Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-19886

Brute Force Attack - XWikiLogin is executing create table statements on PostgreSQL

    XMLWordPrintable

Details

    • Unknown
    • N/A

    Description

      On Fr. 2022-06-24 a brute force attack has been performed on our XWiki 13.10.6 instance.
      Inbetween 16:33 (CEST) and 17:56 (CEST) 184000+ requests have been reported to logs - xwiki.log is ~ 3GB.

      Plenty of POST requests to /bin/loginsubmit/XWiki/XWikiLogin result in XWiki executing DDL create table statements in the PostgreSQL database.

      access.log

      141.113.97.246 "88.99.125.2" - - 2022-06-24T16:48:55+0200 POST "www.faplis.de/wiki/bin/loginsubmit/XWiki/XWikiLogin" 403 17208 "https://www.faplis.de/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36  CIVAI" 1061 17538
...
141.113.97.247 "88.99.125.2" - - 2022-06-24T16:48:56+0200 POST "www.faplis.de/wiki/bin/loginsubmit/XWiki/XWikiLogin" 403 16919 "https://www.faplis.de/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36  CIVAI" 974 17249

      System out/err:

      Jun 24 16:48:55 sedcafap0150 sh[17010]: 2022-06-24 16:48:55,420 [http-nio-8080-exec-16 - http://www.faplis.de/wiki/bin/loginsubmit/XWiki/XWikiLogin] WARN  nticationFailureLoggerListener - Authentication failure with login [0"XOR(if(now()=sysdate(),sleep(15),0))XOR"Z]
Jun 24 16:48:55 sedcafap0150 sh[17010]: 2022-06-24 16:48:55,928 [http-nio-8080-exec-7 - http://www.faplis.de/wiki/bin/loginsubmit/XWiki/XWikiLogin] WARN  nticationFailureLoggerListener - Authentication failure with login [(select(0)from(select(sleep(15)))v)/*'+(select(0)from(select(sleep(15)))v)+'"+(select(0)from(select(sleep(15)))v)+"*/]
Jun 24 16:48:56 sedcafap0150 sh[17010]: 2022-06-24 16:48:56,488 [http-nio-8080-exec-16 - http://www.faplis.de/wiki/bin/loginsubmit/XWiki/XWikiLogin] ERROR c.x.x.i.s.h.HibernateStore     - Error executing DDL "create table 1waitfordelay'0.activitystream_events (ase_eventid varchar(48) not null, ase_requestid varchar(48), ase_stream varchar(768), ase_date timestamp, ase_priority int4, ase_type varchar(768), ase_application varchar(768), ase_user varchar(768), ase_wiki varchar(255), ase_space varchar(768), ase_page varchar(768), ase_hidden boolean, ase_url text, ase_title text, ase_body text, ase_version varchar(30), ase_param1 text, ase_param2 text, ase_param3 text, ase_param4 text, ase_param5 text, primary key (ase_eventid))" via JDBC Statement
Jun 24 16:48:56 sedcafap0150 sh[17010]: org.hibernate.tool.schema.spi.CommandAcceptanceException: Error executing DDL "create table 1waitfordelay'0.activitystream_events (ase_eventid varchar(48) not null, ase_requestid varchar(48), ase_stream varchar(768), ase_date timestamp, ase_priority int4, ase_type varchar(768), ase_application varchar(768), ase_user varchar(768), ase_wiki varchar(255), ase_space varchar(768), ase_page varchar(768), ase_hidden boolean, ase_url text, ase_title text, ase_body text, ase_version varchar(30), ase_param1 text, ase_param2 text, ase_param3 text, ase_param4 text, ase_param5 text, primary key (ase_eventid))" via JDBC Statement
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.hibernate.tool.schema.internal.exec.GenerationTargetToDatabase.accept(GenerationTargetToDatabase.java:67)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.hibernate.tool.schema.internal.AbstractSchemaMigrator.applySqlString(AbstractSchemaMigrator.java:563)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.hibernate.tool.schema.internal.AbstractSchemaMigrator.applySqlStrings(AbstractSchemaMigrator.java:508)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.hibernate.tool.schema.internal.AbstractSchemaMigrator.createTable(AbstractSchemaMigrator.java:278)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.hibernate.tool.schema.internal.GroupedSchemaMigratorImpl.performTablesMigration(GroupedSchemaMigratorImpl.java:71)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.hibernate.tool.schema.internal.AbstractSchemaMigrator.performMigration(AbstractSchemaMigrator.java:208)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.hibernate.tool.schema.internal.AbstractSchemaMigrator.doMigration(AbstractSchemaMigrator.java:115)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.hibernate.