Closed Razziaftab closed 8 months ago
Do you still have that spam comment and can you post it here as a code snippet or send it to me directly? This would be a huge help, so I can prevent things like that.
Please be aware that version 1.13.0 is a release updating to Kirby 4, so this is probably causing display issues with Kirby 3. This should have been a breaking change; I guess I messed that up.
author: lxbfYeaa
avatar: >
  https://www.gravatar.com/avatar/d9d7c6d159bb61f3614df3f0f22975bc
authorurl: http://www.example.com
kommenttype: KOMMENT
quote: "1"
komment: '555*if(now()=sysdate(),sleep(15),0)'
source: >
  http://www.example.com
target: >
  http://www.example.com
mentionof: "1"
property: KOMMENT
published: 2024-01-29 00:50:00
status: 'false'
verified: 'false'
id: 7rb0185f6d4d90f6919953dffe1880po
spamlevel: 100
komment: "5550'XOR(555*if(now()=sysdate(),sleep(15),0))XOR'Z"
komment: -1" OR 2+320-320-1=0+0+0+1 --
komment: "555se1LqR5o')) OR 284=(SELECT 284 FROM PG_SLEEP(15))--"
komment: '555*DBMS_PIPE.RECEIVE_MESSAGE(CHR(99)||CHR(99)||CHR(99),15)'
This is the spam comment I copied from the content folder. The first is the entire structure, whereas the others are merely comments containing distinct vulnerable code. So you can prevent these types of code.
Does it mean that version 1.13.0 is no longer compatible with Kirby 3?
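A defender-side heuristic, added here as an illustration and not part of the komments plugin: it scores comment bodies against the time-delay and tautology fingerprints visible in the samples above. The sample list, rule names and scoring weights are constructed assumptions, not the plugin's own spam logic.

```python
import re
from typing import List, Tuple

# Constructed sample set: the five komment bodies posted in this issue plus
# one benign comment, so the scorer can be checked against both kinds.
SAMPLE_KOMMENTS = [
    "555*if(now()=sysdate(),sleep(15),0)",
    "5550'XOR(555*if(now()=sysdate(),sleep(15),0))XOR'Z",
    '-1" OR 2+320-320-1=0+0+0+1 --',
    "555se1LqR5o')) OR 284=(SELECT 284 FROM PG_SLEEP(15))--",
    "555*DBMS_PIPE.RECEIVE_MESSAGE(CHR(99)||CHR(99)||CHR(99),15)",
    "Great article, thanks for sharing your setup!",
]

# (rule name, pattern). Each pattern is the fingerprint of one probing
# technique seen in the samples: MySQL/PostgreSQL/Oracle time delays, a
# boolean tautology after OR, and a trailing SQL comment terminator.
RULES = [
    ("mysql_time_delay", re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I)),
    ("mysql_now_sysdate", re.compile(r"now\s*\(\s*\)\s*=\s*sysdate\s*\(\s*\)", re.I)),
    ("postgres_time_delay", re.compile(r"\bpg_sleep\s*\(", re.I)),
    ("oracle_pipe_delay", re.compile(r"dbms_pipe\.receive_message", re.I)),
    ("boolean_tautology", re.compile(r"""['"]?\s*OR\s+[\d+\-*/ ]+=\s*[\d+\-*/ ]+""", re.I)),
    ("comment_terminator", re.compile(r"(--|#|/\*)\s*$")),
]


def score_komment(text: str) -> Tuple[int, List[str]]:
    """Return (spamlevel 0..100, matched rule names) for one comment body.

    A single fingerprint is already strong evidence, so it scores 60;
    two or more saturate at 100, mirroring the 0..100 spamlevel scale.
    """
    hits = [name for name, rx in RULES if rx.search(text)]
    level = min(100, 60 * len(hits))
    return level, hits


def flag_spam(texts: List[str], threshold: int = 60) -> dict:
    """Map every comment at or above the threshold to its (level, hits)."""
    flagged = {}
    for text in texts:
        level, hits = score_komment(text)
        if level >= threshold:
            flagged[text] = (level, hits)
    return flagged
```

Regex heuristics like these belong beside, not instead of, the plugin's existing spam scoring and tag stripping; their value is moderation triage, since the content is never executed or handed to a database.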
Thank you for the samples. Most of this shouldn't do harm, as tags are removed by the plugin and the content is never executed in any way. It is also not stored in a database right now. But I will take this and play around and see if I can break the plugin, to check if I missed something. Also good to see that the plugin detected it as spam.
Version 1.13.x will work with K3. The problem is the panel view, which uses CSS variables provided by Kirby, and those changed; that's probably why it looks broken. I'll have a look at how I can fix that so that it works with both versions. Same for some JS stuff. In the meantime you could use the page section https://github.com/mauricerenck/komments/blob/main/docs/panel.md#adding-komments-to-your-panel-blueprint to moderate comments on page level.
Yes, the plugin detected it as spam, but somehow the backend was broken.
On the backend panel, the error was "Cannot read properties of undefined (reading 'dispatch')".
I already disabled that using the page section.
@mauricerenck Have you investigated this issue? Could you please fix it? I have temporarily disabled the plugin, but I need to re-enable it while I wait for this bug to be fixed.
If you do not see any problems with the above comment code, please provide me with your email address or other information so that I can send the entire file to you privately. On GitHub, I cannot message you privately.
I looked into it. The sample comments you provided don't do any harm to Kirby or the plugin. As no code is executed at any point, this shouldn't be a problem.
Making version 1.13 compatible with both Kirby 3 and 4 is a bit of a challenge and will take some time. Please use the prior version until I have a solution for that. You can find my email address here: https://maurice-renck.de/en/impressum
As I got no more feedback, I will close this issue. If the problem comes up again, feel free to re-open it.
Spam email attack with some JavaScript and a blind SQL injection method; afterwards, backend comments are not showing.
On the backend panel, the error is "Cannot read properties of undefined (reading 'dispatch')".
I deleted the comments from the content folder, and now it's working fine, but how can I deal with this using the plugin in the future?
Kirby: 3.10.0
Plugin: 1.11.1
Now I'm trying to change the version from 1.11.1 to 1.13.2, but in the backend panel the comments list and details are not showing properly (HTML and CSS need adjusting). Can you please guide me?