form type except the client registration type, where the reCAPTCHA is not shown!!! I have found that the captcha was disabled in the client registration template.
Paul (Posted August 23, 2017): For mod_security, there are some popular rulesets you can use that do a pretty good job of blocking things across the board. I'd suggest watching it to make sure there are no false positives for a little while though. http://modsecurity.org/rules.html
Amit Kumar Mishra (Posted October 2, 2018): Just wondering, why is the client ID not set to the MySQL auto-incremented ID? This may prevent it from happening. As for multi-company, you may still have the present auto-increment value set as the client ID, or maybe fetch the client ID from the incremented MySQL value, i.e. get the present ID and set it as the client ID. Not sure if this would be a big task or some small patch; may the coders reply on this.
Tyson (Posted October 2, 2018): The client ID already is the auto-increment ID. That value increments every time a record is added, whether it was a part of a failed transaction or not.