tool.hbm2ddl.SchemaUpdate.execute(SchemaUpdate.java:94)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.hibernate.tool.hbm2ddl.SchemaUpdate.execute(SchemaUpdate.java:63)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.internal.store.hibernate.HibernateStore.updateDatabase(HibernateStore.java:1125)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.internal.store.hibernate.HibernateStore.updateDatabase(HibernateStore.java:992)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.internal.store.hibernate.HibernateStore.updateDatabase(HibernateStore.java:1159)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.store.XWikiHibernateBaseStore.updateSchema(XWikiHibernateBaseStore.java:264)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.store.migration.hibernate.HibernateDataMigrationManager.hibernateShemaUpdate(HibernateDataMigrationManager.java:208)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.store.migration.hibernate.HibernateDataMigrationManager.updateSchema(HibernateDataMigrationManager.java:189)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.store.migration.hibernate.HibernateDataMigrationManager.initializeEmptyDB(HibernateDataMigrationManager.java:158)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.store.migration.AbstractDataMigrationManager.initNewDB(AbstractDataMigrationManager.java:446)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.store.migration.AbstractDataMigrationManager.initializeCurrentDatabase(AbstractDataMigrationManager.java:551)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.store.migration.AbstractDataMigrationManager.checkDatabase(AbstractDataMigrationManager.java:534)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.internal.store.hibernate.HibernateStore.setWiki(HibernateStore.java:703)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.internal.store.hibernate.HibernateStore.setWiki(HibernateStore.java:662)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.internal.store.hibernate.HibernateStore.beginTransaction(HibernateStore.java:853)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.internal.store.hibernate.HibernateStore.beginTransaction(HibernateStore.java:786)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.store.XWikiHibernateBaseStore.beginTransaction(XWikiHibernateBaseStore.java:531)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.store.XWikiHibernateStore.search(XWikiHibernateStore.java:2584)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.store.XWikiHibernateStore.search(XWikiHibernateStore.java:2562)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.store.XWikiCacheStore.search(XWikiCacheStore.java:690)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.XWiki.search(XWiki.java:2463)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.findUser(XWikiAuthServiceImpl.java:466)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.authenticate(XWikiAuthServiceImpl.java:414)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:297)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:208)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:190)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:239)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:4336)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.xwiki.security.authorization.internal.XWikiCachingRightService.authenticateUser(XWikiCachingRightService.java:241)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.xwiki.security.authorization.internal.XWikiCachingRightService.checkAccess(XWikiCachingRightService.java:271)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:4359)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:5880)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:502)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:292)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.web.LegacyActionServlet.service(LegacyActionServlet.java:115)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:122)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.xwiki.wysiwyg.filter.ConversionFilter.doFilter(ConversionFilter.java:61)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:132)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:890)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1743)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at java.base/java.lang.Thread.run(Unknown Source)
