Closed jlopp closed 2 years ago
This is something interesting. I did not find the log processing ... pageviews in the code base; also, the data record of yours does not match the pageviews table definition. Do you mind including the version of your fathom instance, as well as the corresponding column name of that record?
Just to have it written:
This is imho not a real SQL injection possibility. It is more a "Trusted User Input" issue, where it was easy to inject a custom ID; however, a SQL injection wouldn't be possible with it.
We recently noticed that the metrics on our fathom instance had shot up by several orders of magnitude despite our traffic remaining fairly steady. From looking at the fathom logs we see a lot of:
msg="processing 5000 pageviews"
Which should never happen given the low-volume traffic of our site. While we haven't reproduced the cause, we believe someone is able to trigger this by sending malformed requests to fathom; we see errors being logged such as:
We see a record in our "pageviews" table that looks like this:
('jjjjjjj${123456}jjjjjjj<%=123','https://keys.casa','/',0,0,0,1,'https://store.casa/pay-with-bitcoin-ethereum-litecoin-crypto/',0,'2020-04-27 23:12:11','AMBTH',0)
And suspect that SQL injection may be possible via the referer