Jun 24 16:48:56 sedcafap0150 sh[17010]: Caused by: org.postgresql.util.PSQLException: Unterminated string literal started at position 26 in SQL create table 1waitfordelay'0.activitystream_events (ase_eventid varchar(48) not null, ase_requestid varchar(48), ase_stream varchar(768), ase_date timestamp, ase_priority int4, ase_type varchar(768), ase_application varchar(768), ase_user varchar(768), ase_wiki varchar(255), ase_space varchar(768), ase_page varchar(768), ase_hidden boolean, ase_url text, ase_title text, ase_body text, ase_version varchar(30), ase_param1 text, ase_param2 text, ase_param3 text, ase_param4 text, ase_param5 text, primary key (ase_eventid)). Expected  char
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.postgresql.core.Parser.checkParsePosition(Parser.java:1305)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.postgresql.core.Parser.parseSql(Parser.java:1212)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.postgresql.core.Parser.replaceProcessing(Parser.java:1156)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.postgresql.core.CachedQueryCreateAction.create(CachedQueryCreateAction.java:43)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.postgresql.core.QueryExecutorBase.createQueryByKey(QueryExecutorBase.java:337)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.postgresql.jdbc.PgStatement.executeCachedSql(PgStatement.java:300)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.postgresql.jdbc.PgStatement.executeWithFlags(PgStatement.java:284)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:279)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.commons.dbcp2.DelegatingStatement.execute(DelegatingStatement.java:193)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.apache.commons.dbcp2.DelegatingStatement.execute(DelegatingStatement.java:193)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.hibernate.tool.schema.internal.exec.GenerationTargetToDatabase.accept(GenerationTargetToDatabase.java:54)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         ... 82 common frames omitted
Jun 24 16:48:56 sedcafap0150 sh[17010]: 2022-06-24 16:48:56,488 [http-nio-8080-exec-16 - http://www.faplis.de/wiki/bin/loginsubmit/XWiki/XWikiLogin] ERROR c.x.x.i.s.h.HibernateStore     - Error executing DDL "create table 1waitfordelay'0.activitystream_events_status (ases_eventid varchar(48) not null, ases_entityid varchar(720) not null, ases_read boolean, primary key (ases_eventid, ases_entityid))" via JDBC Statement
Jun 24 16:48:56 sedcafap0150 sh[17010]: org.hibernate.tool.schema.spi.CommandAcceptanceException: Error executing DDL "create table 1waitfordelay'0.activitystream_events_status (ases_eventid varchar(48) not null, ases_entityid varchar(720) not null, ases_read boolean, primary key (ases_eventid, ases_entityid))" via JDBC Statement
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.hibernate.tool.schema.internal.exec.GenerationTargetToDatabase.accept(GenerationTargetToDatabase.java:67)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.hibernate.tool.schema.internal.AbstractSchemaMigrator.applySqlString(AbstractSchemaMigrator.java:563)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.hibernate.tool.schema.internal.AbstractSchemaMigrator.applySqlStrings(AbstractSchemaMigrator.java:508)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.hibernate.tool.schema.internal.AbstractSchemaMigrator.createTable(AbstractSchemaMigrator.java:278)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.hibernate.tool.schema.internal.GroupedSchemaMigratorImpl.performTablesMigration(GroupedSchemaMigratorImpl.java:71)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.hibernate.tool.schema.internal.AbstractSchemaMigrator.performMigration(AbstractSchemaMigrator.java:208)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.hibernate.tool.schema.internal.AbstractSchemaMigrator.doMigration(AbstractSchemaMigrator.java:115)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.hibernate.tool.hbm2ddl.SchemaUpdate.execute(SchemaUpdate.java:94)
Jun 24 16:48:56 sedcafap0150 sh[17010]:         at org.hibernate.tool.hbm2ddl.SchemaUpdate.execute(SchemaUpdate.java:63)

      xwiki.log

      2022-06-24 16:48:54,373 [http-nio-8080-exec-11 - http://www.faplis.de/wiki/bin/get/Help/Applications/Contributors/Charlie%20Chaplin?data=children&exclusions=document:xwiki:Help.WebHome&id=1%00%C0%A7%C0%A2%252527%252522&outputSyntax=plain&sheet=XWiki.DocumentTree&showAttachments=false&showTranslations=false] ERROR o.a.v.rendering                - Left side ($childNodeIds.size()) of comparison operation has null value at xwiki:XWiki.DocumentTree[line 153, column 29]
2022-06-24 16:48:54,480 [http-nio-8080-exec-7 - http://www.faplis.de/wiki/bin/loginsubmit/XWiki/XWikiLogin] WARN  nticationFailureLoggerListener - Authentication failure with login [0'XOR(if(now()=sysdate(),sleep(15),0))XOR'Z]
2022-06-24 16:48:54,635 [http-nio-8080-exec-7 - http://www.faplis.de/wiki/bin/get/Help/Applications/Contributors/Charlie%20Chaplin?data=children&exclusions=document:xwiki:Help.WebHome&id=%40%40gon8g&outputSyntax=plain&sheet=XWiki.DocumentTree&showAttachments=false&showTranslations=false] ERROR o.a.v.rendering                - Left side ($childNodeIds.size()) of comparison operation has null value at xwiki:XWiki.DocumentTree[line 153, column 29]
2022-06-24 16:48:55,420 [http-nio-8080-exec-16 - http://www.faplis.de/wiki/bin/loginsubmit/XWiki/XWikiLogin] WARN  nticationFailureLoggerListener - Authentication failure with login [0"XOR(if(now()=sysdate(),sleep(15),0))XOR"Z]
2022-06-24 16:48:55,928 [http-nio-8080-exec-7 - http://www.faplis.de/wiki/bin/loginsubmit/XWiki/XWikiLogin] WARN  nticationFailureLoggerListener - Authentication failure with login [(select(0)from(select(sleep(15)))v)/*'+(select(0)from(select(sleep(15)))v)+'"+(select(0)from(select(sleep(15)))v)+"*/]
2022-06-24 16:48:56,408 [http-nio-8080-exec-16 - http://www.faplis.de/wiki/bin/loginsubmit/XWiki/XWikiLogin] INFO  .HibernateDataMigrationManager - Checking Hibernate mapping and updating schema if needed for wiki [1waitfordelay'0]
2022-06-24 16:48:56,488 [http-nio-8080-exec-16 - http://www.faplis.de/wiki/bin/loginsubmit/XWiki/XWikiLogin] ERROR c.x.x.i.s.h.HibernateStore     - Error executing DDL "create table 1waitfordelay'0.activitystream_events (ase_eventid varchar(48) not null, ase_requestid varchar(48), ase_stream varchar(768), ase_date timestamp, ase_priority int4, ase_type varchar(768), ase_application varchar(768), ase_user varchar(768), ase_wiki varchar(255), ase_space varchar(768), ase_page varchar(768), ase_hidden boolean, ase_url text, ase_title text, ase_body text, ase_version varchar(30), ase_param1 text, ase_param2 text, ase_param3 text, ase_param4 text, ase_param5 text, primary key (ase_eventid))" via JDBC Statement
org.hibernate.tool.schema.spi.CommandAcceptanceException: Error executing DDL "create table 1waitfordelay'0.activitystream_events (ase_eventid varchar(48) not null, ase_requestid varchar(48), ase_stream varchar(768), ase_date timestamp, ase_priority int4, ase_type varchar(768), ase_application varchar(768), ase_user varchar(768), ase_wiki varchar(255), ase_space varchar(768), ase_page varchar(768), ase_hidden boolean, ase_url text, ase_title text, ase_body text, ase_version varchar(30), ase_param1 text, ase_param2 text, ase_param3 text, ase_param4 text, ase_param5 text, primary key (ase_eventid))" via JDBC Statement
        at org.hibernate.tool.schema.internal.exec.GenerationTargetToDatabase.accept(GenerationTargetToDatabase.java:67)

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-19888 Brute Force Attack - GET request to liveDate/sources/liveTable is executing create index statement

          • Major - Major loss of function.
          • Closed

          Activity

            People

              tmortagne Thomas Mortagne
              bbartke Bernd Bartke
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: